# Phone-Only Registration APIThis document describes the new phone-only regi

1. # Phone-Only Registration API
2.  
3. This document describes the new phone-only registration and OTP-based authentication endpoints added to the AuthController.
4.  
5. ## Overview
6.  
7. The system now supports two registration methods:
8. 1. **Traditional Registration**: Email, password, name, and phone (existing)
9. 2. **Phone-Only Registration**: Only phone number with OTP verification (new)
10.  
11. ## New Endpoints
12.  
13. ### 1. Register with Phone Only
14. **POST** `/api/auth/register-phone`
15.  
16. Register a user with only a phone number. An OTP will be sent for verification.
17.  
18. **Request Body:**
19. ```json
20. {
21.   "phone": "+1234567890"
22. }
23. ```
24.  
25. **Response:**
26. ```json
27. {
28.   "message": "OTP sent to your phone. Please verify to complete registration.",
29.   "success": true
30. }
31. ```
32.  
33. ### 2. Verify OTP (Complete Registration)
34. **POST** `/api/auth/verify-otp`
35.  
36. Verify the OTP to complete phone-only registration and receive a JWT token.
37.  
38. **Request Body:**
39. ```json
40. {
41.   "phone": "+1234567890",
42.   "otp": "123456"
43. }
44. ```
45.  
46. **Response:**
47. ```json
48. {
49.   "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
50. }
51. ```
52.  
53. ### 3. Login with Phone (Request OTP)
54. **POST** `/api/auth/login-phone`
55.  
56. Request an OTP for login with a verified phone number.
57.  
58. **Request Body:**
59. ```json
60. {
61.   "phone": "+1234567890"
62. }
63. ```
64.  
65. **Response:**
66. ```json
67. {
68.   "message": "OTP sent to your phone for login.",
69.   "success": true
70. }
71. ```
72.  
73. ### 4. Verify Login OTP
74. **POST** `/api/auth/verify-login-otp`
75.  
76. Verify the login OTP and receive a JWT token.
77.  
78. **Request Body:**
79. ```json
80. {
81.   "phone": "+1234567890",
82.   "otp": "123456"
83. }
84. ```
85.  
86. **Response:**
87. ```json
88. {
89.   "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
90. }
91. ```
92.  
93. ## Registration Flow
94.  
95. ### Phone-Only Registration Flow:
96. 1. User calls `/api/auth/register-phone` with phone number
97. 2. System creates user record with phone (email, password, name are null)
98. 3. OTP is generated and sent to phone (currently logged to console)
99. 4. User calls `/api/auth/verify-otp` with phone and OTP
100. 5. System verifies OTP, marks phone as verified, and returns JWT token
101. 6. User is now registered and authenticated
102.  
103. ### Phone-Only Login Flow:
104. 1. User calls `/api/auth/login-phone` with phone number
105. 2. System verifies phone is registered and verified
106. 3. OTP is generated and sent to phone
107. 4. User calls `/api/auth/verify-login-otp` with phone and OTP
108. 5. System verifies OTP and returns JWT token
109. 6. User is now authenticated
110.  
111. ## Database Changes
112.  
113. The User entity has been updated:
114. - `email` field is now nullable
115. - `passwordHash` field is now nullable
116. - `phone` field is now unique and required
117. - Added `phoneVerified` boolean field
118.  
119. ## OTP Service
120.  
121. - OTPs are 6-digit numbers
122. - OTPs expire after 5 minutes
123. - OTPs are stored in memory (for production, consider Redis or database storage)
124. - For development, OTPs are logged to console
125.  
126. ## Security Notes
127.  
128. 1. Phone numbers are used as JWT subjects for phone-only users
129. 2. Phone verification is required before login
130. 3. OTPs are automatically removed after successful verification
131. 4. Expired OTPs are automatically cleaned up on verification attempts
132.  
133. ## Error Handling
134.  
135. - Invalid or expired OTP: Returns 401 Unauthorized
136. - Phone already registered: Returns 400 Bad Request
137. - Phone not registered/verified: Returns 400 Bad Request
138. - Missing required fields: Returns 400 Bad Request