# Phone-Only Registration API

This document describes the new phone-only registration and OTP-based authentication endpoints added to the AuthController.

## Overview

The system now supports two registration methods:

1. **Traditional Registration**: Email, password, name, and phone (existing)
2. **Phone-Only Registration**: Only a phone number with OTP verification (new)

## New Endpoints

### 1. Register with Phone Only

**POST** `/api/auth/register-phone`

Register a user with only a phone number. An OTP will be sent for verification.

**Request Body:**

```json
{
  "phone": "+1234567890"
}
```

**Response:**

```json
{
  "message": "OTP sent to your phone. Please verify to complete registration.",
  "success": true
}
```

### 2. Verify OTP (Complete Registration)

**POST** `/api/auth/verify-otp`

Verify the OTP to complete phone-only registration and receive a JWT token.

**Request Body:**

```json
{
  "phone": "+1234567890",
  "otp": "123456"
}
```

**Response:**

```json
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
```

### 3. Login with Phone (Request OTP)

**POST** `/api/auth/login-phone`

Request an OTP for login with a verified phone number.

**Request Body:**

```json
{
  "phone": "+1234567890"
}
```

**Response:**

```json
{
  "message": "OTP sent to your phone for login.",
  "success": true
}
```

### 4. Verify Login OTP

**POST** `/api/auth/verify-login-otp`

Verify the login OTP and receive a JWT token.

**Request Body:**

```json
{
  "phone": "+1234567890",
  "otp": "123456"
}
```

**Response:**

```json
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
```

## Registration Flow

### Phone-Only Registration Flow:

1. User calls `/api/auth/register-phone` with a phone number
2. System creates a user record with the phone (email, password, and name are null)
3. OTP is generated and sent to the phone (currently logged to the console)
4. User calls `/api/auth/verify-otp` with the phone and OTP
5. System verifies the OTP, marks the phone as verified, and returns a JWT token
6. User is now registered and authenticated

### Phone-Only Login Flow:

1. User calls `/api/auth/login-phone` with a phone number
2. System verifies that the phone is registered and verified
3. OTP is generated and sent to the phone
4. User calls `/api/auth/verify-login-otp` with the phone and OTP
5. System verifies the OTP and returns a JWT token
6. User is now authenticated

## Database Changes

The User entity has been updated:

- `email` field is now nullable
- `passwordHash` field is now nullable
- `phone` field is now unique and required
- Added `phoneVerified` boolean field

## OTP Service

- OTPs are 6-digit numbers
- OTPs expire after 5 minutes
- OTPs are stored in memory (for production, consider Redis or database storage)
- For development, OTPs are logged to the console

## Security Notes

1. Phone numbers are used as JWT subjects for phone-only users
2. Phone verification is required before login
3. OTPs are automatically removed after successful verification
4. Expired OTPs are automatically cleaned up on verification attempts

## Error Handling

- Invalid or expired OTP: Returns 401 Unauthorized
- Phone already registered: Returns 400 Bad Request
- Phone not registered/verified: Returns 400 Bad Request
- Missing required fields: Returns 400 Bad Request
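The OTP Service and Security Notes sections above describe the store's rules (6-digit codes, 5-minute expiry, in-memory storage, single use, expired codes purged on verification attempts). The following is an added example of an in-memory store that implements exactly those rules; it is not the project's own OTP service, the language (TypeScript) and the `OtpStore` class, its `MAX_ATTEMPTS` limit, and the injectable clock/generator are assumptions made for illustration and testing.

```typescript
// Added example, not the project's code: in-memory OTP store following the documented rules.
import { randomInt, timingSafeEqual } from "node:crypto";

const OTP_TTL_MS = 5 * 60 * 1000; // documented: OTPs expire after 5 minutes
const MAX_ATTEMPTS = 5;           // assumption: discard a code after repeated wrong guesses

interface OtpEntry { code: string; expiresAt: number; attempts: number; }

class OtpStore {
  private readonly entries = new Map<string, OtpEntry>();

  constructor(
    // Clock and generator are injectable so behaviour can be tested deterministically.
    private readonly now: () => number = Date.now,
    // randomInt is CSPRNG-backed; Math.random() would make codes predictable.
    private readonly generate: () => string =
      () => randomInt(0, 1_000_000).toString().padStart(6, "0"),
  ) {}

  // Issue a fresh 6-digit code for a phone, replacing any outstanding one.
  issue(phone: string): string {
    const code = this.generate();
    this.entries.set(phone, { code, expiresAt: this.now() + OTP_TTL_MS, attempts: 0 });
    return code;
  }

  // Documented behaviour: expired codes are cleaned up on every verification attempt.
  private purgeExpired(): void {
    const t = this.now();
    for (const [phone, e] of this.entries) if (e.expiresAt <= t) this.entries.delete(phone);
  }

  // True only for a live, unused, matching code; the code is consumed on success.
  verify(phone: string, otp: string): boolean {
    this.purgeExpired();
    const entry = this.entries.get(phone);
    if (!entry) return false; // unknown, expired or already used -> controller answers 401
    if (++entry.attempts > MAX_ATTEMPTS) { this.entries.delete(phone); return false; }
    const a = Buffer.from(entry.code), b = Buffer.from(otp);
    const ok = a.length === b.length && timingSafeEqual(a, b); // constant-time compare
    if (ok) this.entries.delete(phone); // single use, as documented
    return ok;
  }

  pending(phone: string): boolean { return this.entries.has(phone); }
}
```

In a multi-instance deployment the `Map` must be replaced by the shared store the OTP Service section recommends (Redis or the database), otherwise a code issued by one instance cannot be verified by another.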