Purpose

Verify OTP & prolongation authentication process (return access_token for getting approvals) .

Request parameters

• user_id
• otp
• token

Logic WS

• Validate token (2fa_access_token) - ???? 
  • If invalid - return error 4xx 
• Validate user id & user status

• Get active 2FA item for non-blocked user by $.user_id

  SELECT *
  FROM authentication_factors AS 2FA
  WHERE 
  	2FA.user_id = $.user_id
  		AND 2FA.is_active = TRUE

  • If not found - return 409 error "Not found 2FA data for user"
• Extract type & factor from 2FA item for user
• Invoke internal function `verify OTP (key, code)`, for 2FA.type = SMS, with params:
  • key = 2FA.faсtor
  • code = $.otp
• Get result of call `verify OTP()`  
• If result = VERIFIED
  • Update user (set values) by $.user_id

    • users.priv_settings.otp_error_counter = 0

  • Update 2fa_access_token (set `tokens.details.used`=true)
  • Create & return new access_token (as a existing standart process without 2FA)
  • Return 200
• If result = UNVERIFIED
  • Update user (set values) by $.user_id
    • Increment `users.priv_settings.otp_error_counter` (+1)
  • If `users.priv_settings.otp_error_counter` > USER_OTP_ERROR_MAX
    • Blocked user - update user (set values) by $.user_id
      • is_blocked = TRUE
      • block_reason = "OTP verify attempts more then USER_OTP_ERROR_MAX"
      • updated_at = now()
  • return 401 error

Internal logic for `verify OTP()`

• Find 1 active OTP (status = NEW) for $.key
  • If not found - return 409 error "Not found active OTP" - ??? or 401 ?
  • If found -  increment  `attempts_count` (+1) for this OTP
    
    • If OTP.code = $.code - update OTP item:
      • OTP status  ( NEW → VERIFIED)
      • updated_at = now()
    • If (OTP.code <> $.code ) AND (OTP.attempts_count > OTP_ERROR_MAX ) 
      • Update OTP item
        • status ( NEW → UNVERIFIED)
        • updated_at = now()

Response

• 200 if OTP successful create & send 
• 4xx in other case