commit ea00d84a16cb58722527b68ed98015ba0522776b · bretton.dev/coves

+80

internal/core/verification/errors.go

···

       1
       +
       package verification

     

       2
       +
       

     

       3
       +
       import "fmt"

     

       4
       +
       

     

       5
       +
       // InvalidPhoneNumberError indicates phone number format is invalid

     

       6
       +
       type InvalidPhoneNumberError struct {

     

       7
       +
       	Phone string

     

       8
       +
       }

     

       9
       +
       

     

       10
       +
       func (e *InvalidPhoneNumberError) Error() string {

     

       11
       +
       	return fmt.Sprintf("invalid phone number format: %s", e.Phone)

     

       12
       +
       }

     

       13
       +
       

     

       14
       +
       // PhoneAlreadyVerifiedError indicates phone is already verified by another account

     

       15
       +
       type PhoneAlreadyVerifiedError struct {

     

       16
       +
       	PhoneHash string

     

       17
       +
       }

     

       18
       +
       

     

       19
       +
       func (e *PhoneAlreadyVerifiedError) Error() string {

     

       20
       +
       	return "this phone number is already verified by another account"

     

       21
       +
       }

     

       22
       +
       

     

       23
       +
       // RateLimitExceededError indicates too many verification requests

     

       24
       +
       type RateLimitExceededError struct {

     

       25
       +
       	Identifier string

     

       26
       +
       	RetryAfter int // seconds

     

       27
       +
       }

     

       28
       +
       

     

       29
       +
       func (e *RateLimitExceededError) Error() string {

     

       30
       +
       	return fmt.Sprintf("rate limit exceeded, retry after %d seconds", e.RetryAfter)

     

       31
       +
       }

     

       32
       +
       

     

       33
       +
       // SMSDeliveryFailedError indicates SMS failed to send

     

       34
       +
       type SMSDeliveryFailedError struct {

     

       35
       +
       	Reason string

     

       36
       +
       }

     

       37
       +
       

     

       38
       +
       func (e *SMSDeliveryFailedError) Error() string {

     

       39
       +
       	return fmt.Sprintf("failed to send SMS: %s", e.Reason)

     

       40
       +
       }

     

       41
       +
       

     

       42
       +
       // InvalidCodeError indicates OTP code is incorrect

     

       43
       +
       type InvalidCodeError struct{}

     

       44
       +
       

     

       45
       +
       func (e *InvalidCodeError) Error() string {

     

       46
       +
       	return "invalid verification code"

     

       47
       +
       }

     

       48
       +
       

     

       49
       +
       // CodeExpiredError indicates OTP code has expired

     

       50
       +
       type CodeExpiredError struct{}

     

       51
       +
       

     

       52
       +
       func (e *CodeExpiredError) Error() string {

     

       53
       +
       	return "verification code has expired"

     

       54
       +
       }

     

       55
       +
       

     

       56
       +
       // RequestNotFoundError indicates request ID not found

     

       57
       +
       type RequestNotFoundError struct {

     

       58
       +
       	RequestID string

     

       59
       +
       }

     

       60
       +
       

     

       61
       +
       func (e *RequestNotFoundError) Error() string {

     

       62
       +
       	return fmt.Sprintf("verification request not found: %s", e.RequestID)

     

       63
       +
       }

     

       64
       +
       

     

       65
       +
       // TooManyAttemptsError indicates too many failed verification attempts

     

       66
       +
       type TooManyAttemptsError struct{}

     

       67
       +
       

     

       68
       +
       func (e *TooManyAttemptsError) Error() string {

     

       69
       +
       	return "too many failed attempts, please request a new code"

     

       70
       +
       }

     

       71
       +
       

     

       72
       +
       // PDSWriteFailedError indicates failure to write to PDS

     

       73
       +
       type PDSWriteFailedError struct {

     

       74
       +
       	DID    string

     

       75
       +
       	Reason string

     

       76
       +
       }

     

       77
       +
       

     

       78
       +
       func (e *PDSWriteFailedError) Error() string {

     

       79
       +
       	return fmt.Sprintf("failed to write verification to PDS for %s: %s", e.DID, e.Reason)

     

       80
       +
       }

+139

internal/core/verification/interfaces.go

···

       1
       +
       package verification

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"context"

     

       5
       +
       	"time"

     

       6
       +
       )

     

       7
       +
       

     

       8
       +
       // VerificationService handles phone verification operations

     

       9
       +
       type VerificationService interface {

     

       10
       +
       	// RequestPhoneVerification sends an OTP code to the provided phone number

     

       11
       +
       	RequestPhoneVerification(ctx context.Context, did, phoneNumber string) (*VerificationRequest, error)

     

       12
       +
       

     

       13
       +
       	// VerifyPhone validates the OTP code and writes verification to PDS

     

       14
       +
       	VerifyPhone(ctx context.Context, did, requestID, code string) (*VerificationResult, error)

     

       15
       +
       

     

       16
       +
       	// GetVerificationStatus retrieves current verification status for a user

     

       17
       +
       	GetVerificationStatus(ctx context.Context, did string) (*VerificationStatus, error)

     

       18
       +
       

     

       19
       +
       	// CheckPhoneAvailability checks if phone number is already verified by another account

     

       20
       +
       	CheckPhoneAvailability(ctx context.Context, phoneNumber string) (bool, error)

     

       21
       +
       }

     

       22
       +
       

     

       23
       +
       // VerificationRepository handles persistence of verification data

     

       24
       +
       type VerificationRepository interface {

     

       25
       +
       	// StoreVerificationRequest saves a pending verification request

     

       26
       +
       	StoreVerificationRequest(ctx context.Context, req *VerificationRequest) error

     

       27
       +
       

     

       28
       +
       	// GetVerificationRequest retrieves a pending request by ID

     

       29
       +
       	GetVerificationRequest(ctx context.Context, requestID string) (*VerificationRequest, error)

     

       30
       +
       

     

       31
       +
       	// IncrementAttempts increments the failed attempt counter

     

       32
       +
       	IncrementAttempts(ctx context.Context, requestID string) error

     

       33
       +
       

     

       34
       +
       	// DeleteVerificationRequest removes a pending request

     

       35
       +
       	DeleteVerificationRequest(ctx context.Context, requestID string) error

     

       36
       +
       

     

       37
       +
       	// StoreVerification saves a completed verification

     

       38
       +
       	StoreVerification(ctx context.Context, verification *PhoneVerification) error

     

       39
       +
       

     

       40
       +
       	// GetVerification retrieves verification by DID

     

       41
       +
       	GetVerification(ctx context.Context, did string) (*PhoneVerification, error)

     

       42
       +
       

     

       43
       +
       	// GetVerificationByPhoneHash retrieves verification by phone hash

     

       44
       +
       	GetVerificationByPhoneHash(ctx context.Context, phoneHash string) (*PhoneVerification, error)

     

       45
       +
       

     

       46
       +
       	// CheckRateLimit checks if DID or phone has exceeded rate limits

     

       47
       +
       	CheckRateLimit(ctx context.Context, identifier string, limit int, window time.Duration) (bool, error)

     

       48
       +
       

     

       49
       +
       	// RecordRateLimitAttempt records a verification attempt for rate limiting

     

       50
       +
       	RecordRateLimitAttempt(ctx context.Context, identifier string) error

     

       51
       +
       

     

       52
       +
       	// LogAuditEvent records an audit event

     

       53
       +
       	LogAuditEvent(ctx context.Context, event *AuditEvent) error

     

       54
       +
       }

     

       55
       +
       

     

       56
       +
       // SMSProvider handles sending SMS messages

     

       57
       +
       type SMSProvider interface {

     

       58
       +
       	// SendOTP sends an OTP code via SMS

     

       59
       +
       	SendOTP(ctx context.Context, phoneNumber, code string) error

     

       60
       +
       }

     

       61
       +
       

     

       62
       +
       // SignatureService handles cryptographic signing of verifications

     

       63
       +
       type SignatureService interface {

     

       64
       +
       	// SignVerification creates a signature over verification data

     

       65
       +
       	SignVerification(ctx context.Context, verification *VerificationData) (string, error)

     

       66
       +
       

     

       67
       +
       	// GetVerifierDID returns the DID used for signing

     

       68
       +
       	GetVerifierDID() string

     

       69
       +
       }

     

       70
       +
       

     

       71
       +
       // PDSWriter handles writing verification records to user's PDS

     

       72
       +
       type PDSWriter interface {

     

       73
       +
       	// WriteVerificationToProfile writes verification to user's PDS profile

     

       74
       +
       	WriteVerificationToProfile(ctx context.Context, did string, verification *SignedVerification) error

     

       75
       +
       }

     

       76
       +
       

     

       77
       +
       // VerificationRequest represents a pending phone verification

     

       78
       +
       type VerificationRequest struct {

     

       79
       +
       	RequestID    string

     

       80
       +
       	DID          string

     

       81
       +
       	PhoneHash    string

     

       82
       +
       	OTPCodeHash  string

     

       83
       +
       	Attempts     int

     

       84
       +
       	CreatedAt    time.Time

     

       85
       +
       	ExpiresAt    time.Time

     

       86
       +
       }

     

       87
       +
       

     

       88
       +
       // PhoneVerification represents a completed phone verification

     

       89
       +
       type PhoneVerification struct {

     

       90
       +
       	DID        string

     

       91
       +
       	PhoneHash  string

     

       92
       +
       	VerifiedAt time.Time

     

       93
       +
       	ExpiresAt  time.Time

     

       94
       +
       }

     

       95
       +
       

     

       96
       +
       // VerificationData is the data that gets signed

     

       97
       +
       type VerificationData struct {

     

       98
       +
       	Type       string    // "phone"

     

       99
       +
       	VerifiedBy string    // DID of verifier

     

       100
       +
       	VerifiedAt time.Time

     

       101
       +
       	ExpiresAt  time.Time

     

       102
       +
       	SubjectDID string    // DID being verified

     

       103
       +
       }

     

       104
       +
       

     

       105
       +
       // SignedVerification is written to PDS profile

     

       106
       +
       type SignedVerification struct {

     

       107
       +
       	Type       string                 `json:"type"`

     

       108
       +
       	VerifiedBy string                 `json:"verifiedBy"`

     

       109
       +
       	VerifiedAt string                 `json:"verifiedAt"` // RFC3339

     

       110
       +
       	ExpiresAt  string                 `json:"expiresAt"`  // RFC3339

     

       111
       +
       	Signature  string                 `json:"signature"`

     

       112
       +
       	Metadata   map[string]interface{} `json:"metadata,omitempty"`

     

       113
       +
       }

     

       114
       +
       

     

       115
       +
       // VerificationResult is returned after successful verification

     

       116
       +
       type VerificationResult struct {

     

       117
       +
       	Verified   bool

     

       118
       +
       	VerifiedAt time.Time

     

       119
       +
       	ExpiresAt  time.Time

     

       120
       +
       }

     

       121
       +
       

     

       122
       +
       // VerificationStatus represents current verification state

     

       123
       +
       type VerificationStatus struct {

     

       124
       +
       	HasVerifiedPhone bool

     

       125
       +
       	VerifiedAt       *time.Time

     

       126
       +
       	ExpiresAt        *time.Time

     

       127
       +
       	NeedsRenewal     bool

     

       128
       +
       }

     

       129
       +
       

     

       130
       +
       // AuditEvent represents a security audit event

     

       131
       +
       type AuditEvent struct {

     

       132
       +
       	DID        *string

     

       133
       +
       	EventType  string // 'request_sent', 'verification_success', 'verification_failed', 'rate_limit_hit'

     

       134
       +
       	PhoneHash  *string

     

       135
       +
       	IPAddress  *string

     

       136
       +
       	UserAgent  *string

     

       137
       +
       	Metadata   map[string]interface{}

     

       138
       +
       	CreatedAt  time.Time

     

       139
       +
       }

+325

internal/core/verification/service.go

···

       1
       +
       package verification

     

       2
       +
       

     

       3
       +
       import (

     

       4
       +
       	"context"

     

       5
       +
       	"crypto/rand"

     

       6
       +
       	"crypto/subtle"

     

       7
       +
       	"fmt"

     

       8
       +
       	"math/big"

     

       9
       +
       	"regexp"

     

       10
       +
       	"time"

     

       11
       +
       

     

       12
       +
       	"golang.org/x/crypto/bcrypt"

     

       13
       +
       )

     

       14
       +
       

     

       15
       +
       const (

     

       16
       +
       	OTPLength        = 6

     

       17
       +
       	OTPExpiryMinutes = 10

     

       18
       +
       	MaxAttempts      = 3

     

       19
       +
       	VerificationTTL  = 365 * 24 * time.Hour // 1 year

     

       20
       +
       

     

       21
       +
       	// Rate limits

     

       22
       +
       	RateLimitPerPhone = 3              // Max 3 requests per phone per hour

     

       23
       +
       	RateLimitPerDID   = 5              // Max 5 requests per DID per day

     

       24
       +
       	PhoneRateWindow   = 1 * time.Hour

     

       25
       +
       	DIDRateWindow     = 24 * time.Hour

     

       26
       +
       )

     

       27
       +
       

     

       28
       +
       var (

     

       29
       +
       	// E.164 phone number regex (basic validation)

     

       30
       +
       	e164Regex = regexp.MustCompile(`^\+[1-9]\d{1,14}$`)

     

       31
       +
       )

     

       32
       +
       

     

       33
       +
       // verificationService implements VerificationService

     

       34
       +
       type verificationService struct {

     

       35
       +
       	repo         VerificationRepository

     

       36
       +
       	smsProvider  SMSProvider

     

       37
       +
       	signer       SignatureService

     

       38
       +
       	pdsWriter    PDSWriter

     

       39
       +
       	hashProvider PhoneHashProvider

     

       40
       +
       }

     

       41
       +
       

     

       42
       +
       // PhoneHashProvider handles phone number hashing

     

       43
       +
       type PhoneHashProvider interface {

     

       44
       +
       	HashPhone(phoneNumber string) string

     

       45
       +
       }

     

       46
       +
       

     

       47
       +
       // NewVerificationService creates a new verification service

     

       48
       +
       func NewVerificationService(

     

       49
       +
       	repo VerificationRepository,

     

       50
       +
       	smsProvider SMSProvider,

     

       51
       +
       	signer SignatureService,

     

       52
       +
       	pdsWriter PDSWriter,

     

       53
       +
       	hashProvider PhoneHashProvider,

     

       54
       +
       ) VerificationService {

     

       55
       +
       	return &verificationService{

     

       56
       +
       		repo:         repo,

     

       57
       +
       		smsProvider:  smsProvider,

     

       58
       +
       		signer:       signer,

     

       59
       +
       		pdsWriter:    pdsWriter,

     

       60
       +
       		hashProvider: hashProvider,

     

       61
       +
       	}

     

       62
       +
       }

     

       63
       +
       

     

       64
       +
       // RequestPhoneVerification sends an OTP code to the provided phone number

     

       65
       +
       func (s *verificationService) RequestPhoneVerification(ctx context.Context, did, phoneNumber string) (*VerificationRequest, error) {

     

       66
       +
       	// Validate phone number format

     

       67
       +
       	if !e164Regex.MatchString(phoneNumber) {

     

       68
       +
       		return nil, &InvalidPhoneNumberError{Phone: phoneNumber}

     

       69
       +
       	}

     

       70
       +
       

     

       71
       +
       	phoneHash := s.hashProvider.HashPhone(phoneNumber)

     

       72
       +
       

     

       73
       +
       	// Check if phone is already verified by another account

     

       74
       +
       	existingVerification, err := s.repo.GetVerificationByPhoneHash(ctx, phoneHash)

     

       75
       +
       	if err == nil && existingVerification != nil && existingVerification.DID != did {

     

       76
       +
       		return nil, &PhoneAlreadyVerifiedError{PhoneHash: phoneHash}

     

       77
       +
       	}

     

       78
       +
       

     

       79
       +
       	// Check rate limits (per phone)

     

       80
       +
       	phoneExceeded, err := s.repo.CheckRateLimit(ctx, "phone:"+phoneHash, RateLimitPerPhone, PhoneRateWindow)

     

       81
       +
       	if err != nil {

     

       82
       +
       		return nil, fmt.Errorf("failed to check phone rate limit: %w", err)

     

       83
       +
       	}

     

       84
       +
       	if phoneExceeded {

     

       85
       +
       		// Log audit event

     

       86
       +
       		_ = s.repo.LogAuditEvent(ctx, &AuditEvent{

     

       87
       +
       			DID:       &did,

     

       88
       +
       			EventType: "rate_limit_hit",

     

       89
       +
       			PhoneHash: &phoneHash,

     

       90
       +
       			Metadata:  map[string]interface{}{"limit_type": "phone"},

     

       91
       +
       			CreatedAt: time.Now(),

     

       92
       +
       		})

     

       93
       +
       		return nil, &RateLimitExceededError{Identifier: "phone", RetryAfter: 3600}

     

       94
       +
       	}

     

       95
       +
       

     

       96
       +
       	// Check rate limits (per DID)

     

       97
       +
       	didExceeded, err := s.repo.CheckRateLimit(ctx, "did:"+did, RateLimitPerDID, DIDRateWindow)

     

       98
       +
       	if err != nil {

     

       99
       +
       		return nil, fmt.Errorf("failed to check DID rate limit: %w", err)

     

       100
       +
       	}

     

       101
       +
       	if didExceeded {

     

       102
       +
       		_ = s.repo.LogAuditEvent(ctx, &AuditEvent{

     

       103
       +
       			DID:       &did,

     

       104
       +
       			EventType: "rate_limit_hit",

     

       105
       +
       			PhoneHash: &phoneHash,

     

       106
       +
       			Metadata:  map[string]interface{}{"limit_type": "did"},

     

       107
       +
       			CreatedAt: time.Now(),

     

       108
       +
       		})

     

       109
       +
       		return nil, &RateLimitExceededError{Identifier: "did", RetryAfter: 86400}

     

       110
       +
       	}

     

       111
       +
       

     

       112
       +
       	// Generate OTP code

     

       113
       +
       	otpCode, err := generateOTP(OTPLength)

     

       114
       +
       	if err != nil {

     

       115
       +
       		return nil, fmt.Errorf("failed to generate OTP: %w", err)

     

       116
       +
       	}

     

       117
       +
       

     

       118
       +
       	// Hash OTP code for storage

     

       119
       +
       	otpHash, err := bcrypt.GenerateFromPassword([]byte(otpCode), bcrypt.DefaultCost)

     

       120
       +
       	if err != nil {

     

       121
       +
       		return nil, fmt.Errorf("failed to hash OTP: %w", err)

     

       122
       +
       	}

     

       123
       +
       

     

       124
       +
       	// Create verification request

     

       125
       +
       	req := &VerificationRequest{

     

       126
       +
       		RequestID:   generateRequestID(),

     

       127
       +
       		DID:         did,

     

       128
       +
       		PhoneHash:   phoneHash,

     

       129
       +
       		OTPCodeHash: string(otpHash),

     

       130
       +
       		Attempts:    0,

     

       131
       +
       		CreatedAt:   time.Now(),

     

       132
       +
       		ExpiresAt:   time.Now().Add(OTPExpiryMinutes * time.Minute),

     

       133
       +
       	}

     

       134
       +
       

     

       135
       +
       	// Store request

     

       136
       +
       	if err := s.repo.StoreVerificationRequest(ctx, req); err != nil {

     

       137
       +
       		return nil, fmt.Errorf("failed to store verification request: %w", err)

     

       138
       +
       	}

     

       139
       +
       

     

       140
       +
       	// Send SMS

     

       141
       +
       	if err := s.smsProvider.SendOTP(ctx, phoneNumber, otpCode); err != nil {

     

       142
       +
       		// Log failed SMS delivery

     

       143
       +
       		_ = s.repo.LogAuditEvent(ctx, &AuditEvent{

     

       144
       +
       			DID:       &did,

     

       145
       +
       			EventType: "sms_delivery_failed",

     

       146
       +
       			PhoneHash: &phoneHash,

     

       147
       +
       			Metadata:  map[string]interface{}{"error": err.Error()},

     

       148
       +
       			CreatedAt: time.Now(),

     

       149
       +
       		})

     

       150
       +
       		return nil, &SMSDeliveryFailedError{Reason: err.Error()}

     

       151
       +
       	}

     

       152
       +
       

     

       153
       +
       	// Record rate limit attempt

     

       154
       +
       	_ = s.repo.RecordRateLimitAttempt(ctx, "phone:"+phoneHash)

     

       155
       +
       	_ = s.repo.RecordRateLimitAttempt(ctx, "did:"+did)

     

       156
       +
       

     

       157
       +
       	// Log audit event

     

       158
       +
       	_ = s.repo.LogAuditEvent(ctx, &AuditEvent{

     

       159
       +
       		DID:       &did,

     

       160
       +
       		EventType: "request_sent",

     

       161
       +
       		PhoneHash: &phoneHash,

     

       162
       +
       		CreatedAt: time.Now(),

     

       163
       +
       	})

     

       164
       +
       

     

       165
       +
       	return req, nil

     

       166
       +
       }

     

       167
       +
       

     

       168
       +
       // VerifyPhone validates the OTP code and writes verification to PDS

     

       169
       +
       func (s *verificationService) VerifyPhone(ctx context.Context, did, requestID, code string) (*VerificationResult, error) {

     

       170
       +
       	// Retrieve verification request

     

       171
       +
       	req, err := s.repo.GetVerificationRequest(ctx, requestID)

     

       172
       +
       	if err != nil {

     

       173
       +
       		return nil, &RequestNotFoundError{RequestID: requestID}

     

       174
       +
       	}

     

       175
       +
       

     

       176
       +
       	// Check if request belongs to this DID

     

       177
       +
       	if req.DID != did {

     

       178
       +
       		return nil, &RequestNotFoundError{RequestID: requestID}

     

       179
       +
       	}

     

       180
       +
       

     

       181
       +
       	// Check if expired

     

       182
       +
       	if time.Now().After(req.ExpiresAt) {

     

       183
       +
       		_ = s.repo.DeleteVerificationRequest(ctx, requestID)

     

       184
       +
       		return nil, &CodeExpiredError{}

     

       185
       +
       	}

     

       186
       +
       

     

       187
       +
       	// Check attempt limit

     

       188
       +
       	if req.Attempts >= MaxAttempts {

     

       189
       +
       		_ = s.repo.DeleteVerificationRequest(ctx, requestID)

     

       190
       +
       		return nil, &TooManyAttemptsError{}

     

       191
       +
       	}

     

       192
       +
       

     

       193
       +
       	// Verify OTP code (constant-time comparison)

     

       194
       +
       	err = bcrypt.CompareHashAndPassword([]byte(req.OTPCodeHash), []byte(code))

     

       195
       +
       	if err != nil {

     

       196
       +
       		// Increment attempts

     

       197
       +
       		_ = s.repo.IncrementAttempts(ctx, requestID)

     

       198
       +
       

     

       199
       +
       		// Log failed verification

     

       200
       +
       		_ = s.repo.LogAuditEvent(ctx, &AuditEvent{

     

       201
       +
       			DID:       &did,

     

       202
       +
       			EventType: "verification_failed",

     

       203
       +
       			PhoneHash: &req.PhoneHash,

     

       204
       +
       			Metadata:  map[string]interface{}{"attempts": req.Attempts + 1},

     

       205
       +
       			CreatedAt: time.Now(),

     

       206
       +
       		})

     

       207
       +
       

     

       208
       +
       		return nil, &InvalidCodeError{}

     

       209
       +
       	}

     

       210
       +
       

     

       211
       +
       	// Code is valid - create verification

     

       212
       +
       	now := time.Now()

     

       213
       +
       	expiresAt := now.Add(VerificationTTL)

     

       214
       +
       

     

       215
       +
       	// Create verification data for signing

     

       216
       +
       	verificationData := &VerificationData{

     

       217
       +
       		Type:       "phone",

     

       218
       +
       		VerifiedBy: s.signer.GetVerifierDID(),

     

       219
       +
       		VerifiedAt: now,

     

       220
       +
       		ExpiresAt:  expiresAt,

     

       221
       +
       		SubjectDID: did,

     

       222
       +
       	}

     

       223
       +
       

     

       224
       +
       	// Sign verification

     

       225
       +
       	signature, err := s.signer.SignVerification(ctx, verificationData)

     

       226
       +
       	if err != nil {

     

       227
       +
       		return nil, fmt.Errorf("failed to sign verification: %w", err)

     

       228
       +
       	}

     

       229
       +
       

     

       230
       +
       	// Create signed verification for PDS

     

       231
       +
       	signedVerification := &SignedVerification{

     

       232
       +
       		Type:       verificationData.Type,

     

       233
       +
       		VerifiedBy: verificationData.VerifiedBy,

     

       234
       +
       		VerifiedAt: verificationData.VerifiedAt.Format(time.RFC3339),

     

       235
       +
       		ExpiresAt:  verificationData.ExpiresAt.Format(time.RFC3339),

     

       236
       +
       		Signature:  signature,

     

       237
       +
       	}

     

       238
       +
       

     

       239
       +
       	// Write to PDS profile

     

       240
       +
       	if err := s.pdsWriter.WriteVerificationToProfile(ctx, did, signedVerification); err != nil {

     

       241
       +
       		return nil, &PDSWriteFailedError{DID: did, Reason: err.Error()}

     

       242
       +
       	}

     

       243
       +
       

     

       244
       +
       	// Store verification in AppView database

     

       245
       +
       	phoneVerification := &PhoneVerification{

     

       246
       +
       		DID:        did,

     

       247
       +
       		PhoneHash:  req.PhoneHash,

     

       248
       +
       		VerifiedAt: now,

     

       249
       +
       		ExpiresAt:  expiresAt,

     

       250
       +
       	}

     

       251
       +
       	if err := s.repo.StoreVerification(ctx, phoneVerification); err != nil {

     

       252
       +
       		return nil, fmt.Errorf("failed to store verification: %w", err)

     

       253
       +
       	}

     

       254
       +
       

     

       255
       +
       	// Clean up request

     

       256
       +
       	_ = s.repo.DeleteVerificationRequest(ctx, requestID)

     

       257
       +
       

     

       258
       +
       	// Log successful verification

     

       259
       +
       	_ = s.repo.LogAuditEvent(ctx, &AuditEvent{

     

       260
       +
       		DID:       &did,

     

       261
       +
       		EventType: "verification_success",

     

       262
       +
       		PhoneHash: &req.PhoneHash,

     

       263
       +
       		CreatedAt: time.Now(),

     

       264
       +
       	})

     

       265
       +
       

     

       266
       +
       	return &VerificationResult{

     

       267
       +
       		Verified:   true,

     

       268
       +
       		VerifiedAt: now,

     

       269
       +
       		ExpiresAt:  expiresAt,

     

       270
       +
       	}, nil

     

       271
       +
       }

     

       272
       +
       

     

       273
       +
       // GetVerificationStatus retrieves current verification status for a user

     

       274
       +
       func (s *verificationService) GetVerificationStatus(ctx context.Context, did string) (*VerificationStatus, error) {

     

       275
       +
       	verification, err := s.repo.GetVerification(ctx, did)

     

       276
       +
       	if err != nil || verification == nil {

     

       277
       +
       		return &VerificationStatus{

     

       278
       +
       			HasVerifiedPhone: false,

     

       279
       +
       		}, nil

     

       280
       +
       	}

     

       281
       +
       

     

       282
       +
       	// Check if verification has expired

     

       283
       +
       	if time.Now().After(verification.ExpiresAt) {

     

       284
       +
       		return &VerificationStatus{

     

       285
       +
       			HasVerifiedPhone: false,

     

       286
       +
       		}, nil

     

       287
       +
       	}

     

       288
       +
       

     

       289
       +
       	// Check if renewal needed (within 30 days of expiry)

     

       290
       +
       	needsRenewal := time.Until(verification.ExpiresAt) < 30*24*time.Hour

     

       291
       +
       

     

       292
       +
       	return &VerificationStatus{

     

       293
       +
       		HasVerifiedPhone: true,

     

       294
       +
       		VerifiedAt:       &verification.VerifiedAt,

     

       295
       +
       		ExpiresAt:        &verification.ExpiresAt,

     

       296
       +
       		NeedsRenewal:     needsRenewal,

     

       297
       +
       	}, nil

     

       298
       +
       }

     

       299
       +
       

     

       300
       +
       // CheckPhoneAvailability checks if phone number is already verified

     

       301
       +
       func (s *verificationService) CheckPhoneAvailability(ctx context.Context, phoneNumber string) (bool, error) {

     

       302
       +
       	phoneHash := s.hashProvider.HashPhone(phoneNumber)

     

       303
       +
       	verification, err := s.repo.GetVerificationByPhoneHash(ctx, phoneHash)

     

       304
       +
       	if err != nil {

     

       305
       +
       		return false, err

     

       306
       +
       	}

     

       307
       +
       	return verification == nil, nil

     

       308
       +
       }

     

       309
       +
       

     

       310
       +
       // generateOTP generates a cryptographically secure numeric OTP

     

       311
       +
       func generateOTP(length int) (string, error) {

     

       312
       +
       	max := new(big.Int).Exp(big.NewInt(10), big.NewInt(int64(length)), nil)

     

       313
       +
       	n, err := rand.Int(rand.Reader, max)

     

       314
       +
       	if err != nil {

     

       315
       +
       		return "", err

     

       316
       +
       	}

     

       317
       +
       	return fmt.Sprintf("%0*d", length, n), nil

     

       318
       +
       }

     

       319
       +
       

     

       320
       +
       // generateRequestID generates a unique request ID

     

       321
       +
       func generateRequestID() string {

     

       322
       +
       	b := make([]byte, 16)

     

       323
       +
       	rand.Read(b)

     

       324
       +
       	return fmt.Sprintf("%x", b)

     

       325
       +
       }