New code verification service

api/server/internal/api/api.go

@@ -12,6 +12,7 @@ import (
 	"github.com/tech/sendico/pkg/mservice"
 	"github.com/tech/sendico/server/interface/api"
 	"github.com/tech/sendico/server/interface/services/account"
+	"github.com/tech/sendico/server/interface/services/confirmation"
 	"github.com/tech/sendico/server/interface/services/invitation"
 	"github.com/tech/sendico/server/interface/services/logo"
 	"github.com/tech/sendico/server/interface/services/organization"
@@ -76,6 +77,7 @@ func (a *APIImp) installServices() error {
 	srvf := make([]api.MicroServiceFactoryT, 0)
 
 	srvf = append(srvf, account.Create)
+	srvf = append(srvf, confirmation.Create)
 	srvf = append(srvf, organization.Create)
 	srvf = append(srvf, invitation.Create)
 	srvf = append(srvf, logo.Create)

api/server/internal/api/middleware.go

@@ -45,6 +45,10 @@ func (mw *Middleware) AccountHandler(service mservice.Type, endpoint string, met
 	mw.epdispatcher.AccountHandler(service, endpoint, method, handler)
 }
 
+func (mw *Middleware) PendingAccountHandler(service mservice.Type, endpoint string, method api.HTTPMethod, handler sresponse.PendingAccountHandlerFunc) {
+	mw.epdispatcher.PendingAccountHandler(service, endpoint, method, handler)
+}
+
 func (mw *Middleware) WSHandler(messageType string, handler wsh.HandlerFunc) {
 	mw.wshandler.InstallHandler(messageType, handler)
 }
@@ -133,7 +137,13 @@ func CreateMiddleware(logger mlogger.Logger, db db.Factory, enforcer auth.Enforc
 		return nil, err
 	}
 
-	p.epdispatcher = routers.NewDispatcher(p.logger, p.router, adb, rtdb, enforcer, config)
+	cdb, err := db.NewConfirmationsDB()
+	if err != nil {
+		p.logger.Error("Failed to create confirmations database", zap.Error(err))
+		return nil, err
+	}
+
+	p.epdispatcher = routers.NewDispatcher(p.logger, p.router, adb, cdb, rtdb, enforcer, config)
 	p.wshandler = ws.NewRouter(p.logger, p.router, &config.WebSocket, p.apiEndpoint)
 	return p, nil
 }

api/server/internal/api/routers/authorized/handler.go

@@ -37,6 +37,9 @@ func (ar *AuthorizedRouter) tokenHandler(service mservice.Type, endpoint string,
 
 func (ar *AuthorizedRouter) AccountHandler(service mservice.Type, endpoint string, method api.HTTPMethod, handler sresponse.AccountHandlerFunc) {
 	hndlr := func(r *http.Request, t *emodel.AccountToken) http.HandlerFunc {
+		if t.Pending {
+			return response.Forbidden(ar.logger, ar.service, "confirmation_required", "pending token requires confirmation")
+		}
 		var a model.Account
 		if err := ar.db.Get(r.Context(), t.AccountRef, &a); err != nil {
 			if errors.Is(err, merrors.ErrNoData) {
@@ -54,3 +57,18 @@ func (ar *AuthorizedRouter) AccountHandler(service mservice.Type, endpoint strin
 	}
 	ar.tokenHandler(service, endpoint, method, hndlr)
 }
+
+func (ar *AuthorizedRouter) PendingAccountHandler(service mservice.Type, endpoint string, method api.HTTPMethod, handler sresponse.PendingAccountHandlerFunc) {
+	hndlr := func(r *http.Request, t *emodel.AccountToken) http.HandlerFunc {
+		var a model.Account
+		if err := ar.db.Get(r.Context(), t.AccountRef, &a); err != nil {
+			if errors.Is(err, merrors.ErrNoData) {
+				ar.logger.Debug("Failed to find related user", zap.Error(err), mzap.ObjRef("account_ref", t.AccountRef))
+				return response.NotFound(ar.logger, ar.service, err.Error())
+			}
+			return response.Internal(ar.logger, ar.service, err)
+		}
+		return handler(r, &a, t)
+	}
+	ar.tokenHandler(service, endpoint, method, hndlr)
+}

api/server/internal/api/routers/dispatcher.go

@@ -8,6 +8,7 @@ import (
 	api "github.com/tech/sendico/pkg/api/http"
 	"github.com/tech/sendico/pkg/auth"
 	"github.com/tech/sendico/pkg/db/account"
+	"github.com/tech/sendico/pkg/db/confirmation"
 	"github.com/tech/sendico/pkg/db/refreshtokens"
 	"github.com/tech/sendico/pkg/mlogger"
 	"github.com/tech/sendico/pkg/mservice"
@@ -31,7 +32,11 @@ func (d *Dispatcher) AccountHandler(service mservice.Type, endpoint string, meth
 	d.protected.AccountHandler(service, endpoint, method, handler)
 }
 
-func NewDispatcher(logger mlogger.Logger, router chi.Router, db account.DB, rtdb refreshtokens.DB, enforcer auth.Enforcer, config *middleware.Config) *Dispatcher {
+func (d *Dispatcher) PendingAccountHandler(service mservice.Type, endpoint string, method api.HTTPMethod, handler sresponse.PendingAccountHandlerFunc) {
+	d.protected.PendingAccountHandler(service, endpoint, method, handler)
+}
+
+func NewDispatcher(logger mlogger.Logger, router chi.Router, db account.DB, cdb confirmation.DB, rtdb refreshtokens.DB, enforcer auth.Enforcer, config *middleware.Config) *Dispatcher {
 	d := &Dispatcher{
 		logger: logger.Named("api_dispatcher"),
 	}
@@ -40,7 +45,7 @@ func NewDispatcher(logger mlogger.Logger, router chi.Router, db account.DB, rtdb
 	endpoint := os.Getenv(config.EndPointEnv)
 	signature := middleware.SignatureConf(config)
 	router.Group(func(r chi.Router) {
-		d.public = rpublic.NewRouter(d.logger, endpoint, db, rtdb, r, &config.Token, &signature)
+		d.public = rpublic.NewRouter(d.logger, endpoint, db, cdb, rtdb, r, &config.Token, &signature)
 	})
 	router.Group(func(r chi.Router) {
 		d.protected = rauthorized.NewRouter(d.logger, endpoint, r, db, enforcer, &config.Token, &signature)

api/server/internal/api/routers/endpoint/token.go

@@ -18,3 +18,13 @@ func (er *HttpEndpointRouter) CreateAccessToken(user *model.Account) (sresponse.
 	}
 	return token, err
 }
+
+func (er *HttpEndpointRouter) CreatePendingToken(user *model.Account, ttlMinutes int) (sresponse.TokenData, error) {
+	ja := jwtauth.New(er.signature.Algorithm, er.signature.PrivateKey, er.signature.PublicKey)
+	_, res, err := ja.Encode(emodel.PendingAccount2Claims(user, ttlMinutes))
+	token := sresponse.TokenData{
+		Token:      res,
+		Expiration: time.Now().Add(time.Duration(ttlMinutes) * time.Minute),
+	}
+	return token, err
+}

api/server/internal/api/routers/public/login.go

@@ -6,14 +6,20 @@ import (
 	"errors"
 	"net/http"
 	"strings"
+	"time"
 
 	"github.com/tech/sendico/pkg/api/http/response"
 	"github.com/tech/sendico/pkg/merrors"
+	"github.com/tech/sendico/pkg/model"
 	"github.com/tech/sendico/pkg/mservice"
 	"github.com/tech/sendico/server/interface/api/srequest"
+	"github.com/tech/sendico/server/interface/api/sresponse"
+	"github.com/tech/sendico/server/internal/server/confirmationimp"
 	"go.uber.org/zap"
 )
 
+const pendingLoginTTLMinutes = 10
+
 func (pr *PublicRouter) logUserIn(ctx context.Context, r *http.Request, req *srequest.Login) http.HandlerFunc {
 	// Get the account database entry
 	trimmedLogin := strings.TrimSpace(req.Login)
@@ -35,13 +41,23 @@ func (pr *PublicRouter) logUserIn(ctx context.Context, r *http.Request, req *sre
 		return response.Unauthorized(pr.logger, pr.service, "password does not match")
 	}
 
-	accessToken, err := pr.imp.CreateAccessToken(account)
+	pendingToken, err := pr.imp.CreatePendingToken(account, pendingLoginTTLMinutes)
 	if err != nil {
-		pr.logger.Warn("Failed to generate access token", zap.Error(err))
+		pr.logger.Warn("Failed to generate pending token", zap.Error(err))
 		return response.Internal(pr.logger, pr.service, err)
 	}
 
-	return pr.refreshAndRespondLogin(ctx, r, &req.SessionIdentifier, account, &accessToken)
+	cfg := confirmationimp.DefaultConfig()
+	_, rec, err := pr.cstore.Create(ctx, account.ID, account.Login, model.ConfirmationTargetLogin, cfg, pr.generateCode)
+	if err != nil {
+		pr.logger.Warn("Failed to create login confirmation code", zap.Error(err))
+		return response.Internal(pr.logger, pr.service, err)
+	}
+	pr.logger.Info("Login confirmation code issued",
+		zap.String("destination", pr.maskEmail(account.Login)),
+		zap.String("account", account.Login))
+
+	return sresponse.LoginPending(pr.logger, account, &pendingToken, pr.maskEmail(account.Login), int(time.Until(rec.ExpiresAt).Seconds()))
 }
 
 func (a *PublicRouter) login(r *http.Request) http.HandlerFunc {

api/server/internal/api/routers/public/respond.go

@@ -2,59 +2,16 @@ package routers
 
 import (
 	"context"
-	"crypto/rand"
-	"encoding/base64"
-	"io"
 	"net/http"
-	"time"
 
 	"github.com/tech/sendico/pkg/api/http/response"
-	"github.com/tech/sendico/pkg/merrors"
 	"github.com/tech/sendico/pkg/model"
 	"github.com/tech/sendico/pkg/mutil/mzap"
 	"github.com/tech/sendico/server/interface/api/sresponse"
+	rtokens "github.com/tech/sendico/server/internal/api/routers/tokens"
 	"go.uber.org/zap"
 )
 
-func generateRefreshTokenData(length int) (string, error) {
-	randomBytes := make([]byte, length)
-	if _, err := io.ReadFull(rand.Reader, randomBytes); err != nil {
-		return "", merrors.Internal("failed to generate secure random bytes: " + err.Error())
-	}
-
-	return base64.URLEncoding.EncodeToString(randomBytes), nil
-}
-
-func (er *PublicRouter) prepareRefreshToken(ctx context.Context, r *http.Request, session *model.SessionIdentifier, account *model.Account) (*model.RefreshToken, error) {
-	refreshToken, err := generateRefreshTokenData(er.config.Length)
-	if err != nil {
-		er.logger.Warn("Failed to generate refresh token", zap.Error(err), mzap.StorableRef(account))
-		return nil, err
-	}
-
-	token := &model.RefreshToken{
-		AccountBoundBase: model.AccountBoundBase{
-			AccountRef: account.GetID(),
-		},
-		ClientRefreshToken: model.ClientRefreshToken{
-			SessionIdentifier: *session,
-			RefreshToken:      refreshToken,
-		},
-		ExpiresAt: time.Now().Add(time.Duration(er.config.Expiration.Refresh) * time.Hour),
-		IsRevoked: false,
-		UserAgent: r.UserAgent(),
-		IPAddress: r.RemoteAddr,
-	}
-
-	if err = er.rtdb.Create(ctx, token); err != nil {
-		er.logger.Warn("Failed to store a refresh token", zap.Error(err), mzap.StorableRef(account),
-			zap.String("client_id", token.ClientID), zap.String("device_id", token.DeviceID))
-		return nil, err
-	}
-
-	return token, nil
-}
-
 func (pr *PublicRouter) refreshAndRespondLogin(
 	ctx context.Context,
 	r *http.Request,
@@ -62,7 +19,16 @@ func (pr *PublicRouter) refreshAndRespondLogin(
 	account *model.Account,
 	accessToken *sresponse.TokenData,
 ) http.HandlerFunc {
-	refreshToken, err := pr.prepareRefreshToken(ctx, r, session, account)
+	refreshToken, err := rtokens.PrepareRefreshToken(
+		ctx,
+		r,
+		pr.rtdb,
+		pr.config.Length,
+		pr.config.Expiration.Refresh,
+		session,
+		account,
+		pr.logger,
+	)
 	if err != nil {
 		pr.logger.Warn("Failed to create refresh token", zap.Error(err), mzap.StorableRef(account),
 			zap.String("client_id", session.ClientID), zap.String("device_id", session.DeviceID))

api/server/internal/api/routers/public/router.go

@@ -1,20 +1,27 @@
 package routers
 
 import (
+	"crypto/rand"
+	"strings"
+
 	"github.com/go-chi/chi/v5"
 	api "github.com/tech/sendico/pkg/api/http"
 	"github.com/tech/sendico/pkg/db/account"
+	"github.com/tech/sendico/pkg/db/confirmation"
 	"github.com/tech/sendico/pkg/db/refreshtokens"
 	"github.com/tech/sendico/pkg/mlogger"
 	"github.com/tech/sendico/pkg/mservice"
 	"github.com/tech/sendico/server/interface/api/sresponse"
 	"github.com/tech/sendico/server/interface/middleware"
 	re "github.com/tech/sendico/server/internal/api/routers/endpoint"
+	"github.com/tech/sendico/server/internal/server/confirmationimp"
 )
 
 type PublicRouter struct {
 	logger    mlogger.Logger
 	db        account.DB
+	cdb       confirmation.DB
+	cstore    *confirmationimp.ConfirmationStore
 	imp       *re.HttpEndpointRouter
 	rtdb      refreshtokens.DB
 	config    middleware.TokenConfig
@@ -26,11 +33,39 @@ func (pr *PublicRouter) InstallHandler(service mservice.Type, endpoint string, m
 	pr.imp.InstallHandler(service, endpoint, method, handler)
 }
 
-func NewRouter(logger mlogger.Logger, apiEndpoint string, db account.DB, rtdb refreshtokens.DB, router chi.Router, config *middleware.TokenConfig, signature *middleware.Signature) *PublicRouter {
+func (pr *PublicRouter) generateCode() (string, error) {
+	const digits = "0123456789"
+	b := make([]byte, confirmationimp.DefaultConfig().CodeLength)
+	if _, err := rand.Read(b); err != nil {
+		return "", err
+	}
+	for i := range b {
+		b[i] = digits[int(b[i])%len(digits)]
+	}
+	return string(b), nil
+}
+
+func (pr *PublicRouter) maskEmail(email string) string {
+	parts := strings.Split(email, "@")
+	if len(parts) != 2 {
+		return email
+	}
+	local := parts[0]
+	if len(local) > 2 {
+		local = local[:1] + "***" + local[len(local)-1:]
+	} else {
+		local = local[:1] + "***"
+	}
+	return local + "@" + parts[1]
+}
+
+func NewRouter(logger mlogger.Logger, apiEndpoint string, db account.DB, cdb confirmation.DB, rtdb refreshtokens.DB, router chi.Router, config *middleware.TokenConfig, signature *middleware.Signature) *PublicRouter {
 	l := logger.Named("public")
 	hr := PublicRouter{
 		logger:    l,
 		db:        db,
+		cdb:       cdb,
+		cstore:    confirmationimp.NewStore(cdb),
 		rtdb:      rtdb,
 		config:    *config,
 		signature: *signature,

api/server/internal/api/routers/router.go

@@ -12,4 +12,5 @@ type APIRouter interface {
 
 type ProtectedAPIRouter interface {
 	AccountHandler(service mservice.Type, endpoint string, method api.HTTPMethod, handler sresponse.AccountHandlerFunc)
+	PendingAccountHandler(service mservice.Type, endpoint string, method api.HTTPMethod, handler sresponse.PendingAccountHandlerFunc)
 }

api/server/internal/api/routers/tokens/tokens.go

@@ -0,0 +1,65 @@
+package tokens
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/base64"
+	"io"
+	"net/http"
+	"time"
+
+	"github.com/tech/sendico/pkg/db/refreshtokens"
+	"github.com/tech/sendico/pkg/merrors"
+	"github.com/tech/sendico/pkg/mlogger"
+	"github.com/tech/sendico/pkg/model"
+	"github.com/tech/sendico/pkg/mutil/mzap"
+	"go.uber.org/zap"
+)
+
+func generateRefreshTokenData(length int) (string, error) {
+	randomBytes := make([]byte, length)
+	if _, err := io.ReadFull(rand.Reader, randomBytes); err != nil {
+		return "", merrors.Internal("failed to generate secure random bytes: " + err.Error())
+	}
+
+	return base64.URLEncoding.EncodeToString(randomBytes), nil
+}
+
+func PrepareRefreshToken(
+	ctx context.Context,
+	r *http.Request,
+	rtdb refreshtokens.DB,
+	length int,
+	refreshExpiration int,
+	session *model.SessionIdentifier,
+	account *model.Account,
+	logger mlogger.Logger,
+) (*model.RefreshToken, error) {
+	refreshToken, err := generateRefreshTokenData(length)
+	if err != nil {
+		logger.Warn("Failed to generate refresh token", zap.Error(err), mzap.StorableRef(account))
+		return nil, err
+	}
+
+	token := &model.RefreshToken{
+		AccountBoundBase: model.AccountBoundBase{
+			AccountRef: account.GetID(),
+		},
+		ClientRefreshToken: model.ClientRefreshToken{
+			SessionIdentifier: *session,
+			RefreshToken:      refreshToken,
+		},
+		ExpiresAt: time.Now().Add(time.Duration(refreshExpiration) * time.Hour),
+		IsRevoked: false,
+		UserAgent: r.UserAgent(),
+		IPAddress: r.RemoteAddr,
+	}
+
+	if err = rtdb.Create(ctx, token); err != nil {
+		logger.Warn("Failed to store a refresh token", zap.Error(err), mzap.StorableRef(account),
+			zap.String("client_id", token.ClientID), zap.String("device_id", token.DeviceID))
+		return nil, err
+	}
+
+	return token, nil
+}

api/server/internal/server/confirmationimp/request.go

@@ -0,0 +1,48 @@
+package confirmationimp
+
+import (
+	"encoding/json"
+	"net/http"
+	"time"
+
+	"github.com/tech/sendico/pkg/api/http/response"
+	"github.com/tech/sendico/pkg/model"
+	"github.com/tech/sendico/pkg/mutil/mzap"
+	emodel "github.com/tech/sendico/server/interface/model"
+	"go.uber.org/zap"
+)
+
+func (a *ConfirmationAPI) requestCode(r *http.Request, account *model.Account, token *emodel.AccountToken) http.HandlerFunc {
+	var req confirmationRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		a.logger.Warn("Failed to decode confirmation request", zap.Error(err))
+		return response.BadPayload(a.logger, a.Name(), err)
+	}
+
+	target, err := a.parseTarget(req.Target)
+	if err != nil {
+		return response.BadRequest(a.logger, a.Name(), "invalid_target", err.Error())
+	}
+
+	if target == model.ConfirmationTargetLogin && (token == nil || !token.Pending) {
+		return response.Forbidden(a.logger, a.Name(), "pending_token_required", "login confirmation requires pending token")
+	}
+
+	destination := a.resolveDestination(req.Destination, account)
+	if destination == "" {
+		return response.BadRequest(a.logger, a.Name(), "missing_destination", "email destination is required")
+	}
+	code, rec, err := a.store.Create(r.Context(), account.ID, destination, target, a.config, a.generateCode)
+	if err != nil {
+		a.logger.Warn("Failed to create confirmation code", zap.Error(err), mzap.ObjRef("account_ref", account.ID))
+		return response.Internal(a.logger, a.Name(), err)
+	}
+
+	a.sendCode(account, target, destination, code)
+
+	return response.Accepted(a.logger, confirmationResponse{
+		TTLSeconds:      int(time.Until(rec.ExpiresAt).Seconds()),
+		CooldownSeconds: int(a.config.Cooldown.Seconds()),
+		Destination:     maskEmail(destination),
+	})
+}

api/server/internal/server/confirmationimp/resend.go

@@ -0,0 +1,56 @@
+package confirmationimp
+
+import (
+	"encoding/json"
+	"errors"
+	"net/http"
+	"time"
+
+	"github.com/tech/sendico/pkg/api/http/response"
+	"github.com/tech/sendico/pkg/model"
+	"github.com/tech/sendico/pkg/mutil/mzap"
+	emodel "github.com/tech/sendico/server/interface/model"
+	"go.uber.org/zap"
+)
+
+func (a *ConfirmationAPI) resendCode(r *http.Request, account *model.Account, token *emodel.AccountToken) http.HandlerFunc {
+	var req confirmationRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		a.logger.Warn("Failed to decode confirmation resend request", zap.Error(err))
+		return response.BadPayload(a.logger, a.Name(), err)
+	}
+
+	target, err := a.parseTarget(req.Target)
+	if err != nil {
+		return response.BadRequest(a.logger, a.Name(), "invalid_target", err.Error())
+	}
+
+	if target == model.ConfirmationTargetLogin && (token == nil || !token.Pending) {
+		return response.Forbidden(a.logger, a.Name(), "pending_token_required", "login confirmation requires pending token")
+	}
+
+	destination := a.resolveDestination(req.Destination, account)
+	if destination == "" {
+		return response.BadRequest(a.logger, a.Name(), "missing_destination", "email destination is required")
+	}
+	code, rec, err := a.store.Resend(r.Context(), account.ID, destination, target, a.config, a.generateCode)
+	switch {
+	case errors.Is(err, errConfirmationNotFound):
+		return response.NotFound(a.logger, a.Name(), "no_active_code_for_resend")
+	case errors.Is(err, errConfirmationCooldown):
+		return response.Forbidden(a.logger, a.Name(), "cooldown_active", "please wait before requesting another code")
+	case errors.Is(err, errConfirmationResendLimit):
+		return response.Forbidden(a.logger, a.Name(), "resend_limit_reached", "too many resend attempts")
+	case err != nil:
+		a.logger.Warn("Failed to resend confirmation code", zap.Error(err), mzap.ObjRef("account_ref", account.ID))
+		return response.Internal(a.logger, a.Name(), err)
+	}
+
+	a.sendCode(account, target, destination, code)
+
+	return response.Accepted(a.logger, confirmationResponse{
+		TTLSeconds:      int(time.Until(rec.ExpiresAt).Seconds()),
+		CooldownSeconds: int(a.config.Cooldown.Seconds()),
+		Destination:     maskEmail(destination),
+	})
+}

api/server/internal/server/confirmationimp/service.go

@@ -0,0 +1,158 @@
+package confirmationimp
+
+import (
+	"context"
+	"crypto/rand"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/go-chi/jwtauth/v5"
+	api "github.com/tech/sendico/pkg/api/http"
+	"github.com/tech/sendico/pkg/db/refreshtokens"
+	"github.com/tech/sendico/pkg/merrors"
+	"github.com/tech/sendico/pkg/messaging"
+	cnotifications "github.com/tech/sendico/pkg/messaging/notifications/confirmation"
+	"github.com/tech/sendico/pkg/mlogger"
+	"github.com/tech/sendico/pkg/model"
+	"github.com/tech/sendico/pkg/mservice"
+	"github.com/tech/sendico/pkg/mutil/mzap"
+	eapi "github.com/tech/sendico/server/interface/api"
+	"github.com/tech/sendico/server/interface/api/sresponse"
+	"github.com/tech/sendico/server/interface/middleware"
+	emodel "github.com/tech/sendico/server/interface/model"
+	"go.uber.org/zap"
+)
+
+type Config struct {
+	CodeLength  int
+	TTL         time.Duration
+	MaxAttempts int
+	Cooldown    time.Duration
+	ResendLimit int
+}
+
+func defaultConfig() Config {
+	return Config{
+		CodeLength:  6,
+		TTL:         10 * time.Minute,
+		MaxAttempts: 5,
+		Cooldown:    time.Minute,
+		ResendLimit: 5,
+	}
+}
+
+func DefaultConfig() Config {
+	return defaultConfig()
+}
+
+type ConfirmationAPI struct {
+	logger      mlogger.Logger
+	config      Config
+	store       *ConfirmationStore
+	rtdb        refreshtokens.DB
+	producer    messaging.Producer
+	tokenConfig middleware.TokenConfig
+	signature   middleware.Signature
+}
+
+func (a *ConfirmationAPI) Name() mservice.Type {
+	return mservice.Confirmations
+}
+
+func (a *ConfirmationAPI) Finish(_ context.Context) error {
+	return nil
+}
+
+func CreateAPI(a eapi.API) (*ConfirmationAPI, error) {
+	cdb, err := a.DBFactory().NewConfirmationsDB()
+	if err != nil {
+		return nil, err
+	}
+	rtdb, err := a.DBFactory().NewRefreshTokensDB()
+	if err != nil {
+		return nil, err
+	}
+
+	p := &ConfirmationAPI{
+		logger:      a.Logger().Named(mservice.Confirmations),
+		config:      defaultConfig(),
+		store:       NewStore(cdb),
+		rtdb:        rtdb,
+		producer:    a.Register().Messaging().Producer(),
+		tokenConfig: a.Config().Mw.Token,
+		signature:   middleware.SignatureConf(a.Config().Mw),
+	}
+
+	a.Register().PendingAccountHandler(p.Name(), "/confirmations", api.Post, p.requestCode)
+	a.Register().PendingAccountHandler(p.Name(), "/confirmations/resend", api.Post, p.resendCode)
+	a.Register().PendingAccountHandler(p.Name(), "/confirmations/verify", api.Post, p.verifyCode)
+	return p, nil
+}
+
+func (a *ConfirmationAPI) generateCode() (string, error) {
+	const digits = "0123456789"
+	b := make([]byte, a.config.CodeLength)
+	_, err := rand.Read(b)
+	if err != nil {
+		return "", err
+	}
+	for i := range b {
+		b[i] = digits[int(b[i])%len(digits)]
+	}
+	return string(b), nil
+}
+
+func (a *ConfirmationAPI) parseTarget(raw string) (model.ConfirmationTarget, error) {
+	switch strings.ToLower(strings.TrimSpace(raw)) {
+	case string(model.ConfirmationTargetLogin):
+		return model.ConfirmationTargetLogin, nil
+	case string(model.ConfirmationTargetPayout):
+		return model.ConfirmationTargetPayout, nil
+	default:
+		return "", merrors.InvalidArgument(fmt.Sprintf("unsupported target '%s'", raw), "target")
+	}
+}
+
+func (a *ConfirmationAPI) resolveDestination(reqDest string, account *model.Account) string {
+	destination := strings.ToLower(strings.TrimSpace(reqDest))
+	if destination == "" && account != nil {
+		destination = strings.ToLower(strings.TrimSpace(account.Login))
+	}
+	return destination
+}
+
+func (a *ConfirmationAPI) sendCode(account *model.Account, target model.ConfirmationTarget, destination, code string) {
+	a.logger.Info("Confirmation code generated",
+		zap.String("target", string(target)),
+		zap.String("destination", maskEmail(destination)),
+		mzap.ObjRef("account_ref", account.ID))
+	if err := a.producer.SendMessage(cnotifications.Code(a.Name(), account.ID, destination, target, code)); err != nil {
+		a.logger.Warn("Failed to send confirmation code notification", zap.Error(err), mzap.ObjRef("account_ref", account.ID))
+	}
+	a.logger.Debug("Confirmation code debug dump (do not log in production)", zap.String("code", code))
+}
+
+func maskEmail(email string) string {
+	parts := strings.Split(email, "@")
+	if len(parts) != 2 {
+		return email
+	}
+	local := parts[0]
+	if len(local) > 2 {
+		local = local[:1] + "***" + local[len(local)-1:]
+	} else {
+		local = local[:1] + "***"
+	}
+	return local + "@" + parts[1]
+}
+
+func (a *ConfirmationAPI) createAccessToken(account *model.Account) (sresponse.TokenData, error) {
+	ja := jwtauth.New(a.signature.Algorithm, a.signature.PrivateKey, a.signature.PublicKey)
+	_, res, err := ja.Encode(emodel.Account2Claims(account, a.tokenConfig.Expiration.Account))
+	token := sresponse.TokenData{
+		Token:      res,
+		Expiration: time.Now().Add(time.Duration(a.tokenConfig.Expiration.Account) * time.Hour),
+	}
+	return token, err
+}

api/server/internal/server/confirmationimp/store.go

@@ -0,0 +1,181 @@
+package confirmationimp
+
+import (
+	"context"
+	"crypto/rand"
+	"crypto/sha256"
+	"crypto/subtle"
+	"errors"
+	"time"
+
+	"github.com/tech/sendico/pkg/db/confirmation"
+	"github.com/tech/sendico/pkg/merrors"
+	"github.com/tech/sendico/pkg/model"
+	"go.mongodb.org/mongo-driver/bson/primitive"
+)
+
+var (
+	errConfirmationNotFound         = errors.New("confirmation not found or expired")
+	errConfirmationUsed             = errors.New("confirmation already used")
+	errConfirmationMismatch         = errors.New("confirmation code mismatch")
+	errConfirmationAttemptsExceeded = errors.New("confirmation attempts exceeded")
+	errConfirmationCooldown         = errors.New("confirmation cooldown active")
+	errConfirmationResendLimit      = errors.New("confirmation resend limit reached")
+)
+
+type ConfirmationStore struct {
+	db confirmation.DB
+}
+
+func NewStore(db confirmation.DB) *ConfirmationStore {
+	return &ConfirmationStore{db: db}
+}
+
+func (s *ConfirmationStore) Create(
+	ctx context.Context,
+	accountRef primitive.ObjectID,
+	destination string,
+	target model.ConfirmationTarget,
+	cfg Config,
+	generator func() (string, error),
+) (string, *model.ConfirmationCode, error) {
+	if err := s.db.DeleteTuple(ctx, accountRef, destination, target); err != nil && !errors.Is(err, merrors.ErrNoData) {
+		return "", nil, err
+	}
+
+	code, _, rec, err := s.buildRecord(accountRef, destination, target, cfg, generator)
+	if err != nil {
+		return "", nil, err
+	}
+
+	if err := s.db.Create(ctx, rec); err != nil {
+		return "", nil, err
+	}
+
+	return code, rec, nil
+}
+
+func (s *ConfirmationStore) Resend(
+	ctx context.Context,
+	accountRef primitive.ObjectID,
+	destination string,
+	target model.ConfirmationTarget,
+	cfg Config,
+	generator func() (string, error),
+) (string, *model.ConfirmationCode, error) {
+	now := time.Now().UTC()
+	active, err := s.db.FindActive(ctx, accountRef, destination, target, now.Unix())
+	if errors.Is(err, merrors.ErrNoData) {
+		return s.Create(ctx, accountRef, destination, target, cfg, generator)
+	}
+	if err != nil {
+		return "", nil, err
+	}
+	if active.ResendCount >= active.ResendLimit {
+		return "", nil, errConfirmationResendLimit
+	}
+	if now.Before(active.CooldownUntil) {
+		return "", nil, errConfirmationCooldown
+	}
+
+	code, salt, updated, err := s.buildRecord(accountRef, destination, target, cfg, generator)
+	if err != nil {
+		return "", nil, err
+	}
+	// Preserve attempt counters but bump resend count.
+	updated.ID = active.ID
+	updated.CreatedAt = active.CreatedAt
+	updated.Attempts = active.Attempts
+	updated.ResendCount = active.ResendCount + 1
+	updated.Salt = salt
+
+	if err := s.db.Update(ctx, updated); err != nil {
+		return "", nil, err
+	}
+	return code, updated, nil
+}
+
+func (s *ConfirmationStore) Verify(
+	ctx context.Context,
+	accountRef primitive.ObjectID,
+	destination string,
+	target model.ConfirmationTarget,
+	code string,
+) error {
+	now := time.Now().UTC()
+	rec, err := s.db.FindActive(ctx, accountRef, destination, target, now.Unix())
+	if errors.Is(err, merrors.ErrNoData) {
+		return errConfirmationNotFound
+	}
+	if err != nil {
+		return err
+	}
+	if rec.Used {
+		return errConfirmationUsed
+	}
+
+	rec.Attempts++
+	if rec.Attempts > rec.MaxAttempts {
+		rec.Used = true
+		_ = s.db.Update(ctx, rec)
+		return errConfirmationAttemptsExceeded
+	}
+
+	if subtle.ConstantTimeCompare(rec.CodeHash, hashCode(rec.Salt, code)) != 1 {
+		_ = s.db.Update(ctx, rec)
+		return errConfirmationMismatch
+	}
+
+	rec.Used = true
+	return s.db.Update(ctx, rec)
+}
+
+func (s *ConfirmationStore) buildRecord(
+	accountRef primitive.ObjectID,
+	destination string,
+	target model.ConfirmationTarget,
+	cfg Config,
+	generator func() (string, error),
+) (string, []byte, *model.ConfirmationCode, error) {
+	code, err := generator()
+	if err != nil {
+		return "", nil, nil, err
+	}
+	salt, err := newSalt()
+	if err != nil {
+		return "", nil, nil, err
+	}
+
+	now := time.Now().UTC()
+	rec := model.NewConfirmationCode(accountRef)
+	rec.Destination = destination
+	rec.Target = target
+	rec.CodeHash = hashCode(salt, code)
+	rec.Salt = salt
+	rec.ExpiresAt = now.Add(cfg.TTL)
+	rec.MaxAttempts = cfg.MaxAttempts
+	rec.ResendLimit = cfg.ResendLimit
+	rec.CooldownUntil = now.Add(cfg.Cooldown)
+	rec.Used = false
+	rec.Attempts = 0
+	rec.ResendCount = 0
+	rec.CreatedAt = now
+	rec.UpdatedAt = now
+
+	return code, salt, rec, nil
+}
+
+func hashCode(salt []byte, code string) []byte {
+	h := sha256.New()
+	h.Write(salt)
+	h.Write([]byte(code))
+	return h.Sum(nil)
+}
+
+func newSalt() ([]byte, error) {
+	buf := make([]byte, 16)
+	if _, err := rand.Read(buf); err != nil {
+		return nil, err
+	}
+	return buf, nil
+}

api/server/internal/server/confirmationimp/types.go

@@ -0,0 +1,23 @@
+package confirmationimp
+
+import (
+	"github.com/tech/sendico/pkg/model"
+)
+
+type confirmationRequest struct {
+	Target      string `json:"target"`
+	Destination string `json:"destination,omitempty"`
+}
+
+type confirmationVerifyRequest struct {
+	Target            string                  `json:"target"`
+	Code              string                  `json:"code"`
+	Destination       string                  `json:"destination,omitempty"`
+	SessionIdentifier model.SessionIdentifier `json:"sessionIdentifier"`
+}
+
+type confirmationResponse struct {
+	TTLSeconds      int    `json:"ttl_seconds"`
+	CooldownSeconds int    `json:"cooldown_seconds"`
+	Destination     string `json:"destination"`
+}

api/server/internal/server/confirmationimp/verify.go

@@ -0,0 +1,88 @@
+package confirmationimp
+
+import (
+	"encoding/json"
+	"errors"
+	"net/http"
+	"strings"
+
+	"github.com/tech/sendico/pkg/api/http/response"
+	"github.com/tech/sendico/pkg/model"
+	"github.com/tech/sendico/pkg/mutil/mzap"
+	"github.com/tech/sendico/server/interface/api/sresponse"
+	emodel "github.com/tech/sendico/server/interface/model"
+	rtokens "github.com/tech/sendico/server/internal/api/routers/tokens"
+	"go.uber.org/zap"
+)
+
+func (a *ConfirmationAPI) verifyCode(r *http.Request, account *model.Account, token *emodel.AccountToken) http.HandlerFunc {
+	var req confirmationVerifyRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		a.logger.Warn("Failed to decode confirmation verification request", zap.Error(err))
+		return response.BadPayload(a.logger, a.Name(), err)
+	}
+
+	target, err := a.parseTarget(req.Target)
+	if err != nil {
+		return response.BadRequest(a.logger, a.Name(), "invalid_target", err.Error())
+	}
+
+	if target == model.ConfirmationTargetLogin && (token == nil || !token.Pending) {
+		return response.Forbidden(a.logger, a.Name(), "pending_token_required", "login confirmation requires pending token")
+	}
+
+	if strings.TrimSpace(req.Code) == "" {
+		return response.BadRequest(a.logger, a.Name(), "missing_code", "confirmation code is required")
+	}
+
+	destination := a.resolveDestination(req.Destination, account)
+	if destination == "" {
+		return response.BadRequest(a.logger, a.Name(), "missing_destination", "email destination is required")
+	}
+	err = a.store.Verify(r.Context(), account.ID, destination, target, strings.TrimSpace(req.Code))
+	switch {
+	case errors.Is(err, errConfirmationNotFound):
+		return response.NotFound(a.logger, a.Name(), "code_not_found_or_expired")
+	case errors.Is(err, errConfirmationUsed):
+		return response.Forbidden(a.logger, a.Name(), "code_used", "code has already been used")
+	case errors.Is(err, errConfirmationAttemptsExceeded):
+		return response.Forbidden(a.logger, a.Name(), "attempt_limit_reached", "too many failed attempts")
+	case errors.Is(err, errConfirmationMismatch):
+		return response.Forbidden(a.logger, a.Name(), "invalid_code", "code does not match")
+	case err != nil:
+		a.logger.Warn("Failed to verify confirmation code", zap.Error(err), mzap.ObjRef("account_ref", account.ID))
+		return response.Internal(a.logger, a.Name(), err)
+	}
+
+	a.logger.Info("Confirmation code verified", zap.String("target", string(target)), mzap.ObjRef("account_ref", account.ID))
+	if target == model.ConfirmationTargetLogin {
+		if req.SessionIdentifier.ClientID == "" || req.SessionIdentifier.DeviceID == "" {
+			return response.BadRequest(a.logger, a.Name(), "missing_session", "session identifier is required")
+		}
+		accessToken, err := a.createAccessToken(account)
+		if err != nil {
+			a.logger.Warn("Failed to generate access token", zap.Error(err))
+			return response.Internal(a.logger, a.Name(), err)
+		}
+		refreshToken, err := rtokens.PrepareRefreshToken(
+			r.Context(),
+			r,
+			a.rtdb,
+			a.tokenConfig.Length,
+			a.tokenConfig.Expiration.Refresh,
+			&req.SessionIdentifier,
+			account,
+			a.logger,
+		)
+		if err != nil {
+			a.logger.Warn("Failed to generate refresh token", zap.Error(err))
+			return response.Internal(a.logger, a.Name(), err)
+		}
+		rt := sresponse.TokenData{
+			Token:      refreshToken.RefreshToken,
+			Expiration: refreshToken.ExpiresAt,
+		}
+		return sresponse.Login(a.logger, account, &accessToken, &rt)
+	}
+	return response.Success(a.logger)
+}