sendico/api/server/internal/server/confirmationimp/verify.go

package confirmationimp

import (
	"encoding/json"
	"errors"
	"net/http"
	"strings"

	"github.com/tech/sendico/pkg/api/http/response"
	"github.com/tech/sendico/pkg/model"
	"github.com/tech/sendico/pkg/mutil/mzap"
	"github.com/tech/sendico/server/interface/api/sresponse"
	emodel "github.com/tech/sendico/server/interface/model"
	rtokens "github.com/tech/sendico/server/internal/api/routers/tokens"
	"go.uber.org/zap"
)

func (a *ConfirmationAPI) verifyCode(r *http.Request, account *model.Account, token *emodel.AccountToken) http.HandlerFunc {
	var req confirmationVerifyRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		a.logger.Warn("Failed to decode confirmation verification request", zap.Error(err))
		return response.BadPayload(a.logger, a.Name(), err)
	}

	target, err := a.parseTarget(req.Target)
	if err != nil {
		return response.BadRequest(a.logger, a.Name(), "invalid_target", err.Error())
	}

	if target == model.ConfirmationTargetLogin && (token == nil || !token.Pending) {
		return response.Forbidden(a.logger, a.Name(), "pending_token_required", "login confirmation requires pending token")
	}

	if strings.TrimSpace(req.Code) == "" {
		return response.BadRequest(a.logger, a.Name(), "missing_code", "confirmation code is required")
	}

	destination := a.resolveDestination(req.Destination, account)
	if destination == "" {
		return response.BadRequest(a.logger, a.Name(), "missing_destination", "email destination is required")
	}
	err = a.store.Verify(r.Context(), account.ID, destination, target, strings.TrimSpace(req.Code))
	switch {
	case errors.Is(err, errConfirmationNotFound):
		return response.NotFound(a.logger, a.Name(), "code_not_found_or_expired")
	case errors.Is(err, errConfirmationUsed):
		return response.Forbidden(a.logger, a.Name(), "code_used", "code has already been used")
	case errors.Is(err, errConfirmationAttemptsExceeded):
		return response.Forbidden(a.logger, a.Name(), "attempt_limit_reached", "too many failed attempts")
	case errors.Is(err, errConfirmationMismatch):
		return response.Forbidden(a.logger, a.Name(), "invalid_code", "code does not match")
	case err != nil:
		a.logger.Warn("Failed to verify confirmation code", zap.Error(err), mzap.ObjRef("account_ref", account.ID))
		return response.Internal(a.logger, a.Name(), err)
	}

	a.logger.Info("Confirmation code verified", zap.String("target", string(target)), mzap.ObjRef("account_ref", account.ID))
	if target == model.ConfirmationTargetLogin {
		if req.SessionIdentifier.ClientID == "" || req.SessionIdentifier.DeviceID == "" {
			return response.BadRequest(a.logger, a.Name(), "missing_session", "session identifier is required")
		}
		accessToken, err := a.createAccessToken(account)
		if err != nil {
			a.logger.Warn("Failed to generate access token", zap.Error(err))
			return response.Internal(a.logger, a.Name(), err)
		}
		refreshToken, err := rtokens.PrepareRefreshToken(
			r.Context(),
			r,
			a.rtdb,
			a.tokenConfig.Length,
			a.tokenConfig.Expiration.Refresh,
			&req.SessionIdentifier,
			account,
			a.logger,
		)
		if err != nil {
			a.logger.Warn("Failed to generate refresh token", zap.Error(err))
			return response.Internal(a.logger, a.Name(), err)
		}
		rt := sresponse.TokenData{
			Token:      refreshToken.RefreshToken,
			Expiration: refreshToken.ExpiresAt,
		}
		return sresponse.Login(a.logger, account, &accessToken, &rt)
	}
	return response.Success(a.logger)
}