feat: add contact form with SMS OTP verification

server/api/verify-otp.post.js

@@ -0,0 +1,59 @@
+import { verifyTOTP } from "../utils/totp";
+import { isRateLimited } from "../utils/rate-limiter.js";
+import { normalizeAndValidatePhoneNumber } from "../utils/phone-validator.js";
+
+export default defineEventHandler(async (event) => {
+  const config = useRuntimeConfig();
+  const { phoneNumber: rawPhoneNumber, code } = await readBody(event);
+  let normalizedPhoneNumber;
+
+  try {
+    normalizedPhoneNumber = normalizeAndValidatePhoneNumber(rawPhoneNumber);
+  } catch (error) {
+    // The validator throws an error with a user-friendly message.
+    throw createError({ statusCode: 400, statusMessage: error.message });
+  }
+
+  if (!code) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Verification code is required.",
+    });
+  }
+
+  // Prevent abuse by checking rate limit before doing anything
+  if (isRateLimited(normalizedPhoneNumber)) {
+    throw createError({
+      statusCode: 429,
+      statusMessage:
+        "You have already sent a message within the last week. Please try again later.",
+    });
+  }
+
+  // Check for necessary server configuration.
+  if (!config.superSecretSalt) {
+    console.error("SUPER_SECRET_SALT is not configured on the server.");
+    // This is an internal server error, so we don't expose details to the client.
+    throw createError({
+      statusCode: 500,
+      statusMessage: "A server configuration error occurred.",
+    });
+  }
+
+  const isValid = verifyTOTP(
+    normalizedPhoneNumber,
+    config.superSecretSalt,
+    code,
+  );
+
+  if (isValid) {
+    // In a stateful app, one might set a session cookie here.
+    return { success: true };
+  } else {
+    // The code is incorrect or has expired.
+    throw createError({
+      statusCode: 401, // Unauthorized
+      statusMessage: "Invalid or expired verification code.",
+    });
+  }
+});