59 lines
1.8 KiB
JavaScript
59 lines
1.8 KiB
JavaScript
import { verifyTOTP } from "../utils/totp";
|
|
import { isRateLimited } from "../utils/rate-limiter.js";
|
|
import { normalizeAndValidatePhoneNumber } from "../utils/phone-validator.js";
|
|
|
|
export default defineEventHandler(async (event) => {
|
|
const config = useRuntimeConfig();
|
|
const { phoneNumber: rawPhoneNumber, code } = await readBody(event);
|
|
let normalizedPhoneNumber;
|
|
|
|
try {
|
|
normalizedPhoneNumber = normalizeAndValidatePhoneNumber(rawPhoneNumber);
|
|
} catch (error) {
|
|
// The validator throws an error with a user-friendly message.
|
|
throw createError({ statusCode: 400, statusMessage: error.message });
|
|
}
|
|
|
|
if (!code) {
|
|
throw createError({
|
|
statusCode: 400,
|
|
statusMessage: "Verification code is required.",
|
|
});
|
|
}
|
|
|
|
// Prevent abuse by checking rate limit before doing anything
|
|
if (isRateLimited(normalizedPhoneNumber)) {
|
|
throw createError({
|
|
statusCode: 429,
|
|
statusMessage:
|
|
"You have already sent a message within the last week. Please try again later.",
|
|
});
|
|
}
|
|
|
|
// Check for necessary server configuration.
|
|
if (!config.superSecretSalt) {
|
|
console.error("SUPER_SECRET_SALT is not configured on the server.");
|
|
// This is an internal server error, so we don't expose details to the client.
|
|
throw createError({
|
|
statusCode: 500,
|
|
statusMessage: "A server configuration error occurred.",
|
|
});
|
|
}
|
|
|
|
const isValid = verifyTOTP(
|
|
normalizedPhoneNumber,
|
|
config.superSecretSalt,
|
|
code,
|
|
);
|
|
|
|
if (isValid) {
|
|
// In a stateful app, one might set a session cookie here.
|
|
return { success: true };
|
|
} else {
|
|
// The code is incorrect or has expired.
|
|
throw createError({
|
|
statusCode: 401, // Unauthorized
|
|
statusMessage: "Invalid or expired verification code.",
|
|
});
|
|
}
|
|
});
|