User Story #536

open

Feature #533: Authentication Hum Rahi

EPIC #534: Epic: User Authentication - Mobile & OTP

User Story 2: Back-End - OTP Generation & WhatsApp Integration

Added by Islam Mansoori about 1 month ago. Updated about 1 month ago.

Status: To Do
Priority: low
Assignee: -
Target version:
Start date:
Due date:
% Done: 90%
Estimated time: (Total: 0:00 h)

Description

As a System, I want to receive a mobile number, generate a secure OTP, and trigger a WhatsApp message, so that the user's identity can be verified.

  • In-Scope:
    • RESTful API endpoint (/api/v1/auth/request-otp).
    • OTP generation logic (6-digit numeric).
    • Integration with a WhatsApp Service Provider (e.g., Twilio, Meta Graph API).
    • Rate limiting per mobile number.
  • Out-of-Scope:
    • Verification of the OTP (handled in the next story/page).
    • User profile creation (handled after successful verification).
  • Acceptance Criteria (AC):
    • AC1: Endpoint accepts mobile_number and remember_me boolean.
    • AC2: Generate a unique 6-digit OTP and store it in the cache (e.g., Redis) with a 5-minute expiry.
    • AC3: Send the OTP via the configured WhatsApp API.
    • AC4: Return a 200 OK status upon successful handoff to the provider.
  • Validation Rules:
    • Rate Limit: Maximum 3 OTP requests per 10 minutes per IP/Number.
    • Data Integrity: Ensure the number is stripped of whitespace before processing.
  • Error Messages:
    • Too many requests: "Too many attempts. Please try again in 10 minutes."
    • Provider Down: "Unable to send OTP at this moment. Please try again later."
  • Definition of Done (DoD):
    • API endpoint documented in Swagger/OpenAPI.
    • OTP successfully received on a test device via WhatsApp.
    • Code reviewed and merged to the develop branch.
    • Integration tests for the WhatsApp provider passed.
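
A minimal sketch of the request path described in AC2 and the validation rules, added here as an illustration and not the project's own code. The in-memory dictionaries stand in for Redis, the limit is keyed on the number only, and the 429 status and all names are assumptions; the WhatsApp handoff is left out.

```python
import secrets
import time

OTP_TTL_SECONDS = 5 * 60       # AC2: 5-minute expiry
RATE_LIMIT_MAX = 3             # validation rule: at most 3 requests ...
RATE_LIMIT_WINDOW = 10 * 60    # ... per 10 minutes
TOO_MANY = "Too many attempts. Please try again in 10 minutes."


class OtpService:
    """Hypothetical service; dicts replace the Redis cache in this sketch."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock    # injectable so expiry can be tested
        self._otps = {}        # number -> (otp, expires_at)
        self._requests = {}    # number -> timestamps of accepted requests

    @staticmethod
    def normalize(mobile_number):
        # Data integrity rule: strip all whitespace before processing.
        return "".join(mobile_number.split())

    def _allow(self, number, now):
        # Sliding window: keep only requests newer than the window.
        recent = [t for t in self._requests.get(number, [])
                  if now - t < RATE_LIMIT_WINDOW]
        allowed = len(recent) < RATE_LIMIT_MAX
        if allowed:
            recent.append(now)
        self._requests[number] = recent
        return allowed

    def request_otp(self, mobile_number):
        """Return (status, message); the OTP itself never goes to the caller."""
        number = self.normalize(mobile_number)
        now = self._clock()
        if not self._allow(number, now):
            return 429, TOO_MANY
        # CSPRNG draw, uniform over 000000-999999, leading zeros preserved.
        otp = f"{secrets.randbelow(10**6):06d}"
        self._otps[number] = (otp, now + OTP_TTL_SECONDS)
        return 200, "OK"

    def stored_otp(self, mobile_number):
        """Return the live OTP for a number, or None once it has expired."""
        number = self.normalize(mobile_number)
        entry = self._otps.get(number)
        if entry is None or self._clock() >= entry[1]:
            self._otps.pop(number, None)
            return None
        return entry[0]
```
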

Subtasks 10 (2 open, 8 closed)

Task #547: Create OTP Request API Endpoint | Backend completed | zaid ali
Task #548: Implement OTP Generation Logic | Backend completed | zaid ali
Task #549: Implement Redis-Based OTP Storage | Backend completed | zaid ali
Task #550: Implement Kafka Event Publishing for OTP Delivery | Backend completed | zaid ali
Task #551: Implement Kafka Listener for WhatsApp Notifications | Backend completed | zaid ali
Task #552: Integrate Twilio WhatsApp Service for OTP Delivery | Backend completed | zaid ali
Task #553: Implement Phone Number Validation and Normalization | Backend completed | zaid ali
Task #554: Implement Error Handling for OTP Requests | In Progress | zaid ali
Task #555: Implement OTP Expiry Management | Backend completed | zaid ali
Task #556: Document OTP API Endpoint in Swagger/OpenAPI | To Do | zaid ali
