Hum Rahi

Role: Back-End User Story Story: As a System, I want to validate the 6-digit code against the stored value and initiate a session, so that I can confirm the user's identity and grant access.

• In-Scope: * POST Endpoint /api/v1/auth/verify-otp.
  • Logic to compare submitted OTP with cached value.
  • Generation of JWT/Session token upon success.
• Out-of-Scope: Handling lockout logic (covered in HR-BE-02).
• Acceptance Criteria (AC):
  • AC1: Return 200 OK + Auth Token if OTP matches.
  • AC2: Return 401 Unauthorized if OTP is incorrect or expired.
  • AC3: Invalidate the OTP immediately after one successful use.
• Validation Rules: Request must contain mobile_number and a string of 6 digits.
• Error Messages: * Incorrect: "The code you entered is incorrect."
  • Expired: "This OTP has expired. Please request a new one."
• Definition of Done (DoD): API documented in Swagger; Unit tests cover Match/Mismatch/Expiry; Security review of token signature.