API — Authentication
Authentication Flow
1. POST /api/v1/auth/otp/request (MSISDN) → OTP sent by SMS
2. POST /api/v1/auth/otp/verify (MSISDN + OTP) → session_token (JWT, valid 900 s)
3. GET /api/v1/auth/session (Bearer JWT) → validate the token
Endpoints
POST /api/v1/auth/otp/request
Request an OTP by SMS.
```bash
curl -X POST https://api-rgz.duckdns.org/api/v1/auth/otp/request \
  -H "Content-Type: application/json" \
  -d '{"msisdn": "+22900000000"}'
```
Body:
```json
{"msisdn": "+22900000000"}
```
Response 200:
```json
{"otp_token": "550e8400-e29b-41d4-a716-446655440000"}
```
Errors:
| Code | Description |
|---|---|
| ERR_RATE_LIMITED | Too many requests (3 per minute per MSISDN) |
| ERR_MSISDN_INVALID | Invalid MSISDN format |
POST /api/v1/auth/otp/verify
Verify the OTP and create a session.
```bash
curl -X POST https://api-rgz.duckdns.org/api/v1/auth/otp/verify \
  -H "Content-Type: application/json" \
  -d '{"msisdn": "+22900000000", "otp": "123456"}'
```
Body:
```json
{"msisdn": "+22900000000", "otp": "123456"}
```
Response 200 (`expires_in` is in seconds):
```json
{
  "session_token": "eyJhbGci...",
  "subscriber_ref": "RGZ-0022900000000",
  "expires_in": 900
}
```
Errors:
| Code | Description |
|---|---|
| ERR_OTP_INVALID | Incorrect or expired OTP |
| ERR_OTP_EXPIRED | OTP expired (5-minute TTL) |
GET /api/v1/auth/session
Validate the active token.
```bash
curl -H "Authorization: Bearer $JWT" \
  https://api-rgz.duckdns.org/api/v1/auth/session
```
Response 200:
```json
{
  "valid": true,
  "subscriber_ref": "RGZ-0022900000000",
  "expires_at": "2026-02-21T15:30:00Z"
}
```
Security Notes
- OTP valid for 5 minutes (Redis TTL=300s)
- OTP bound to the subscriber_id UUID (not to the phone number)
- Comparison via hmac.compare_digest() (timing-attack protection)
- Rate limit: 3 OTP requests per minute per MSISDN
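The whole flow above, modelled server-side as an added example (not the API's own code): an in-memory TTL store stands in for Redis, a list stands in for the SMS gateway, and the session token is an opaque random string rather than the JWT the API issues. It goes beyond the page in one respect, which the lead-in flags here: it caps verify attempts per OTP, since the page lists a rate limit only on /otp/request and a 6-digit OTP valid for 5 minutes is otherwise open to online guessing. The class and function names (OtpService, TTLStore, ManualClock, subscriber_ref), the derivation of subscriber_ref from the MSISDN, and the handling of an unknown MSISDN are all assumptions.

```python
"""Server-side model of the OTP flow on this page (added example, not the API's code).
In-memory TTL store for Redis, a list for the SMS gateway, opaque token for the JWT.
"""
import hmac
import secrets
import time
import uuid

OTP_TTL_S = 300          # page: OTP valid 5 minutes (Redis TTL=300s)
OTP_RATE_LIMIT = 3       # page: 3 OTP requests per minute per MSISDN
OTP_RATE_WINDOW_S = 60
OTP_MAX_ATTEMPTS = 5     # not on the page: caps guesses at a 6-digit OTP within its TTL
SESSION_TTL_S = 900      # page: "expires_in": 900


class ManualClock:
    # Adjustable clock so TTL and rate-limit behaviour can be exercised offline.
    def __init__(self, now=0.0):
        self.now = now
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class TTLStore:
    # Stand-in for Redis SET ... EX / GET / DEL with lazy expiry (not a Redis client).
    def __init__(self, clock):
        self._clock = clock
        self._data = {}  # key -> (value, expires_at)

    def set(self, key, value, ttl_s):
        self._data[key] = (value, self._clock() + ttl_s)

    def get(self, key):
        item = self._data.get(key)
        if item is None or self._clock() >= item[1]:
            self._data.pop(key, None)  # an expired key reads exactly like a missing one
            return None
        return item[0]

    def delete(self, key):
        self._data.pop(key, None)


def subscriber_ref(msisdn):
    # Assumed from the page's example: "+22900000000" -> "RGZ-0022900000000".
    return "RGZ-00" + msisdn[1:]


class OtpService:
    def __init__(self, subscribers, clock=time.monotonic):
        self._subscribers = subscribers  # MSISDN -> subscriber_id UUID (constructed directory)
        self._clock = clock
        self._store = TTLStore(clock)
        self._request_log = {}  # MSISDN -> timestamps of recent /otp/request calls
        self.sent_sms = []       # (msisdn, otp) pairs the "gateway" would have sent

    def request_otp(self, msisdn):
        if not (msisdn.startswith("+") and msisdn[1:].isdigit() and 8 <= len(msisdn) <= 16):
            return {"error": "ERR_MSISDN_INVALID"}
        now = self._clock()
        recent = [t for t in self._request_log.get(msisdn, []) if now - t < OTP_RATE_WINDOW_S]
        if len(recent) >= OTP_RATE_LIMIT:
            return {"error": "ERR_RATE_LIMITED"}
        self._request_log[msisdn] = recent + [now]
        subscriber_id = self._subscribers.get(msisdn)
        if subscriber_id is None:
            return {"error": "ERR_MSISDN_INVALID"}  # unspecified on the page; example's choice
        otp = f"{secrets.randbelow(10**6):06d}"  # 6 digits, like "123456" on the page
        # Keyed by the subscriber UUID, not the MSISDN, as the security notes require.
        self._store.set(f"otp:{subscriber_id}", {"otp": otp, "tries": 0}, OTP_TTL_S)
        self.sent_sms.append((msisdn, otp))
        return {"otp_token": str(uuid.uuid4())}  # returned by the page; /verify does not take it

    def verify_otp(self, msisdn, otp):
        subscriber_id = self._subscribers.get(msisdn)
        key = f"otp:{subscriber_id}"
        rec = self._store.get(key) if subscriber_id else None
        if rec is None:
            # Redis has already dropped an expired key, so "expired" and "never issued" look
            # the same here; both map to ERR_OTP_INVALID ("incorrect or expired").
            return {"error": "ERR_OTP_INVALID"}
        rec["tries"] += 1
        if rec["tries"] > OTP_MAX_ATTEMPTS:
            self._store.delete(key)  # too many guesses: burn the OTP even if this one is right
            return {"error": "ERR_OTP_INVALID"}
        # Compare bytes: compare_digest on str raises on non-ASCII input; on bytes it is
        # constant-time for equal-length values and simply False for unequal lengths.
        if not hmac.compare_digest(rec["otp"].encode(), str(otp).encode()):
            return {"error": "ERR_OTP_INVALID"}
        self._store.delete(key)  # single use: replaying the same OTP fails
        token = secrets.token_urlsafe(32)  # opaque stand-in for the session JWT
        self._store.set(f"session:{token}", msisdn, SESSION_TTL_S)
        return {"session_token": token, "subscriber_ref": subscriber_ref(msisdn), "expires_in": SESSION_TTL_S}

    def validate_session(self, token):
        msisdn = self._store.get(f"session:{token}")
        if msisdn is None:
            return {"valid": False}
        return {"valid": True, "subscriber_ref": subscriber_ref(msisdn)}
```

Because Redis deletes the key at TTL, the example cannot tell an expired OTP from one that was never issued and returns ERR_OTP_INVALID for both; emitting the page's separate ERR_OTP_EXPIRED would require recording the issue time under a longer-lived key.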
Last updated: 2026-02-21