template-monorepo/internal/model/auth/usecase/login_mfa_challenge_usecase.go

package usecase

import (
	"context"
	"errors"
	"time"

	authdomain "gateway/internal/model/auth/domain"
	domrepo "gateway/internal/model/auth/domain/repository"
	domusecase "gateway/internal/model/auth/domain/usecase"

	"github.com/google/uuid"
)

type loginMFAChallengeUseCase struct {
	store domrepo.LoginMFAChallengeStore
}

// LoginMFAChallengeUseCaseParam wires LoginMFAChallengeUseCase.
type LoginMFAChallengeUseCaseParam struct {
	Store domrepo.LoginMFAChallengeStore
}

// MustLoginMFAChallengeUseCase constructs LoginMFAChallengeUseCase.
func MustLoginMFAChallengeUseCase(param LoginMFAChallengeUseCaseParam) domusecase.LoginMFAChallengeUseCase {
	if param.Store == nil {
		panic("auth: login mfa challenge store is required")
	}
	return &loginMFAChallengeUseCase{store: param.Store}
}

func (uc *loginMFAChallengeUseCase) Create(ctx context.Context, req *domusecase.CreateLoginMFAChallengeRequest) (*domusecase.LoginMFAChallengeView, error) {
	if req == nil || req.TenantID == "" || req.TenantSlug == "" || req.UID == "" {
		return nil, errb.InputMissingRequired("tenant_id, tenant_slug and uid are required")
	}
	ttl := req.TTL
	if ttl <= 0 {
		ttl = 5 * time.Minute
	}
	challengeID := uuid.NewString()
	challenge := &domrepo.LoginMFAChallenge{
		ChallengeID: challengeID,
		TenantID:    req.TenantID,
		TenantSlug:  req.TenantSlug,
		UID:         req.UID,
	}
	if err := uc.store.Save(ctx, challenge, ttl); err != nil {
		return nil, wrapRepoErr(err, "save login mfa challenge failed")
	}
	return &domusecase.LoginMFAChallengeView{
		ChallengeID: challengeID,
		ExpiresIn:   int(ttl.Seconds()),
	}, nil
}

func (uc *loginMFAChallengeUseCase) Get(ctx context.Context, challengeID string) (*domusecase.CreateLoginMFAChallengeRequest, error) {
	if challengeID == "" {
		return nil, errb.InputMissingRequired("challenge_id is required")
	}
	challenge, err := uc.store.Get(ctx, challengeID)
	if err != nil {
		if errors.Is(err, authdomain.ErrLoginMFAChallengeNotFound) {
			return nil, errb.ResNotFound("login mfa challenge", challengeID).WithCause(err)
		}
		return nil, wrapRepoErr(err, "read login mfa challenge failed")
	}
	return &domusecase.CreateLoginMFAChallengeRequest{
		TenantID:   challenge.TenantID,
		TenantSlug: challenge.TenantSlug,
		UID:        challenge.UID,
	}, nil
}

func (uc *loginMFAChallengeUseCase) Delete(ctx context.Context, challengeID string) error {
	if challengeID == "" {
		return errb.InputMissingRequired("challenge_id is required")
	}
	if err := uc.store.Delete(ctx, challengeID); err != nil {
		return wrapRepoErr(err, "delete login mfa challenge failed")
	}
	return nil
}

var _ domusecase.LoginMFAChallengeUseCase = (*loginMFAChallengeUseCase)(nil)
feat(auth): 登入 MFA、忘記/改密碼與註冊恢復流程補齊平台帳號（platform_native）的密碼自助能力，並讓未完成 Email 驗證的使用者可恢復註冊；OIDC/LDAP/SCIM 帳號禁止在本系統變更密碼。登入若已啟用 TOTP 改為兩階段驗證，OTP 重送加入 60 秒冷卻；同步調整 golangci 排除路徑與 zitadel lint 修正。 Co-authored-by: Cursor <cursoragent@cursor.com> 2026-05-26 16:55:37 +00:00			`package usecase`

			`import (`
			`"context"`
			`"errors"`
			`"time"`

			`authdomain "gateway/internal/model/auth/domain"`
			`domrepo "gateway/internal/model/auth/domain/repository"`
			`domusecase "gateway/internal/model/auth/domain/usecase"`

			`"github.com/google/uuid"`
			`)`

			`type loginMFAChallengeUseCase struct {`
			`store domrepo.LoginMFAChallengeStore`
			`}`

			`// LoginMFAChallengeUseCaseParam wires LoginMFAChallengeUseCase.`
			`type LoginMFAChallengeUseCaseParam struct {`
			`Store domrepo.LoginMFAChallengeStore`
			`}`

			`// MustLoginMFAChallengeUseCase constructs LoginMFAChallengeUseCase.`
			`func MustLoginMFAChallengeUseCase(param LoginMFAChallengeUseCaseParam) domusecase.LoginMFAChallengeUseCase {`
			`if param.Store == nil {`
			`panic("auth: login mfa challenge store is required")`
			`}`
			`return &loginMFAChallengeUseCase{store: param.Store}`
			`}`

			`func (uc loginMFAChallengeUseCase) Create(ctx context.Context, req domusecase.CreateLoginMFAChallengeRequest) (*domusecase.LoginMFAChallengeView, error) {`
			`if req == nil \|\| req.TenantID == "" \|\| req.TenantSlug == "" \|\| req.UID == "" {`
			`return nil, errb.InputMissingRequired("tenant_id, tenant_slug and uid are required")`
			`}`
			`ttl := req.TTL`
			`if ttl <= 0 {`
			`ttl = 5 * time.Minute`
			`}`
			`challengeID := uuid.NewString()`
			`challenge := &domrepo.LoginMFAChallenge{`
			`ChallengeID: challengeID,`
			`TenantID: req.TenantID,`
			`TenantSlug: req.TenantSlug,`
			`UID: req.UID,`
			`}`
			`if err := uc.store.Save(ctx, challenge, ttl); err != nil {`
			`return nil, wrapRepoErr(err, "save login mfa challenge failed")`
			`}`
			`return &domusecase.LoginMFAChallengeView{`
			`ChallengeID: challengeID,`
			`ExpiresIn: int(ttl.Seconds()),`
			`}, nil`
			`}`

			`func (uc loginMFAChallengeUseCase) Get(ctx context.Context, challengeID string) (domusecase.CreateLoginMFAChallengeRequest, error) {`
			`if challengeID == "" {`
			`return nil, errb.InputMissingRequired("challenge_id is required")`
			`}`
			`challenge, err := uc.store.Get(ctx, challengeID)`
			`if err != nil {`
			`if errors.Is(err, authdomain.ErrLoginMFAChallengeNotFound) {`
			`return nil, errb.ResNotFound("login mfa challenge", challengeID).WithCause(err)`
			`}`
			`return nil, wrapRepoErr(err, "read login mfa challenge failed")`
			`}`
			`return &domusecase.CreateLoginMFAChallengeRequest{`
			`TenantID: challenge.TenantID,`
			`TenantSlug: challenge.TenantSlug,`
			`UID: challenge.UID,`
			`}, nil`
			`}`

			`func (uc *loginMFAChallengeUseCase) Delete(ctx context.Context, challengeID string) error {`
			`if challengeID == "" {`
			`return errb.InputMissingRequired("challenge_id is required")`
			`}`
			`if err := uc.store.Delete(ctx, challengeID); err != nil {`
			`return wrapRepoErr(err, "delete login mfa challenge failed")`
			`}`
			`return nil`
			`}`

			`var _ domusecase.LoginMFAChallengeUseCase = (*loginMFAChallengeUseCase)(nil)`