# Phase 10 Rollback — Real-time OTP via SMS (MSG91)

## What Phase 10 Added

**New files:**
- `app/Services/SmsService.php` — SMS driver abstraction (MSG91 + log drivers)
- `rollback/phase-10/env-additions.txt` — .env template

**Modified files:**
- `app/Http/Controllers/Api/AuthController.php` — `signUp`, `resendOtp`, `forgotPassword` now call SMS
- `config/services.php` — added `sms.*` config block

**Database changes:** NONE

**Environment:**
- New env vars: `SMS_DRIVER`, `MSG91_AUTH_KEY`, `MSG91_TEMPLATE_ID`, `MSG91_SENDER_ID`, `DEV_OTP_IN_RESPONSE`
- Without setting `SMS_DRIVER=msg91`, the service defaults to `log` (writes OTP to `storage/logs/laravel.log` — safe for dev)

## How to Roll Back (Local)

```bash
cd c:/xampp/htdocs/Android_App/pmwani_mobile_app_backend

# 1. Restore files
cp rollback/phase-10/AuthController.php.before app/Http/Controllers/Api/AuthController.php
cp rollback/phase-10/services.php.before config/services.php

# 2. Delete new service
rm app/Services/SmsService.php

# 3. Clear cache
php artisan config:clear
```

This returns the app to the Phase 9 state (OTP is generated, but no SMS is sent).

## Impact If NOT Rolled Back

- **With default env (`SMS_DRIVER=log`):** No behavior change. OTP is logged instead of sent. `signUp` response still returns OTP if `DEV_OTP_IN_RESPONSE=true`.
- **With `SMS_DRIVER=msg91` + credentials:** Real SMS sent to user phone. OTP NOT in response by default.
- **With `SMS_DRIVER=msg91` WITHOUT credentials:** The send fails silently (the failure is only logged), signup still succeeds, and the user sees an "OTP delivery delayed" message.

## Setup Guide (MSG91 Production)

### Step 1: Sign up at MSG91
Go to https://msg91.com → create account → verify your business.

### Step 2: Complete DLT Registration (mandatory in India)
- MSG91 dashboard → DLT Menu → guided registration
- Takes 1-3 business days
- Requires business PAN + signed declaration

### Step 3: Create OTP Template
- MSG91 → Flows → Create OTP Flow
- Template example: `Your PM-WANI OTP is ##OTP##. Valid for 10 minutes. Do not share this code.`
- Template ID looks like: `645abc1234def5678`

### Step 4: Get Auth Key
- MSG91 → Settings → API → copy Auth Key

### Step 5: Add to Server `.env`
```bash
ssh immunity@147.93.30.127 -p 21212
cd /var/www/mobile_app_backend
sudo nano .env

# Append:
SMS_DRIVER=msg91
MSG91_AUTH_KEY=paste_your_auth_key_here
MSG91_TEMPLATE_ID=paste_your_template_id
MSG91_SENDER_ID=WANIAP
DEV_OTP_IN_RESPONSE=false

# Save and clear cache
sudo php artisan config:clear
```

### Step 6: Test
```bash
curl -X POST https://flutter.pmwani.net/api/signup \
  -d "first_name=Test&last_name=User&email=test@example.com&phone=9999999999&password=pass1234"
```
Expected:
- SMS arrives on phone in <30 seconds
- Response: `{"status":true, "message":"OTP sent to ...", "sms_delivered":true}`
- NO `otp` field in response (safe for production)

## Server Deployment Commands

```bash
cd c:/xampp/htdocs/Android_App/pmwani_mobile_app_backend

# 1. Create Services directory
ssh immunity@147.93.30.127 -p 21212 "sudo mkdir -p /var/www/mobile_app_backend/app/Services"

# 2. Upload via staging (immunity user can't write to /var/www directly)
scp -P 21212 app/Services/SmsService.php immunity@147.93.30.127:/tmp/SmsService.php
scp -P 21212 app/Http/Controllers/Api/AuthController.php immunity@147.93.30.127:/tmp/AuthController.php
scp -P 21212 config/services.php immunity@147.93.30.127:/tmp/services.php

# 3. Move with sudo
ssh immunity@147.93.30.127 -p 21212 "\
  sudo cp /tmp/SmsService.php /var/www/mobile_app_backend/app/Services/SmsService.php && \
  sudo cp /tmp/AuthController.php /var/www/mobile_app_backend/app/Http/Controllers/Api/AuthController.php && \
  sudo cp /tmp/services.php /var/www/mobile_app_backend/config/services.php && \
  sudo chown www-data:www-data /var/www/mobile_app_backend/app/Services/SmsService.php /var/www/mobile_app_backend/app/Http/Controllers/Api/AuthController.php /var/www/mobile_app_backend/config/services.php && \
  cd /var/www/mobile_app_backend && sudo php artisan config:clear && sudo php artisan cache:clear"
```

## Server Rollback Commands

```bash
cd c:/xampp/htdocs/Android_App/pmwani_mobile_app_backend

# Upload backups to staging
scp -P 21212 rollback/phase-10/AuthController.php.before immunity@147.93.30.127:/tmp/AuthController.php
scp -P 21212 rollback/phase-10/services.php.before immunity@147.93.30.127:/tmp/services.php

# Restore with sudo, delete new service
ssh immunity@147.93.30.127 -p 21212 "\
  sudo cp /tmp/AuthController.php /var/www/mobile_app_backend/app/Http/Controllers/Api/AuthController.php && \
  sudo cp /tmp/services.php /var/www/mobile_app_backend/config/services.php && \
  sudo rm /var/www/mobile_app_backend/app/Services/SmsService.php && \
  cd /var/www/mobile_app_backend && sudo php artisan config:clear"
```

## Important Notes

- **OTP delivery time:** MSG91 typically delivers OTP SMS in 3-10 seconds, well under PM-WANI's 30-second requirement.
- **Failure handling:** If SMS fails, signup still SUCCEEDS (user can retry resend-otp). We never block account creation on SMS delivery.
- **Security:** `DEV_OTP_IN_RESPONSE=false` in production. Critical: if the OTP is returned in the API response, the caller never needs access to the phone, so anyone can verify an account with someone else's number.
- **Rate limiting:** signup + resend-otp already rate-limited to 10 req/min per IP (Phase 0).
- **Cost:** Each OTP SMS = ~₹0.15-0.25. Budget for ~10-20% false starts (users who don't verify).
- **Failure monitoring:** All SMS attempts log to `storage/logs/laravel.log`. Search for `sms.msg91.send_failed` to spot issues.
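As an added preflight check (not part of the project's code), the following POSIX shell script reads a `.env` file and flags the unsafe combinations described in the Impact and Important Notes sections: OTP echoed in a production response, `msg91` selected without credentials, and the `log` driver left on a production host. It assumes the standard Laravel `APP_ENV` variable, with `production` marking the live server.

```shell
#!/bin/sh
# Preflight check for the Phase 10 SMS settings in a Laravel .env file.
# Assumes the standard Laravel APP_ENV variable ("production" marks the live server).
# env_value FILE KEY: print KEY's value from FILE (last definition wins, surrounding quotes stripped)
env_value() {
  grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | sed -e 's/^[^=]*=//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'$/\1/"
}
# check_sms_env FILE: return 0 if the SMS settings are safe, 1 otherwise; print each finding
check_sms_env() {
  file=$1
  rc=0
  app_env=$(env_value "$file" APP_ENV)
  driver=$(env_value "$file" SMS_DRIVER)
  auth_key=$(env_value "$file" MSG91_AUTH_KEY)
  template=$(env_value "$file" MSG91_TEMPLATE_ID)
  dev_otp=$(env_value "$file" DEV_OTP_IN_RESPONSE)
  # Rule 1: production must never echo the OTP in the API response
  if [ "$app_env" = "production" ] && [ "$dev_otp" = "true" ]; then
    echo "FAIL: DEV_OTP_IN_RESPONSE=true on a production host (OTP leaks via the API)"; rc=1
  fi
  # Rule 2: msg91 selected without real credentials -> every send fails (silently, only logged)
  if [ "$driver" = "msg91" ]; then
    if [ -z "$auth_key" ] || [ "$auth_key" = "paste_your_auth_key_here" ]; then
      echo "FAIL: SMS_DRIVER=msg91 but MSG91_AUTH_KEY is empty or still the placeholder"; rc=1
    fi
    if [ -z "$template" ] || [ "$template" = "paste_your_template_id" ]; then
      echo "FAIL: SMS_DRIVER=msg91 but MSG91_TEMPLATE_ID is empty or still the placeholder"; rc=1
    fi
  # Rule 3: log driver (or unset) in production means OTPs never leave laravel.log
  elif [ "$app_env" = "production" ]; then
    echo "FAIL: production host uses SMS_DRIVER=${driver:-log}; OTPs only reach laravel.log"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $file passes the SMS preflight"
  return "$rc"
}
# Constructed sample (not a real server .env): the Step 5 template pasted without filling in the key
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
APP_ENV=production
SMS_DRIVER=msg91
MSG91_AUTH_KEY=paste_your_auth_key_here
MSG91_TEMPLATE_ID=645abc1234def5678
DEV_OTP_IN_RESPONSE=true
EOF
check_sms_env "$tmp" || echo "Preflight failed: do not deploy this .env"
rm -f "$tmp"
```

Run it against the server's `.env` before `php artisan config:clear` in Step 5; a non-zero exit means one of the three rules above is violated.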
