Optionally persist email OTP verification about formsg HOT 6 CLOSED

As a first step, I wonder if we can set a JWT-based session cookie containing the formId, the verified contents of the field (e.g. email or phone number), and an expiry time when a verification request succeeds.

The next time the user enters the same verified contents and tries to do verification, we immediately considers the verification to succeed if the JWT cookie is present and not send any verification emails or SMS. The session ends when the user closes the browser window or tab.

Next, we can get the client to read the JWT and pre-fill the relevant fields if possible.

from formsg.

Discussion

1. Figure out how to have this work with E2EE and webhooks
2. To cater for public library use case

from formsg.

For my own reference, most of the logic for verification is in https://github.com/opengovsg/FormSG/blob/develop/src/app/modules/verification/verification.service.ts

from formsg.

An implementation might be:

1. Upon request in verifyOtp, we generate a signed and encrypted cookie containing the verified recipient string and type (i.e. a phone # or an email) and an expiration time, and we store that cookie on the client.
2. When the client next requests an OTP with sendOtp, we check whether that cookie exists, and if it does, decrypt it and compare the verified recipient string to the new recipient. If it all checks out, we return the signedData immediately instead of sending the SMS. If it doesn't, we proceed as usual.

We will need an additional checkbox after the user clicks "Send SMS" etc to ask the user whether they want to persist their "verification" for the browser session or next 30 minutes.

from formsg.

Here is a more detailed doc describing a potential workflow: https://docs.google.com/document/d/1tayeHx1oBJbsgw0uKhuZB9RQ7xaSrpVKo8UnICwTCUk/edit?usp=sharing

from formsg.

Moved to linear

from formsg.