Status: Closed (closed by r00dgirl 10 months ago)
As a first step, I wonder if we can set a JWT-based session cookie containing the formId, the verified contents of the field (e.g. email or phone number), and an expiry time when a verification request succeeds.
The next time the user enters the same verified contents and tries to do verification, we immediately consider the verification to succeed if the JWT cookie is present, and do not send any verification emails or SMS. The session ends when the user closes the browser window or tab.
Next, we can get the client to read the JWT and pre-fill the relevant fields if possible.
Discussion
For my own reference, most of the logic for verification is in https://github.com/opengovsg/FormSG/blob/develop/src/app/modules/verification/verification.service.ts
An implementation might be:

- `verifyOtp`: we generate a signed and encrypted cookie containing the verified recipient string and type (i.e. a phone # or an email) and an expiration time, and we store that cookie on the client.
- `sendOtp`: we check whether that cookie exists, and if it does, decrypt it and compare the verified recipient string to the new recipient. If it all checks out, we return the signedData immediately instead of sending the SMS. If it doesn't, we proceed as usual.

We will need an additional checkbox after the user clicks "Send SMS" etc. to ask the user whether they want to persist their "verification" for the browser session or next 30 minutes.
Here is a more detailed doc describing a potential workflow: https://docs.google.com/document/d/1tayeHx1oBJbsgw0uKhuZB9RQ7xaSrpVKo8UnICwTCUk/edit?usp=sharing
Moved to linear
So that respondents will not have to repeatedly verify their email if their job is to complete many form submissions at one go - repeated data submission by authorised persons only e.g.
maybe:
optionally: