feat: remove OTP gate from transactions, fix categories auth, add implementation plan

- Remove OtpGateGuard from transactions controller (OTP verified at login)
- Fix categories controller to use authenticated user instead of TEMP_USER_ID
- Add comprehensive implementation plan document
- Update .env.example with WEB_APP_URL
- Prepare for admin dashboard development

apps/api/dist/otp/otp.controller.js

@@ -0,0 +1,200 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OtpController = exports.Public = exports.IS_PUBLIC_KEY = void 0;
+const common_1 = require("@nestjs/common");
+const jwt_1 = require("@nestjs/jwt");
+const auth_guard_1 = require("../auth/auth.guard");
+const otp_service_1 = require("./otp.service");
+exports.IS_PUBLIC_KEY = 'isPublic';
+const Public = () => (0, common_1.SetMetadata)(exports.IS_PUBLIC_KEY, true);
+exports.Public = Public;
+let OtpController = class OtpController {
+    otpService;
+    jwtService;
+    constructor(otpService, jwtService) {
+        this.otpService = otpService;
+        this.jwtService = jwtService;
+    }
+    async getStatus(req) {
+        return this.otpService.getStatus(req.user.userId);
+    }
+    async sendEmailOtp(req) {
+        return this.otpService.sendEmailOtp(req.user.userId);
+    }
+    async verifyEmailOtp(req, body) {
+        return this.otpService.verifyEmailOtp(req.user.userId, body.code);
+    }
+    async disableEmailOtp(req) {
+        return this.otpService.disableEmailOtp(req.user.userId);
+    }
+    async setupTotp(req) {
+        return this.otpService.setupTotp(req.user.userId);
+    }
+    async verifyTotp(req, body) {
+        return this.otpService.verifyTotp(req.user.userId, body.code);
+    }
+    async disableTotp(req) {
+        return this.otpService.disableTotp(req.user.userId);
+    }
+    async sendWhatsappOtp(req, body) {
+        return this.otpService.sendWhatsappOtp(req.user.userId, body.mode || 'test');
+    }
+    async verifyWhatsappOtp(req, body) {
+        return this.otpService.verifyWhatsappOtp(req.user.userId, body.code);
+    }
+    async disableWhatsappOtp(req) {
+        return this.otpService.disableWhatsappOtp(req.user.userId);
+    }
+    async checkWhatsappNumber(body) {
+        return this.otpService.checkWhatsappNumber(body.phone);
+    }
+    async resendEmailOtp(body) {
+        try {
+            const payload = this.jwtService.verify(body.tempToken);
+            if (!payload.temp) {
+                throw new common_1.UnauthorizedException('Invalid token type');
+            }
+            const userId = payload.userId || payload.sub;
+            if (!userId) {
+                throw new common_1.UnauthorizedException('Invalid token payload');
+            }
+            return this.otpService.sendEmailOtp(userId);
+        }
+        catch {
+            throw new common_1.UnauthorizedException('Invalid or expired token');
+        }
+    }
+    async resendWhatsappOtp(body) {
+        try {
+            const payload = this.jwtService.verify(body.tempToken);
+            if (!payload.temp) {
+                throw new common_1.UnauthorizedException('Invalid token type');
+            }
+            const userId = payload.userId || payload.sub;
+            if (!userId) {
+                throw new common_1.UnauthorizedException('Invalid token payload');
+            }
+            return this.otpService.sendWhatsappOtp(userId, 'live');
+        }
+        catch {
+            throw new common_1.UnauthorizedException('Invalid or expired token');
+        }
+    }
+};
+exports.OtpController = OtpController;
+__decorate([
+    (0, common_1.Get)('status'),
+    __param(0, (0, common_1.Req)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object]),
+    __metadata("design:returntype", Promise)
+], OtpController.prototype, "getStatus", null);
+__decorate([
+    (0, common_1.Post)('email/send'),
+    __param(0, (0, common_1.Req)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object]),
+    __metadata("design:returntype", Promise)
+], OtpController.prototype, "sendEmailOtp", null);
+__decorate([
+    (0, common_1.Post)('email/verify'),
+    __param(0, (0, common_1.Req)()),
+    __param(1, (0, common_1.Body)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object, Object]),
+    __metadata("design:returntype", Promise)
+], OtpController.prototype, "verifyEmailOtp", null);
+__decorate([
+    (0, common_1.Post)('email/disable'),
+    __param(0, (0, common_1.Req)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object]),
+    __metadata("design:returntype", Promise)
+], OtpController.prototype, "disableEmailOtp", null);
+__decorate([
+    (0, common_1.Post)('totp/setup'),
+    __param(0, (0, common_1.Req)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object]),
+    __metadata("design:returntype", Promise)
+], OtpController.prototype, "setupTotp", null);
+__decorate([
+    (0, common_1.Post)('totp/verify'),
+    __param(0, (0, common_1.Req)()),
+    __param(1, (0, common_1.Body)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object, Object]),
+    __metadata("design:returntype", Promise)
+], OtpController.prototype, "verifyTotp", null);
+__decorate([
+    (0, common_1.Post)('totp/disable'),
+    __param(0, (0, common_1.Req)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object]),
+    __metadata("design:returntype", Promise)
+], OtpController.prototype, "disableTotp", null);
+__decorate([
+    (0, common_1.Post)('whatsapp/send'),
+    __param(0, (0, common_1.Req)()),
+    __param(1, (0, common_1.Body)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object, Object]),
+    __metadata("design:returntype", Promise)
+], OtpController.prototype, "sendWhatsappOtp", null);
+__decorate([
+    (0, common_1.Post)('whatsapp/verify'),
+    __param(0, (0, common_1.Req)()),
+    __param(1, (0, common_1.Body)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object, Object]),
+    __metadata("design:returntype", Promise)
+], OtpController.prototype, "verifyWhatsappOtp", null);
+__decorate([
+    (0, common_1.Post)('whatsapp/disable'),
+    __param(0, (0, common_1.Req)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object]),
+    __metadata("design:returntype", Promise)
+], OtpController.prototype, "disableWhatsappOtp", null);
+__decorate([
+    (0, common_1.Post)('whatsapp/check'),
+    __param(0, (0, common_1.Body)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object]),
+    __metadata("design:returntype", Promise)
+], OtpController.prototype, "checkWhatsappNumber", null);
+__decorate([
+    (0, exports.Public)(),
+    (0, common_1.Post)('email/resend'),
+    __param(0, (0, common_1.Body)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object]),
+    __metadata("design:returntype", Promise)
+], OtpController.prototype, "resendEmailOtp", null);
+__decorate([
+    (0, exports.Public)(),
+    (0, common_1.Post)('whatsapp/resend'),
+    __param(0, (0, common_1.Body)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object]),
+    __metadata("design:returntype", Promise)
+], OtpController.prototype, "resendWhatsappOtp", null);
+exports.OtpController = OtpController = __decorate([
+    (0, common_1.Controller)('otp'),
+    (0, common_1.UseGuards)(auth_guard_1.AuthGuard),
+    __metadata("design:paramtypes", [otp_service_1.OtpService,
+        jwt_1.JwtService])
+], OtpController);
+//# sourceMappingURL=otp.controller.js.map