# nanobot-auth-service

Standalone phone/password auth service for nanobot web chat.

## Features

- `POST /auth/register` (phone + password + verification code; returns pending)
- `POST /auth/login`
- `GET /auth/me` (Bearer token)
- `GET /auth/register/status/{request_id}`
- `GET /admin/requests` (admin key required)
- `POST /admin/requests/{id}/approve` (admin key required)
- `POST /admin/requests/{id}/reject` (admin key required)
- SQLite persistence
- JWT access tokens

## Quick Start

```bash
cd nanobot-auth-service
pip install -e .
cp .env.example .env
source .env
uvicorn app.main:app --host "${AUTH_HOST:-0.0.0.0}" --port "${AUTH_PORT:-9100}"
```

## Env Vars

- `AUTH_DB_PATH`: SQLite file path
- `AUTH_JWT_SECRET`: JWT signing secret
- `AUTH_TOKEN_TTL_HOURS`: access token TTL in hours
- `AUTH_CORS_ORIGINS`: comma-separated origins or `*`
- `AUTH_VERIFICATION_CODES`: comma-separated whitelist (empty means no whitelist check)
- `AUTH_ADMIN_KEY`: required by admin endpoints
- `AUTH_HOST`: bind host (run command)
- `AUTH_PORT`: bind port (run command)

## API Contract

`POST /auth/register`

```json
{
  "phone": "13800000000",
  "password": "secret123",
  "verification_code": "code-a"
}
```

Response:

```json
{
  "ok": true,
  "status": "pending",
  "request_id": 1,
  "message": "pending review"
}
```

Manual approval flow (operator terminal):

```bash
cd nanobot-auth-service
python app/manual_review.py
```

The script lists pending requests and asks for each item:

- input `y` => approve and create user
- input `r` => reject with reason
- any other input => skip

`POST /auth/login` has the same request/response shape.

`GET /auth/me`

Header:

```http
Authorization: Bearer <token>
```

Response:

```json
{
  "ok": true,
  "user": {"id": 1, "phone": "13800000000"}
}
```
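Several of the settings under Env Vars decide how exposed the service is: the JWT secret, the admin key, the CORS origins, the verification-code whitelist and the token TTL. The following pre-start check is an added example, not part of nanobot-auth-service; the function name `audit_auth_env`, the two thresholds and the sample values are assumptions made for illustration.

```python
"""Added example: audit the env vars from this README before starting the service."""
import os

MIN_SECRET_LEN = 32  # assumption: minimum length for a shared JWT signing secret
MAX_TTL_HOURS = 168  # assumption: flag access tokens that live longer than a week


def _csv(value):
    """Split a comma-separated setting, dropping empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_auth_env(env):
    """Return (variable, finding) pairs for settings that weaken the service."""
    findings = []
    secret = env.get("AUTH_JWT_SECRET", "")
    admin_key = env.get("AUTH_ADMIN_KEY", "")
    if len(secret) < MIN_SECRET_LEN:
        findings.append(("AUTH_JWT_SECRET", f"shorter than {MIN_SECRET_LEN} characters"))
    if not admin_key:
        findings.append(("AUTH_ADMIN_KEY", "unset, but the admin endpoints require it"))
    elif admin_key == secret:
        findings.append(("AUTH_ADMIN_KEY", "same value as AUTH_JWT_SECRET"))
    if "*" in _csv(env.get("AUTH_CORS_ORIGINS", "")):
        findings.append(("AUTH_CORS_ORIGINS", "wildcard allows every web origin"))
    if not _csv(env.get("AUTH_VERIFICATION_CODES", "")):
        findings.append(("AUTH_VERIFICATION_CODES", "empty, so the whitelist check is off"))
    try:
        ttl = float(env.get("AUTH_TOKEN_TTL_HOURS", ""))
        if not 0 < ttl <= MAX_TTL_HOURS:
            findings.append(("AUTH_TOKEN_TTL_HOURS", f"outside (0, {MAX_TTL_HOURS}] hours"))
    except ValueError:
        findings.append(("AUTH_TOKEN_TTL_HOURS", "unset or not a number"))
    return findings


# Constructed sample settings (not taken from the project's .env.example).
WEAK = {"AUTH_JWT_SECRET": "changeme", "AUTH_ADMIN_KEY": "changeme",
        "AUTH_CORS_ORIGINS": "*", "AUTH_VERIFICATION_CODES": "",
        "AUTH_TOKEN_TTL_HOURS": "720"}
HARDENED = {"AUTH_JWT_SECRET": "constructed-example-secret-0123456789abcdef",
            "AUTH_ADMIN_KEY": "constructed-example-admin-key-fedcba9876543210",
            "AUTH_CORS_ORIGINS": "https://chat.example.com",
            "AUTH_VERIFICATION_CODES": "code-a,code-b",
            "AUTH_TOKEN_TTL_HOURS": "12"}

if __name__ == "__main__":
    # Audits the current environment; variables must be exported to be visible here.
    for name, finding in audit_auth_env(os.environ):
        print(f"[!] {name}: {finding}")
```

Run it from the shell that will start `uvicorn`, after the variables are exported, and treat any printed finding as a reason not to start the service until the setting is changed.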