package handlers import ( "encoding/json" "net/http" "regexp" ) var validLanguageCode = regexp.MustCompile(`^[a-z]{2,3}(_[A-Z]{2})?$`) var validOTPCode = regexp.MustCompile(`^\d{4,8}$`) // ListPhoneNumbers returns all phone numbers for the account. // POST /api/phone-numbers {"account_id"} func (h *Handlers) ListPhoneNumbers(w http.ResponseWriter, r *http.Request) { if r.Method != http.MethodPost { http.Error(w, "Method not allowed", http.StatusMethodNotAllowed) return } var req struct { AccountID string `json:"account_id"` } if err := json.NewDecoder(r.Body).Decode(&req); err != nil { http.Error(w, err.Error(), http.StatusBadRequest) return } baClient, err := h.getBusinessAPIClient(req.AccountID) if err != nil { http.Error(w, err.Error(), http.StatusBadRequest) return } resp, err := baClient.ListPhoneNumbers(r.Context()) if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } writeJSON(w, resp) } // RequestVerificationCode sends a verification code to a phone number. // POST /api/phone-numbers/request-code {"account_id","phone_number_id","method":"SMS"|"VOICE"} func (h *Handlers) RequestVerificationCode(w http.ResponseWriter, r *http.Request) { if r.Method != http.MethodPost { http.Error(w, "Method not allowed", http.StatusMethodNotAllowed) return } var req struct { AccountID string `json:"account_id"` PhoneNumberID string `json:"phone_number_id"` Method string `json:"code_method"` // "SMS" or "VOICE" Language string `json:"language"` } if err := json.NewDecoder(r.Body).Decode(&req); err != nil { http.Error(w, err.Error(), http.StatusBadRequest) return } if req.PhoneNumberID == "" || req.Method == "" { http.Error(w, "phone_number_id and code_method are required", http.StatusBadRequest) return } if req.Method != "SMS" && req.Method != "VOICE" { http.Error(w, "code_method must be SMS or VOICE", http.StatusBadRequest) return } if req.Language == "" || !validLanguageCode.MatchString(req.Language) { req.Language = "en_US" } baClient, err := h.getBusinessAPIClient(req.AccountID) if err != nil { http.Error(w, err.Error(), http.StatusBadRequest) return } if err := baClient.RequestVerificationCode(r.Context(), req.PhoneNumberID, req.Method, req.Language); err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } writeJSON(w, map[string]string{"status": "ok"}) } // VerifyCode verifies a phone number with the code received. // POST /api/phone-numbers/verify-code {"account_id","phone_number_id","code"} func (h *Handlers) VerifyCode(w http.ResponseWriter, r *http.Request) { if r.Method != http.MethodPost { http.Error(w, "Method not allowed", http.StatusMethodNotAllowed) return } var req struct { AccountID string `json:"account_id"` PhoneNumberID string `json:"phone_number_id"` Code string `json:"code"` } if err := json.NewDecoder(r.Body).Decode(&req); err != nil { http.Error(w, err.Error(), http.StatusBadRequest) return } if req.PhoneNumberID == "" || req.Code == "" { http.Error(w, "phone_number_id and code are required", http.StatusBadRequest) return } if !validOTPCode.MatchString(req.Code) { http.Error(w, "code must be 4-8 digits", http.StatusBadRequest) return } baClient, err := h.getBusinessAPIClient(req.AccountID) if err != nil { http.Error(w, err.Error(), http.StatusBadRequest) return } if err := baClient.VerifyCode(r.Context(), req.PhoneNumberID, req.Code); err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } writeJSON(w, map[string]string{"status": "ok"}) } // RegisterPhoneNumber registers a phone number with the WhatsApp Cloud API. // POST /api/phone-numbers/register {"account_id","phone_number_id","pin"} func (h *Handlers) RegisterPhoneNumber(w http.ResponseWriter, r *http.Request) { if r.Method != http.MethodPost { http.Error(w, "Method not allowed", http.StatusMethodNotAllowed) return } var req struct { AccountID string `json:"account_id"` PhoneNumberID string `json:"phone_number_id"` Pin string `json:"pin"` // 6-digit two-step verification PIN } if err := json.NewDecoder(r.Body).Decode(&req); err != nil { http.Error(w, err.Error(), http.StatusBadRequest) return } if req.PhoneNumberID == "" { http.Error(w, "phone_number_id is required", http.StatusBadRequest) return } if !validOTPCode.MatchString(req.Pin) { http.Error(w, "pin must be 4-8 digits", http.StatusBadRequest) return } baClient, err := h.getBusinessAPIClient(req.AccountID) if err != nil { http.Error(w, err.Error(), http.StatusBadRequest) return } if err := baClient.RegisterPhoneNumber(r.Context(), req.PhoneNumberID, req.Pin); err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } writeJSON(w, map[string]string{"status": "ok"}) }