feat(auth): switch signup to OTP verification flow

Replace legacy signup with start/verify/resend endpoints, add OTP-focused mail templates and auth rate limits, and align compose/env/runbook for local self-hosted Supabase OTP behavior.

backend/tests/integration/test_auth_routes.py

@@ -3,6 +3,7 @@ from __future__ import annotations
 from typing import Callable
 from uuid import UUID
 
+import pytest
 from fastapi import HTTPException
 from fastapi.testclient import TestClient
 
@@ -10,24 +11,48 @@ from app import app
 from core.auth.models import CurrentUser
 from v1.auth.dependencies import get_auth_service
 from v1.profile.dependencies import get_current_user
+from v1.auth.rate_limit import reset_rate_limit_state
 from v1.auth.schemas import (
+    AuthResendCodeResponse,
+    AuthSignupStartResponse,
     AuthTokenResponse,
     AuthUserByEmailResponse,
     AuthUser,
     LoginRequest,
     RefreshRequest,
-    SignupRequest,
+    SignupResendRequest,
+    SignupStartRequest,
+    SignupVerifyRequest,
 )
 from v1.auth.service import AuthService
 
 
+@pytest.fixture(autouse=True)
+def reset_auth_rate_limit_state() -> None:
+    reset_rate_limit_state()
+
+
 class FakeAuthService(AuthService):
     def __init__(self, token_response: AuthTokenResponse) -> None:
         self._token_response = token_response
 
-    async def signup(self, request: SignupRequest) -> AuthTokenResponse:
+    async def signup_start(
+        self, request: SignupStartRequest
+    ) -> AuthSignupStartResponse:
+        if request.email == "exists@example.com":
+            raise HTTPException(status_code=422, detail="Invalid signup request")
+        return AuthSignupStartResponse(email=request.email)
+
+    async def signup_verify(self, request: SignupVerifyRequest) -> AuthTokenResponse:
+        if request.token == "000000":
+            raise HTTPException(status_code=401, detail="Invalid verification code")
         return self._token_response
 
+    async def signup_resend(
+        self, request: SignupResendRequest
+    ) -> AuthResendCodeResponse:
+        return AuthResendCodeResponse()
+
     async def login(self, request: LoginRequest) -> AuthTokenResponse:
         raise HTTPException(status_code=401, detail="Invalid credentials")
 
@@ -55,7 +80,7 @@ def _override_auth_service(service: AuthService) -> Callable[[], AuthService]:
     return _get_service
 
 
-def test_signup_returns_token_response() -> None:
+def test_signup_start_returns_pending_response() -> None:
     user = AuthUser(id="user-1", email="user@example.com")
     token_response = AuthTokenResponse(
         access_token="access",
@@ -71,13 +96,40 @@ def test_signup_returns_token_response() -> None:
     client = TestClient(app)
     try:
         response = client.post(
-            "/api/v1/auth/signup",
+            "/api/v1/auth/signup/start",
             json={
                 "username": "demo",
                 "email": "user@example.com",
                 "password": "secret123",
             },
         )
+        assert response.status_code == 202
+        body = response.json()
+        assert body["status"] == "pending_verification"
+        assert body["email"] == "user@example.com"
+    finally:
+        app.dependency_overrides = {}
+
+
+def test_signup_verify_returns_token_response() -> None:
+    user = AuthUser(id="user-1", email="user@example.com")
+    token_response = AuthTokenResponse(
+        access_token="access",
+        refresh_token="refresh",
+        expires_in=3600,
+        token_type="bearer",
+        user=user,
+    )
+    app.dependency_overrides[get_auth_service] = _override_auth_service(
+        FakeAuthService(token_response)
+    )
+
+    client = TestClient(app)
+    try:
+        response = client.post(
+            "/api/v1/auth/signup/verify",
+            json={"email": "user@example.com", "token": "123456"},
+        )
         assert response.status_code == 200
         body = response.json()
         assert body["access_token"] == "access"
@@ -87,6 +139,200 @@ def test_signup_returns_token_response() -> None:
         app.dependency_overrides = {}
 
 
+def test_signup_resend_returns_generic_message() -> None:
+    user = AuthUser(id="user-1", email="user@example.com")
+    token_response = AuthTokenResponse(
+        access_token="access",
+        refresh_token="refresh",
+        expires_in=3600,
+        token_type="bearer",
+        user=user,
+    )
+    app.dependency_overrides[get_auth_service] = _override_auth_service(
+        FakeAuthService(token_response)
+    )
+
+    client = TestClient(app)
+    try:
+        response = client.post(
+            "/api/v1/auth/signup/resend",
+            json={"email": "user@example.com"},
+        )
+        assert response.status_code == 200
+        body = response.json()
+        assert (
+            body["message"] == "If the email exists, a verification code has been sent"
+        )
+    finally:
+        app.dependency_overrides = {}
+
+
+def test_signup_verify_invalid_token_returns_problem_details() -> None:
+    user = AuthUser(id="user-1", email="user@example.com")
+    token_response = AuthTokenResponse(
+        access_token="access",
+        refresh_token="refresh",
+        expires_in=3600,
+        token_type="bearer",
+        user=user,
+    )
+    app.dependency_overrides[get_auth_service] = _override_auth_service(
+        FakeAuthService(token_response)
+    )
+
+    client = TestClient(app)
+    try:
+        response = client.post(
+            "/api/v1/auth/signup/verify",
+            json={"email": "user@example.com", "token": "000000"},
+        )
+        assert response.status_code == 401
+        assert response.headers["content-type"].startswith("application/problem+json")
+        body = response.json()
+        assert body["title"] == "Unauthorized"
+        assert body["status"] == 401
+        assert body["detail"] == "Invalid verification code"
+    finally:
+        app.dependency_overrides = {}
+
+
+def test_signup_start_existing_email_returns_problem_details() -> None:
+    user = AuthUser(id="user-1", email="user@example.com")
+    token_response = AuthTokenResponse(
+        access_token="access",
+        refresh_token="refresh",
+        expires_in=3600,
+        token_type="bearer",
+        user=user,
+    )
+    app.dependency_overrides[get_auth_service] = _override_auth_service(
+        FakeAuthService(token_response)
+    )
+
+    client = TestClient(app)
+    try:
+        response = client.post(
+            "/api/v1/auth/signup/start",
+            json={
+                "username": "demo",
+                "email": "exists@example.com",
+                "password": "secret123",
+            },
+        )
+        assert response.status_code == 422
+        assert response.headers["content-type"].startswith("application/problem+json")
+        body = response.json()
+        assert body["title"] == "Unprocessable Content"
+        assert body["status"] == 422
+        assert body["detail"] == "Invalid signup request"
+    finally:
+        app.dependency_overrides = {}
+
+
+def test_signup_verify_rate_limited_after_too_many_attempts() -> None:
+    user = AuthUser(id="user-1", email="user@example.com")
+    token_response = AuthTokenResponse(
+        access_token="access",
+        refresh_token="refresh",
+        expires_in=3600,
+        token_type="bearer",
+        user=user,
+    )
+    app.dependency_overrides[get_auth_service] = _override_auth_service(
+        FakeAuthService(token_response)
+    )
+
+    client = TestClient(app)
+    try:
+        for _ in range(10):
+            ok = client.post(
+                "/api/v1/auth/signup/verify",
+                json={"email": "user@example.com", "token": "123456"},
+            )
+            assert ok.status_code == 200
+
+        blocked = client.post(
+            "/api/v1/auth/signup/verify",
+            json={"email": "user@example.com", "token": "123456"},
+        )
+        assert blocked.status_code == 429
+        assert blocked.headers["content-type"].startswith("application/problem+json")
+    finally:
+        app.dependency_overrides = {}
+
+
+def test_signup_resend_rate_limited_after_too_many_attempts() -> None:
+    user = AuthUser(id="user-1", email="user@example.com")
+    token_response = AuthTokenResponse(
+        access_token="access",
+        refresh_token="refresh",
+        expires_in=3600,
+        token_type="bearer",
+        user=user,
+    )
+    app.dependency_overrides[get_auth_service] = _override_auth_service(
+        FakeAuthService(token_response)
+    )
+
+    client = TestClient(app)
+    try:
+        for _ in range(3):
+            ok = client.post(
+                "/api/v1/auth/signup/resend",
+                json={"email": "user@example.com"},
+            )
+            assert ok.status_code == 200
+
+        blocked = client.post(
+            "/api/v1/auth/signup/resend",
+            json={"email": "user@example.com"},
+        )
+        assert blocked.status_code == 429
+        assert blocked.headers["content-type"].startswith("application/problem+json")
+    finally:
+        app.dependency_overrides = {}
+
+
+def test_signup_start_rate_limited_after_too_many_attempts() -> None:
+    user = AuthUser(id="user-1", email="user@example.com")
+    token_response = AuthTokenResponse(
+        access_token="access",
+        refresh_token="refresh",
+        expires_in=3600,
+        token_type="bearer",
+        user=user,
+    )
+    app.dependency_overrides[get_auth_service] = _override_auth_service(
+        FakeAuthService(token_response)
+    )
+
+    client = TestClient(app)
+    try:
+        for _ in range(5):
+            ok = client.post(
+                "/api/v1/auth/signup/start",
+                json={
+                    "username": "demo",
+                    "email": "user@example.com",
+                    "password": "secret123",
+                },
+            )
+            assert ok.status_code == 202
+
+        blocked = client.post(
+            "/api/v1/auth/signup/start",
+            json={
+                "username": "demo",
+                "email": "user@example.com",
+                "password": "secret123",
+            },
+        )
+        assert blocked.status_code == 429
+        assert blocked.headers["content-type"].startswith("application/problem+json")
+    finally:
+        app.dependency_overrides = {}
+
+
 def test_login_invalid_returns_problem_details() -> None:
     user = AuthUser(id="user-1", email="user@example.com")
     token_response = AuthTokenResponse(
@@ -170,7 +416,7 @@ def test_logout_returns_no_content() -> None:
         app.dependency_overrides = {}
 
 
-def test_signup_validation_error_returns_problem_details() -> None:
+def test_signup_start_validation_error_returns_problem_details() -> None:
     user = AuthUser(id="user-1", email="user@example.com")
     token_response = AuthTokenResponse(
         access_token="access",
@@ -185,7 +431,7 @@ def test_signup_validation_error_returns_problem_details() -> None:
 
     client = TestClient(app)
     try:
-        response = client.post("/api/v1/auth/signup", json={})
+        response = client.post("/api/v1/auth/signup/start", json={})
         assert response.status_code == 422
         assert response.headers["content-type"].startswith("application/problem+json")
         body = response.json()
@@ -196,7 +442,7 @@ def test_signup_validation_error_returns_problem_details() -> None:
         app.dependency_overrides = {}
 
 
-def test_signup_missing_username_returns_problem_details() -> None:
+def test_signup_start_missing_username_returns_problem_details() -> None:
     user = AuthUser(id="user-1", email="user@example.com")
     token_response = AuthTokenResponse(
         access_token="access",
@@ -212,7 +458,7 @@ def test_signup_missing_username_returns_problem_details() -> None:
     client = TestClient(app)
     try:
         response = client.post(
-            "/api/v1/auth/signup",
+            "/api/v1/auth/signup/start",
             json={"email": "user@example.com", "password": "secret123"},
         )
         assert response.status_code == 422