feat(service-professional): Add OTP-based authentication system for service professionals

- Add service professional authentication schema with phone and OTP validation models
- Implement service professional auth service with OTP generation, verification, and JWT token creation
- Create service professional router with send-otp, verify-otp, and logout endpoints
- Integrate WhatsApp OTP delivery via WATI for secure authentication
- Add comprehensive authentication guide with API documentation, setup instructions, and test data
- Register service professional routes in main application
- Support merchant context in JWT tokens for multi-tenant access control

SERVICE_PROFESSIONAL_AUTH_GUIDE.md

@@ -0,0 +1,343 @@
+# Service Professional Authentication Guide
+
+## Overview
+
+Complete end-to-end authentication system for service professionals (spa staff, salon staff, beauticians, therapists, etc.) using OTP-based login via WhatsApp.
+
+## Architecture
+
+### Collection
+- **Database**: `cuatrolabs_db`
+- **Collection**: `scm_service_professionals`
+- **Purpose**: Stores service professional profiles
+
+### Authentication Flow
+1. Service professional requests OTP via phone number
+2. System validates professional exists and is active
+3. OTP generated and sent via WhatsApp (WATI)
+4. OTP stored in Redis with 5-minute expiration
+5. Professional verifies OTP
+6. System generates JWT token with merchant context
+7. Professional can access protected endpoints
+
+## API Endpoints
+
+### 1. Send OTP
+```http
+POST /service-professional/send-otp
+Content-Type: application/json
+
+{
+  "phone": "+919876543210"
+}
+```
+
+**Response:**
+```json
+{
+  "success": true,
+  "message": "OTP sent successfully via WhatsApp",
+  "expires_in": 300
+}
+```
+
+### 2. Verify OTP & Login
+```http
+POST /service-professional/verify-otp
+Content-Type: application/json
+
+{
+  "phone": "+919876543210",
+  "otp": "123456"
+}
+```
+
+**Response:**
+```json
+{
+  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
+  "token_type": "bearer",
+  "expires_in": 86400,
+  "professional_info": {
+    "staff_id": "550e8400-e29b-41d4-a716-446655440001",
+    "staff_code": "SP001",
+    "name": "Priya Sharma",
+    "phone": "+919876543210",
+    "email": "priya.sharma@example.com",
+    "designation": "Senior Beautician",
+    "merchant_id": "550e8400-e29b-41d4-a716-446655440000",
+    "status": "active",
+    "user_type": "service_professional"
+  }
+}
+```
+
+### 3. Logout
+```http
+POST /service-professional/logout
+Authorization: Bearer {access_token}
+```
+
+**Response:**
+```json
+{
+  "success": true,
+  "message": "Service professional logged out successfully"
+}
+```
+
+## Sample Data
+
+### Test Professionals
+
+#### Active Professionals (Can Login)
+1. **Priya Sharma** - Senior Beautician
+   - Phone: `+919876543210`
+   - Skills: facial, makeup, hair_styling, manicure, pedicure
+
+2. **Rahul Verma** - Massage Therapist
+   - Phone: `+919876543211`
+   - Skills: swedish_massage, deep_tissue, aromatherapy, hot_stone
+
+3. **Anjali Patel** - Hair Stylist
+   - Phone: `+919876543212`
+   - Skills: hair_cut, hair_color, hair_treatment, styling, keratin
+
+4. **Vikram Singh** - Spa Manager
+   - Phone: `+919876543213`
+   - Skills: management, customer_service, scheduling, training
+
+5. **Meera Reddy** - Nail Technician
+   - Phone: `+919876543214`
+   - Skills: manicure, pedicure, nail_art, gel_nails, acrylic_nails
+
+6. **Arjun Kumar** - Fitness Trainer
+   - Phone: `+919876543215`
+   - Skills: personal_training, yoga, pilates, strength_training, cardio
+
+#### Inactive Professionals (Cannot Login)
+7. **Sneha Gupta** - Esthetician
+   - Phone: `+919876543216`
+   - Status: `inactive`
+   - Skills: facials, waxing, threading, skin_analysis, chemical_peels
+
+## Setup Instructions
+
+### 1. Create Sample Data
+```bash
+# Run the Python script to create sample professionals
+cd utils
+python create_sample_service_professionals.py
+```
+
+### 2. Manual MongoDB Insert
+```bash
+# Import JSON data directly
+mongoimport --db cuatrolabs_db \
+  --collection scm_service_professionals \
+  --file utils/sample_service_professionals.json \
+  --jsonArray
+```
+
+### 3. Verify Data
+```javascript
+// MongoDB shell
+use cuatrolabs_db
+db.scm_service_professionals.find().pretty()
+db.scm_service_professionals.countDocuments()
+```
+
+## Testing
+
+### Using cURL
+
+#### 1. Send OTP
+```bash
+curl -X POST http://localhost:8002/service-professional/send-otp \
+  -H "Content-Type: application/json" \
+  -d '{"phone": "+919876543210"}'
+```
+
+#### 2. Verify OTP (replace with actual OTP)
+```bash
+curl -X POST http://localhost:8002/service-professional/verify-otp \
+  -H "Content-Type: application/json" \
+  -d '{"phone": "+919876543210", "otp": "123456"}'
+```
+
+#### 3. Logout (replace TOKEN)
+```bash
+curl -X POST http://localhost:8002/service-professional/logout \
+  -H "Authorization: Bearer TOKEN"
+```
+
+### Using Python
+```python
+import requests
+
+# 1. Send OTP
+response = requests.post(
+    "http://localhost:8002/service-professional/send-otp",
+    json={"phone": "+919876543210"}
+)
+print(response.json())
+
+# 2. Verify OTP
+response = requests.post(
+    "http://localhost:8002/service-professional/verify-otp",
+    json={"phone": "+919876543210", "otp": "123456"}
+)
+data = response.json()
+token = data["access_token"]
+print(f"Token: {token}")
+
+# 3. Logout
+response = requests.post(
+    "http://localhost:8002/service-professional/logout",
+    headers={"Authorization": f"Bearer {token}"}
+)
+print(response.json())
+```
+
+## Security Features
+
+### OTP Security
+- **Expiration**: 5 minutes
+- **Attempts**: Maximum 3 attempts per OTP
+- **One-time use**: OTP deleted after successful verification
+- **Redis storage**: Secure temporary storage
+
+### Status Validation
+- Only `active` professionals can login
+- Inactive/suspended accounts are rejected
+- Status checked at both OTP send and verify stages
+
+### JWT Token
+- **Expiration**: 24 hours (configurable)
+- **Payload**: staff_id, staff_code, merchant_id, user_type
+- **Algorithm**: HS256
+- **Stateless**: No server-side session storage
+
+## Error Handling
+
+### Common Errors
+
+#### 404 - Professional Not Found
+```json
+{
+  "detail": "Service professional not found for this phone number"
+}
+```
+
+#### 403 - Inactive Account
+```json
+{
+  "detail": "Service professional account is inactive"
+}
+```
+
+#### 401 - Invalid OTP
+```json
+{
+  "detail": "Invalid OTP"
+}
+```
+
+#### 401 - Expired OTP
+```json
+{
+  "detail": "OTP has expired"
+}
+```
+
+#### 429 - Too Many Attempts
+```json
+{
+  "detail": "Too many attempts. Please request a new OTP"
+}
+```
+
+## Files Created
+
+### Schema
+- `app/auth/schemas/service_professional_auth.py`
+  - Request/response models
+  - Phone and OTP validation
+
+### Service
+- `app/auth/services/service_professional_auth_service.py`
+  - Business logic
+  - OTP generation and verification
+  - JWT token creation
+  - WhatsApp integration
+
+### Router
+- `app/auth/controllers/service_professional_router.py`
+  - API endpoints
+  - Request handling
+  - Error responses
+
+### Test Data
+- `utils/create_sample_service_professionals.py` - Python script
+- `utils/sample_service_professionals.json` - JSON data
+
+## Configuration
+
+### Environment Variables
+```env
+# WhatsApp OTP Settings
+WATI_STAFF_OTP_TEMPLATE_NAME=staff_otp_template
+
+# JWT Settings
+SECRET_KEY=your-secret-key
+ALGORITHM=HS256
+TOKEN_EXPIRATION_HOURS=24
+
+# Redis Settings
+REDIS_HOST=localhost
+REDIS_PORT=6379
+```
+
+## Integration Points
+
+### Dependencies
+- **MongoDB**: Professional data storage
+- **Redis**: OTP caching
+- **WATI**: WhatsApp OTP delivery
+- **JWT**: Token generation
+
+### Related Collections
+- `scm_service_professionals` - Professional profiles
+- `scm_merchants` - Merchant information
+
+## Monitoring & Logging
+
+### Log Events
+- `service_professional_mobile_otp_login` - Successful login
+- `service_professional_logout` - Logout event
+- OTP send/verify attempts
+- Failed authentication attempts
+
+### Metrics to Track
+- OTP delivery success rate
+- Login success rate
+- Average OTP verification time
+- Failed login attempts by phone
+
+## Future Enhancements
+
+### Potential Features
+1. **Refresh tokens** for extended sessions
+2. **Biometric authentication** for mobile apps
+3. **Multi-factor authentication** for sensitive operations
+4. **Session management** with Redis
+5. **Rate limiting** per phone number
+6. **Geolocation validation** for security
+7. **Device fingerprinting** for fraud detection
+
+## Support
+
+For issues or questions:
+- Check logs in `cuatrolabs-auth-ms/logs/`
+- Review Redis cache: `redis-cli KEYS "service_professional_otp:*"`
+- Verify MongoDB data: `db.scm_service_professionals.find()`

app/auth/controllers/service_professional_router.py

@@ -0,0 +1,260 @@
+"""
+Service Professional authentication router for mobile OTP login.
+Handles authentication for spa staff, salon staff, beauticians, therapists, etc.
+"""
+from fastapi import APIRouter, Depends, HTTPException, status, Request
+from datetime import timedelta
+from typing import Optional
+
+from app.auth.services.service_professional_auth_service import ServiceProfessionalAuthService
+from app.auth.schemas.service_professional_auth import (
+    ServiceProfessionalSendOTPRequest,
+    ServiceProfessionalSendOTPResponse,
+    ServiceProfessionalVerifyOTPRequest,
+    ServiceProfessionalAuthResponse
+)
+from app.core.config import settings
+from app.core.logging import get_logger
+
+logger = get_logger(__name__)
+
+router = APIRouter(prefix="/service-professional", tags=["Service Professional Authentication"])
+
+
+@router.post("/send-otp", response_model=ServiceProfessionalSendOTPResponse)
+async def send_service_professional_otp(request: ServiceProfessionalSendOTPRequest):
+    """
+    Send OTP to service professional mobile number for authentication via WhatsApp.
+    
+    **Process:**
+    1. Validates phone number format
+    2. Verifies service professional exists with this phone in scm_service_professionals collection
+    3. Validates professional is active
+    4. Generates random 6-digit OTP
+    5. Sends OTP via WATI WhatsApp API
+    6. Stores OTP in Redis with 5-minute expiration
+    
+    **Security:**
+    - Only allows active service professionals
+    - OTP expires in 5 minutes
+    - Maximum 3 verification attempts
+    - One-time use only
+    
+    **Request Body:**
+    - **phone**: Service professional mobile number (e.g., +919999999999)
+    
+    **Response:**
+    - **success**: Whether OTP was sent successfully
+    - **message**: Response message
+    - **expires_in**: OTP expiration time in seconds (300 = 5 minutes)
+    
+    Raises:
+        HTTPException: 400 - Invalid phone format
+        HTTPException: 404 - Service professional not found
+        HTTPException: 403 - Inactive account
+        HTTPException: 500 - Failed to send OTP
+    """
+    try:
+        service = ServiceProfessionalAuthService()
+        
+        success, message, expires_in = await service.send_otp(request.phone)
+        
+        if not success:
+            # Determine appropriate status code based on message
+            if "not found" in message.lower():
+                status_code = status.HTTP_404_NOT_FOUND
+            elif "inactive" in message.lower() or "suspended" in message.lower():
+                status_code = status.HTTP_403_FORBIDDEN
+            else:
+                status_code = status.HTTP_500_INTERNAL_SERVER_ERROR
+            
+            raise HTTPException(
+                status_code=status_code,
+                detail=message
+            )
+        
+        return ServiceProfessionalSendOTPResponse(
+            success=True,
+            message=message,
+            expires_in=expires_in
+        )
+        
+    except HTTPException:
+        raise
+    except Exception as e:
+        logger.error(f"Unexpected error sending service professional OTP: {str(e)}", exc_info=True)
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail="An unexpected error occurred while sending OTP"
+        )
+
+
+@router.post("/verify-otp", response_model=ServiceProfessionalAuthResponse)
+async def verify_service_professional_otp(
+    request: Request,
+    verify_request: ServiceProfessionalVerifyOTPRequest
+):
+    """
+    Verify OTP and authenticate service professional.
+    
+    **Process:**
+    1. Validates phone number and OTP
+    2. Verifies OTP from Redis cache
+    3. Validates professional status
+    4. Generates JWT access token
+    5. Returns authentication response
+    
+    **Security:**
+    - Only allows active service professionals
+    - OTP validation via Redis cache
+    - OTP expires in 5 minutes
+    - Maximum 3 verification attempts
+    - One-time use only
+    - JWT token with merchant context
+    
+    **Request Body:**
+    - **phone**: Service professional mobile number (e.g., +919999999999)
+    - **otp**: 6-digit OTP code received via WhatsApp
+    
+    **Response:**
+    - **access_token**: JWT token for authentication
+    - **token_type**: "bearer"
+    - **expires_in**: Token expiration time in seconds
+    - **professional_info**: Service professional information
+    
+    Raises:
+        HTTPException: 400 - Missing phone or OTP
+        HTTPException: 401 - Invalid OTP or professional not found
+        HTTPException: 403 - Inactive account
+        HTTPException: 429 - Too many attempts
+        HTTPException: 500 - Server error
+    """
+    try:
+        # Validate input
+        if not verify_request.phone or not verify_request.otp:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Phone and OTP are required"
+            )
+        
+        # Verify OTP using ServiceProfessionalAuthService
+        service = ServiceProfessionalAuthService()
+        professional_data, verify_message = await service.verify_otp(
+            verify_request.phone,
+            verify_request.otp
+        )
+        
+        if not professional_data:
+            # Determine appropriate status code based on message
+            if "expired" in verify_message.lower():
+                status_code = status.HTTP_401_UNAUTHORIZED
+            elif "too many attempts" in verify_message.lower():
+                status_code = status.HTTP_429_TOO_MANY_REQUESTS
+            else:
+                status_code = status.HTTP_401_UNAUTHORIZED
+            
+            logger.warning(f"Service professional OTP verification failed for phone: {verify_request.phone}")
+            raise HTTPException(
+                status_code=status_code,
+                detail=verify_message
+            )
+        
+        # Create access token for service professional
+        try:
+            access_token = service.create_professional_token(professional_data)
+            access_token_expires = timedelta(hours=settings.TOKEN_EXPIRATION_HOURS)
+        except Exception as token_error:
+            logger.error(
+                f"Error creating access token for service professional {professional_data['staff_id']}: {token_error}",
+                exc_info=True
+            )
+            raise HTTPException(
+                status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+                detail="Failed to generate authentication token"
+            )
+        
+        # Prepare professional info response
+        professional_info = {
+            "staff_id": professional_data["staff_id"],
+            "staff_code": professional_data["staff_code"],
+            "name": professional_data["name"],
+            "phone": professional_data["phone"],
+            "email": professional_data.get("email"),
+            "designation": professional_data.get("designation"),
+            "status": professional_data["status"],
+            "user_type": "service_professional"
+        }
+        
+        logger.info(
+            f"Service professional logged in via mobile OTP: {professional_data['staff_code']}",
+            extra={
+                "event": "service_professional_mobile_otp_login",
+                "staff_id": professional_data["staff_id"],
+                "staff_code": professional_data["staff_code"],
+                "phone": verify_request.phone
+            }
+        )
+        
+        return ServiceProfessionalAuthResponse(
+            access_token=access_token,
+            token_type="bearer",
+            expires_in=int(access_token_expires.total_seconds()),
+            professional_info=professional_info
+        )
+        
+    except HTTPException:
+        raise
+    except Exception as e:
+        logger.error(f"Unexpected error in service professional OTP verification: {str(e)}", exc_info=True)
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail="An unexpected error occurred during authentication"
+        )
+
+
+@router.post("/logout")
+async def logout_service_professional(request: Request):
+    """
+    Logout current service professional.
+    
+    **Process:**
+    - Records logout event for audit purposes
+    - Returns success confirmation
+    
+    **Note:** Since we're using stateless JWT tokens, the client is responsible for:
+    - Removing the token from local storage
+    - Clearing any cached professional data
+    - Redirecting to login screen
+    
+    **Security:**
+    - Logs logout event with professional information
+    - Provides audit trail for professional sessions
+    
+    Returns:
+        Success message
+    """
+    try:
+        # Get client information for audit logging
+        client_ip = request.client.host if request.client else None
+        user_agent = request.headers.get("User-Agent")
+        
+        logger.info(
+            "Service professional logged out",
+            extra={
+                "event": "service_professional_logout",
+                "ip_address": client_ip,
+                "user_agent": user_agent
+            }
+        )
+        
+        return {
+            "success": True,
+            "message": "Service professional logged out successfully"
+        }
+        
+    except Exception as e:
+        logger.error(f"Error during service professional logout: {str(e)}", exc_info=True)
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail="An unexpected error occurred during logout"
+        )

app/auth/schemas/service_professional_auth.py

@@ -0,0 +1,56 @@
+"""
+Service Professional authentication schemas for OTP-based login.
+Service professionals include spa staff, salon staff, beauticians, therapists, etc.
+"""
+from typing import Optional
+from pydantic import BaseModel, Field, field_validator
+import re
+
+PHONE_REGEX = re.compile(r"^\+?[0-9\-\s]{8,20}$")
+
+
+class ServiceProfessionalSendOTPRequest(BaseModel):
+    """Request schema for sending OTP to service professional."""
+    phone: str = Field(..., min_length=8, max_length=20, description="Service professional mobile number with country code")
+
+    @field_validator("phone")
+    @classmethod
+    def validate_phone(cls, v: str) -> str:
+        if not PHONE_REGEX.match(v):
+            raise ValueError("Invalid phone number format; use international format like +919999999999")
+        return v
+
+
+class ServiceProfessionalVerifyOTPRequest(BaseModel):
+    """Request schema for verifying service professional OTP."""
+    phone: str = Field(..., min_length=8, max_length=20, description="Service professional mobile number with country code")
+    otp: str = Field(..., min_length=4, max_length=6, description="OTP code")
+
+    @field_validator("phone")
+    @classmethod
+    def validate_phone(cls, v: str) -> str:
+        if not PHONE_REGEX.match(v):
+            raise ValueError("Invalid phone number format; use international format like +919999999999")
+        return v
+
+    @field_validator("otp")
+    @classmethod
+    def validate_otp(cls, v: str) -> str:
+        if not v.isdigit():
+            raise ValueError("OTP must contain only digits")
+        return v
+
+
+class ServiceProfessionalSendOTPResponse(BaseModel):
+    """Response schema for service professional OTP send request."""
+    success: bool = Field(..., description="Whether OTP was sent successfully")
+    message: str = Field(..., description="Response message")
+    expires_in: int = Field(..., description="OTP expiration time in seconds")
+
+
+class ServiceProfessionalAuthResponse(BaseModel):
+    """Response schema for successful service professional authentication."""
+    access_token: str = Field(..., description="JWT access token")
+    token_type: str = Field(default="bearer", description="Token type")
+    expires_in: int = Field(..., description="Token expiration time in seconds")
+    professional_info: dict = Field(..., description="Service professional information")

app/auth/services/service_professional_auth_service.py

@@ -0,0 +1,300 @@
+"""
+Service Professional authentication service for OTP-based login via WhatsApp.
+Handles authentication for spa staff, salon staff, beauticians, therapists, etc.
+"""
+import secrets
+from datetime import datetime, timedelta
+from typing import Optional, Tuple, Dict, Any
+from motor.motor_asyncio import AsyncIOMotorDatabase
+
+from app.core.config import settings
+from app.core.logging import get_logger
+from app.nosql import get_database
+from app.cache import cache_service
+from app.auth.services.wati_service import WatiService
+
+logger = get_logger(__name__)
+
+
+class ServiceProfessionalAuthService:
+    """Service for service professional OTP authentication via WhatsApp."""
+    
+    def __init__(self):
+        self.db: AsyncIOMotorDatabase = get_database()
+        self.wati_service = WatiService()
+        self.cache = cache_service
+        # Collection for service professionals
+        self.staff_collection = self.db["scm_service_professionals"]
+    
+    def _normalize_mobile(self, mobile: str) -> str:
+        """
+        Normalize mobile number to consistent format.
+        
+        Args:
+            mobile: Raw mobile number (with or without country code)
+            
+        Returns:
+            Normalized mobile number (with country code)
+        """
+        # Remove all spaces and dashes
+        clean_mobile = mobile.replace(" ", "").replace("-", "")
+        
+        # If it doesn't start with +, add +91 (India country code)
+        if not clean_mobile.startswith("+"):
+            if clean_mobile.startswith("91") and len(clean_mobile) == 12:
+                # Already has country code but no +
+                clean_mobile = "+" + clean_mobile
+            elif len(clean_mobile) == 10:
+                # Indian mobile number without country code
+                clean_mobile = "+91" + clean_mobile
+            else:
+                # Assume it needs +91 prefix
+                clean_mobile = "+91" + clean_mobile
+        
+        return clean_mobile
+    
+    async def get_professional_by_phone(self, phone: str) -> Optional[Dict[str, Any]]:
+        """
+        Get service professional by phone number from scm_service_professionals collection.
+        
+        Args:
+            phone: Normalized phone number
+            
+        Returns:
+            Service professional document or None
+        """
+        try:
+            professional = await self.staff_collection.find_one({"phone": phone})
+            return professional
+        except Exception as e:
+            logger.error(f"Error fetching service professional by phone {phone}: {str(e)}", exc_info=True)
+            return None
+    
+    async def send_otp(self, phone: str) -> Tuple[bool, str, int]:
+        """
+        Send OTP to service professional mobile number via WATI WhatsApp API.
+        
+        Args:
+            phone: Service professional mobile number
+            
+        Returns:
+            Tuple of (success, message, expires_in_seconds)
+        """
+        try:
+            # Normalize mobile number
+            normalized_phone = self._normalize_mobile(phone)
+            
+            # Verify service professional exists with this phone number
+            professional = await self.get_professional_by_phone(normalized_phone)
+            
+            if not professional:
+                logger.warning(f"Service professional OTP request for non-existent phone: {normalized_phone}")
+                return False, "Service professional not found for this phone number", 0
+            
+            # Check professional status
+            professional_status = professional.get("status", "").lower()
+            if professional_status != "active":
+                logger.warning(
+                    f"Inactive service professional attempted OTP: {professional.get('staff_code')}, "
+                    f"status: {professional_status}"
+                )
+                return False, f"Service professional account is {professional_status}", 0
+            
+            # Generate 6-digit OTP
+            otp = str(secrets.randbelow(900000) + 100000)
+            
+            # Set expiration (5 minutes)
+            expiry_minutes = 5
+            expires_at = datetime.utcnow() + timedelta(minutes=expiry_minutes)
+            expires_in = expiry_minutes * 60  # Convert to seconds
+            
+            # Store OTP in Redis FIRST (before attempting to send)
+            otp_data = {
+                "phone": normalized_phone,
+                "staff_id": professional.get("staff_id"),
+                "staff_code": professional.get("staff_code"),
+                "otp": otp,
+                "created_at": datetime.utcnow().isoformat(),
+                "expires_at": expires_at.isoformat(),
+                "attempts": 0,
+                "verified": False,
+                "wati_message_id": None,
+                "delivery_status": "pending"
+            }
+            
+            # Store in Redis with TTL
+            redis_key = f"service_professional_otp:{normalized_phone}"
+            await self.cache.set(redis_key, otp_data, ttl=expires_in)
+            
+            logger.info(
+                f"Service professional OTP generated and stored in Redis for {normalized_phone} "
+                f"(staff: {professional.get('staff_code')}), expires in {expires_in}s"
+            )
+            
+            # Attempt to send OTP via WATI WhatsApp API
+            wati_success, wati_message, message_id = await self.wati_service.send_otp_message(
+                mobile=normalized_phone,
+                otp=otp,
+                expiry_minutes=expiry_minutes,
+                template_name=settings.WATI_STAFF_OTP_TEMPLATE_NAME
+            )
+            
+            if wati_success:
+                # Update OTP data with WATI message ID and delivery status
+                otp_data["wati_message_id"] = message_id
+                otp_data["delivery_status"] = "sent"
+                await self.cache.set(redis_key, otp_data, ttl=expires_in)
+                
+                logger.info(
+                    f"Service professional OTP sent successfully via WATI to {normalized_phone} "
+                    f"for staff {professional.get('staff_code')}. Message ID: {message_id}"
+                )
+                return True, "OTP sent successfully via WhatsApp", expires_in
+            else:
+                # WhatsApp sending failed, but OTP is still in Redis for verification
+                otp_data["delivery_status"] = "failed"
+                otp_data["delivery_error"] = wati_message
+                await self.cache.set(redis_key, otp_data, ttl=expires_in)
+                
+                logger.warning(
+                    f"WhatsApp delivery failed for service professional {normalized_phone} "
+                    f"(staff: {professional.get('staff_code')}), but OTP is cached in Redis. Error: {wati_message}"
+                )
+                return True, "OTP generated (WhatsApp delivery pending). Please use the OTP if received.", expires_in
+            
+        except Exception as e:
+            logger.error(f"Error sending service professional OTP to {phone}: {str(e)}", exc_info=True)
+            return False, "Failed to send OTP", 0
+    
+    async def verify_otp(self, phone: str, otp: str) -> Tuple[Optional[Dict[str, Any]], str]:
+        """
+        Verify OTP and authenticate service professional.
+        
+        Args:
+            phone: Service professional mobile number
+            otp: OTP code to verify
+            
+        Returns:
+            Tuple of (professional_data, message)
+        """
+        try:
+            # Normalize mobile number
+            normalized_phone = self._normalize_mobile(phone)
+            
+            # Get OTP from Redis
+            redis_key = f"service_professional_otp:{normalized_phone}"
+            otp_data = await self.cache.get(redis_key)
+            
+            if not otp_data:
+                logger.warning(f"Service professional OTP verification failed - no OTP found in Redis for {normalized_phone}")
+                return None, "Invalid OTP or OTP has expired"
+            
+            # Check if OTP is expired
+            expires_at = datetime.fromisoformat(otp_data["expires_at"])
+            if datetime.utcnow() > expires_at:
+                logger.warning(f"Service professional OTP verification failed - expired OTP for {normalized_phone}")
+                await self.cache.delete(redis_key)
+                return None, "OTP has expired"
+            
+            # Check if already verified
+            if otp_data.get("verified", False):
+                logger.warning(f"Service professional OTP verification failed - already used OTP for {normalized_phone}")
+                return None, "OTP has already been used"
+            
+            # Increment attempts
+            attempts = otp_data.get("attempts", 0) + 1
+            
+            # Check max attempts (3 attempts allowed)
+            if attempts > 3:
+                logger.warning(f"Service professional OTP verification failed - too many attempts for {normalized_phone}")
+                await self.cache.delete(redis_key)
+                return None, "Too many attempts. Please request a new OTP"
+            
+            # Update attempts in Redis
+            otp_data["attempts"] = attempts
+            remaining_ttl = int((expires_at - datetime.utcnow()).total_seconds())
+            if remaining_ttl > 0:
+                await self.cache.set(redis_key, otp_data, ttl=remaining_ttl)
+            
+            # Verify OTP
+            if otp_data["otp"] != otp:
+                logger.warning(f"Service professional OTP verification failed - incorrect OTP for {normalized_phone}")
+                return None, "Invalid OTP"
+            
+            # Delete OTP from Redis (one-time use)
+            await self.cache.delete(redis_key)
+            
+            # Get service professional
+            professional = await self.get_professional_by_phone(normalized_phone)
+            
+            if not professional:
+                logger.error(f"Service professional not found after OTP verification: {normalized_phone}")
+                return None, "Service professional not found"
+            
+            # Verify professional is still active
+            professional_status = professional.get("status", "").lower()
+            if professional_status != "active":
+                logger.warning(f"Inactive service professional verified OTP: {professional.get('staff_code')}")
+                return None, f"Service professional account is {professional_status}"
+            
+            # Prepare professional data for token generation
+            professional_data = {
+                "staff_id": professional.get("staff_id"),
+                "staff_code": professional.get("staff_code"),
+                "name": professional.get("name"),
+                "phone": professional.get("phone"),
+                "email": professional.get("email"),
+                "designation": professional.get("designation"),
+                "status": professional.get("status"),
+                "user_type": "service_professional"
+            }
+            
+            logger.info(
+                f"Service professional OTP verified successfully for {normalized_phone}, "
+                f"staff: {professional.get('staff_code')}"
+            )
+            return professional_data, "OTP verified successfully"
+            
+        except Exception as e:
+            logger.error(f"Error verifying service professional OTP for {phone}: {str(e)}", exc_info=True)
+            return None, "Failed to verify OTP"
+    
+    def create_professional_token(self, professional_data: Dict[str, Any]) -> str:
+        """
+        Create JWT token for service professional.
+        
+        Args:
+            professional_data: Service professional information
+            
+        Returns:
+            JWT access token
+        """
+        try:
+            from jose import jwt
+            from datetime import datetime, timedelta
+            
+            # Token expiration
+            expires_delta = timedelta(hours=settings.TOKEN_EXPIRATION_HOURS)
+            expire = datetime.utcnow() + expires_delta
+            
+            # Token payload
+            token_data = {
+                "sub": professional_data["staff_id"],
+                "staff_code": professional_data["staff_code"],
+                "user_type": "service_professional",
+                "exp": expire,
+                "iat": datetime.utcnow()
+            }
+            
+            # Create JWT token
+            encoded_jwt = jwt.encode(
+                token_data,
+                settings.SECRET_KEY,
+                algorithm=settings.ALGORITHM
+            )
+            
+            return encoded_jwt
+            
+        except Exception as e:
+            logger.error(f"Error creating service professional token: {str(e)}", exc_info=True)
+            raise

app/main.py

@@ -19,6 +19,7 @@ from app.system_users.controllers.router import router as system_user_router
 from app.auth.controllers.router import router as auth_router
 from app.auth.controllers.staff_router import router as staff_router
 from app.auth.controllers.customer_router import router as customer_router
+from app.auth.controllers.service_professional_router import router as service_professional_router
 from app.internal.router import router as internal_router
 
 # Setup logging
@@ -349,11 +350,12 @@ async def check_db_status():
 
 
 # Include routers with new organization
-app.include_router(auth_router)          # /auth/* - Core authentication endpoints
-app.include_router(staff_router)         # /staff/* - Staff authentication (mobile OTP)
-app.include_router(customer_router)      # /customer/* - Customer authentication (OTP)
-app.include_router(system_user_router)   # /users/* - User management endpoints
-app.include_router(internal_router)      # /internal/* - Internal API endpoints
+app.include_router(auth_router)                    # /auth/* - Core authentication endpoints
+app.include_router(staff_router)                   # /staff/* - Staff authentication (mobile OTP)
+app.include_router(customer_router)                # /customer/* - Customer authentication (OTP)
+app.include_router(service_professional_router)    # /service-professional/* - Service professional authentication (OTP)
+app.include_router(system_user_router)             # /users/* - User management endpoints
+app.include_router(internal_router)                # /internal/* - Internal API endpoints
 
 
 if __name__ == "__main__":