Cleaner Web App
Cleaner app login (OTP via WhatsApp)
Cleaners often don't have a tenant email and shouldn't need a password. Login is phone-OTP via the existing WhatsApp bot.
Flow
- Operator dispatches the walkthrough (Send "Open cleaning app" action on the task).
- The WhatsApp bot sends the cleaner two messages:
  - A deep link: `Open cleaning app: https://app.flatsbratislava.com/c/<token>`
  - A 6-digit code: `Your code: 482917`
- Cleaner taps the link → app opens to the OTP screen.
- Cleaner enters the 6 digits → app validates → 30-day session cookie issued.
- App lands on the checklist for the dispatched task.
Subsequent walkthroughs
While the 30-day cookie is alive, subsequent walkthroughs auto-resume — the cleaner taps the new deep link, the cookie validates, the new task's checklist opens. No re-entry of OTP.
After 30 days OR if the cleaner clears cookies, the OTP flow runs again on the next dispatch.
What's stored
- Phone number → `teammates` row matched at OTP time.
- Session cookie (HttpOnly, Secure) — 30-day expiry, refreshed on use.
- No password.
- No email required.
What if OTP fails
- Wrong code — "Code doesn't match. Try again or ask the operator to re-send."
- Code expired (older than 10 minutes) — "Code expired. Ask the operator to re-send."
- Token expired (link reused after token TTL) — "This link is no longer valid. Ask the operator for a new one."
In all cases, the operator can re-trigger the dispatch action; a fresh link + code go out.
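One way to order the three failure checks and issue the session, as an added example (not the FlatsBratislava backend code). The `Dispatch` record, the function names, the `session` cookie name and the 24-hour `TOKEN_TTL` are assumptions; the page gives only the 10-minute code lifetime and the 30-day cookie.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

CODE_TTL = 10 * 60            # from the page: codes expire after 10 minutes
SESSION_TTL = 30 * 24 * 3600  # from the page: 30-day session cookie
TOKEN_TTL = 24 * 3600         # assumption: the page does not state the token TTL

MSG_WRONG = "Code doesn't match. Try again or ask the operator to re-send."
MSG_CODE_EXPIRED = "Code expired. Ask the operator to re-send."
MSG_TOKEN_EXPIRED = "This link is no longer valid. Ask the operator for a new one."


@dataclass
class Dispatch:  # hypothetical record written when the operator dispatches
    token: str
    code_hash: bytes
    issued_at: float


def _hash(token: str, code: str) -> bytes:
    # Bind the code to its link token so it only validates with that link.
    return hmac.new(token.encode(), code.encode(), hashlib.sha256).digest()


def dispatch(now: float) -> tuple[Dispatch, str]:
    token = secrets.token_urlsafe(32)          # unguessable deep-link token
    code = f"{secrets.randbelow(10**6):06d}"   # 6 digits from a CSPRNG
    return Dispatch(token, _hash(token, code), now), code


def verify(d: Dispatch, token: str, code: str, now: float) -> tuple[bool, str]:
    """Return (True, Set-Cookie value) or (False, message shown to the cleaner)."""
    age = now - d.issued_at
    # Constant-time comparisons avoid leaking how much of a guess matched.
    if not hmac.compare_digest(d.token.encode(), token.encode()) or age > TOKEN_TTL:
        return False, MSG_TOKEN_EXPIRED
    if age > CODE_TTL:
        return False, MSG_CODE_EXPIRED
    if not hmac.compare_digest(d.code_hash, _hash(token, code)):
        return False, MSG_WRONG
    sid = secrets.token_urlsafe(32)
    return True, f"session={sid}; Max-Age={SESSION_TTL}; HttpOnly; Secure"
```
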
Browser floor
Works on Chromium ≥ 80 and Safari ≥ 13. Older browsers see a polyfill warning and a static "please update your browser" page.
Implements: gh#524 Slice 1 (backend OTP auth).
Source: the FlatsBratislava operator manual.