Cleaner Web App

Cleaner app login (OTP via WhatsApp)

Cleaners often don't have a tenant email and shouldn't need a password. Login is phone-OTP via the existing WhatsApp bot.

Flow

  1. Operator dispatches the walkthrough (Send "Open cleaning app" action on the task).
  2. The WhatsApp bot sends the cleaner two messages:
       - A deep link: Open cleaning app: https://app.flatsbratislava.com/c/<token>
       - A 6-digit code: Your code: 482917
  3. Cleaner taps the link → app opens to the OTP screen.
  4. Cleaner enters the 6 digits → app validates → 30-day session cookie issued.
  5. App lands on the checklist for the dispatched task.

Subsequent walkthroughs

While the 30-day cookie is alive, subsequent walkthroughs auto-resume — the cleaner taps the new deep link, the cookie validates, the new task's checklist opens. No re-entry of OTP.

After 30 days OR if the cleaner clears cookies, the OTP flow runs again on the next dispatch.

What's stored

  • Phone number → teammates row matched at OTP time.
  • Session cookie (HttpOnly, Secure) — 30-day expiry, refreshed on use.
  • No password.
  • No email required.

What if OTP fails

  • Wrong code — "Code doesn't match. Try again or ask the operator to re-send."
  • Code expired (older than 10 minutes) — "Code expired. Ask the operator to re-send."
  • Token expired (link reused after token TTL) — "This link is no longer valid. Ask the operator for a new one."

In all cases, the operator can re-trigger the dispatch action; a fresh link + code go out.
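
The three failure cases above, together with the success path, can be written as one server-side check. This is an added example, not the project's own code: the `Dispatch` record, `hash_code`, `verify_otp`, the 24-hour token TTL and the sample phone number are assumptions made for illustration, while the messages, the 10-minute code lifetime and the 30-day cookie come from this page.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CODE_TTL = timedelta(minutes=10)   # from the manual: code older than 10 minutes
SESSION_TTL = timedelta(days=30)   # from the manual: 30-day session cookie
TOKEN_TTL = timedelta(hours=24)    # assumption: the manual gives no token TTL

MSG_WRONG = "Code doesn't match. Try again or ask the operator to re-send."
MSG_CODE_EXPIRED = "Code expired. Ask the operator to re-send."
MSG_TOKEN_EXPIRED = "This link is no longer valid. Ask the operator for a new one."


def hash_code(token: str, code: str) -> str:
    # Assumption: only a token-bound digest of the 6-digit code is stored.
    return hashlib.sha256(f"{token}:{code}".encode()).hexdigest()


@dataclass
class Dispatch:  # hypothetical record written when the operator dispatches
    token: str
    code_hash: str
    phone: str
    issued_at: datetime


def verify_otp(dispatch: Dispatch, submitted: str, now: datetime) -> dict:
    """Decide the outcome of one OTP submission for a dispatched link."""
    age = now - dispatch.issued_at
    # Expiry is checked first so a stale link never reveals code validity.
    if age > TOKEN_TTL:
        return {"ok": False, "message": MSG_TOKEN_EXPIRED}
    if age > CODE_TTL:
        return {"ok": False, "message": MSG_CODE_EXPIRED}
    actual = hash_code(dispatch.token, submitted.strip())
    if not hmac.compare_digest(dispatch.code_hash, actual):  # constant time
        return {"ok": False, "message": MSG_WRONG}
    return {"ok": True, "phone": dispatch.phone,
            "cookie": {"HttpOnly": True, "Secure": True,
                       "expires": now + SESSION_TTL}}


# Constructed sample data, not real values from the system.
ISSUED = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE = Dispatch("tok-example", hash_code("tok-example", "482917"),
                  "+421900000000", ISSUED)
```

This page does not describe a limit on wrong attempts; if one exists, a per-token counter would be checked before the comparison.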

Browser floor

Works on Chromium ≥ 80 and Safari ≥ 13. Older browsers see a polyfill warning and a static "please update your browser" page.


Implements: gh#524 Slice 1 (backend OTP auth).

Source: the FlatsBratislava operator manual.