square-authentication 6.2.2__py3-none-any.whl → 7.0.0__py3-none-any.whl

square_authentication/routes/core.py

@@ -1,5 +1,7 @@
 import copy
+import random
 import re
+import uuid
 from datetime import datetime, timedelta, timezone
 from typing import Annotated, List
 
@@ -9,11 +11,15 @@ from fastapi import APIRouter, Header, HTTPException, status
 from fastapi.params import Query
 from fastapi.responses import JSONResponse
 from requests import HTTPError
-from square_commons import get_api_output_in_standard_format
+from square_commons import get_api_output_in_standard_format, send_email_using_mailgun
 from square_database_helper.pydantic_models import FilterConditionsV0, FiltersV0
 from square_database_structure.square import global_string_database_name
 from square_database_structure.square.authentication import global_string_schema_name
-from square_database_structure.square.authentication.enums import RecoveryMethodEnum
+from square_database_structure.square.authentication.enums import (
+    RecoveryMethodEnum,
+    AuthProviderEnum,
+    VerificationCodeTypeEnum,
+)
 from square_database_structure.square.authentication.tables import (
     User,
     UserApp,
@@ -21,7 +27,14 @@ from square_database_structure.square.authentication.tables import (
     UserSession,
     UserProfile,
     UserRecoveryMethod,
+    UserAuthProvider,
+    UserVerificationCode,
+)
+from square_database_structure.square.email import (
+    global_string_schema_name as email_schema_name,
 )
+from square_database_structure.square.email.enums import EmailTypeEnum, EmailStatusEnum
+from square_database_structure.square.email.tables import EmailLog
 from square_database_structure.square.public import (
     global_string_schema_name as global_string_public_schema_name,
 )
@@ -34,6 +47,7 @@ from square_authentication.configuration import (
     config_str_secret_key_for_refresh_token,
     global_object_square_logger,
     global_object_square_database_helper,
+    MAIL_GUN_API_KEY,
 )
 from square_authentication.messages import messages
 from square_authentication.pydantic_models.core import (
@@ -43,6 +57,8 @@ from square_authentication.pydantic_models.core import (
     RegisterUsernameV0,
     TokenType,
     UpdatePasswordV0,
+    ResetPasswordAndLoginUsingBackupCodeV0,
+    SendResetPasswordEmailV0,
 )
 from square_authentication.utils.token import get_jwt_payload
 
@@ -86,13 +102,9 @@ async def register_username_v0(
             global_object_square_database_helper.get_rows_v0(
                 database_name=global_string_database_name,
                 schema_name=global_string_schema_name,
-                table_name=UserProfile.__tablename__,
+                table_name=User.__tablename__,
                 filters=FiltersV0(
-                    root={
-                        UserProfile.user_profile_username.name: FilterConditionsV0(
-                            eq=username
-                        )
-                    }
+                    root={User.user_username.name: FilterConditionsV0(eq=username)}
                 ),
             )["data"]["main"]
         )
@@ -111,13 +123,47 @@ async def register_username_v0(
         """
         # entry in user table
         local_list_response_user = global_object_square_database_helper.insert_rows_v0(
-            data=[{}],
+            data=[
+                {
+                    User.user_username.name: username,
+                }
+            ],
             database_name=global_string_database_name,
             schema_name=global_string_schema_name,
             table_name=User.__tablename__,
         )["data"]["main"]
         local_str_user_id = local_list_response_user[0][User.user_id.name]
 
+        # entry in user auth provider table
+        local_list_response_user_auth_provider = global_object_square_database_helper.insert_rows_v0(
+            data=[
+                {
+                    UserAuthProvider.user_id.name: local_str_user_id,
+                    UserAuthProvider.auth_provider.name: AuthProviderEnum.SELF.value,
+                }
+            ],
+            database_name=global_string_database_name,
+            schema_name=global_string_schema_name,
+            table_name=UserAuthProvider.__tablename__,
+        )[
+            "data"
+        ][
+            "main"
+        ]
+        local_str_user_id = local_list_response_user[0][User.user_id.name]
+
+        # entry in user profile table
+        global_object_square_database_helper.insert_rows_v0(
+            database_name=global_string_database_name,
+            schema_name=global_string_schema_name,
+            table_name=UserProfile.__tablename__,
+            data=[
+                {
+                    UserProfile.user_id.name: local_str_user_id,
+                }
+            ],
+        )
+
         # entry in credential table
 
         # hash password
@@ -136,17 +182,6 @@ async def register_username_v0(
             schema_name=global_string_schema_name,
             table_name=UserCredential.__tablename__,
         )
-        global_object_square_database_helper.insert_rows_v0(
-            data=[
-                {
-                    UserProfile.user_id.name: local_str_user_id,
-                    UserProfile.user_profile_username.name: username,
-                }
-            ],
-            database_name=global_string_database_name,
-            schema_name=global_string_schema_name,
-            table_name=UserProfile.__tablename__,
-        )
         if app_id is not None:
             # assign app to user
             global_object_square_database_helper.insert_rows_v0(
@@ -552,29 +587,52 @@ async def login_username_v0(body: LoginUsernameV0):
         validation
         """
         # validation for username
-        local_list_response_user_profile = (
+        # check if user with username exists
+        local_list_response_user = global_object_square_database_helper.get_rows_v0(
+            database_name=global_string_database_name,
+            schema_name=global_string_schema_name,
+            table_name=User.__tablename__,
+            filters=FiltersV0(
+                root={User.user_username.name: FilterConditionsV0(eq=username)}
+            ),
+        )["data"]["main"]
+        if len(local_list_response_user) != 1:
+            output_content = get_api_output_in_standard_format(
+                message=messages["INCORRECT_USERNAME"],
+                log=f"incorrect username {username}",
+            )
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail=output_content,
+            )
+        # check if user has auth provider as SELF
+        local_list_user_auth_provider_response = (
             global_object_square_database_helper.get_rows_v0(
                 database_name=global_string_database_name,
                 schema_name=global_string_schema_name,
-                table_name=UserProfile.__tablename__,
+                table_name=UserAuthProvider.__tablename__,
                 filters=FiltersV0(
                     root={
-                        UserProfile.user_profile_username.name: FilterConditionsV0(
-                            eq=username
-                        )
+                        UserAuthProvider.user_id.name: FilterConditionsV0(
+                            eq=local_list_response_user[0][User.user_id.name]
+                        ),
+                        UserAuthProvider.auth_provider.name: FilterConditionsV0(
+                            eq=AuthProviderEnum.SELF.value
+                        ),
                     }
                 ),
             )["data"]["main"]
         )
-        if len(local_list_response_user_profile) != 1:
+        if len(local_list_user_auth_provider_response) != 1:
             output_content = get_api_output_in_standard_format(
-                message=messages["INCORRECT_USERNAME"],
-                log=f"incorrect username {username}",
+                message=messages["INCORRECT_AUTH_PROVIDER"],
+                log=f"{username} not linked with {AuthProviderEnum.SELF.value} auth provider.",
             )
             raise HTTPException(
                 status_code=status.HTTP_400_BAD_REQUEST,
                 detail=output_content,
             )
+        # check if user has credentials (might not be set in case of errors in registration.)
         local_list_authentication_user_response = (
             global_object_square_database_helper.get_rows_v0(
                 database_name=global_string_database_name,
@@ -583,9 +641,7 @@ async def login_username_v0(body: LoginUsernameV0):
                 filters=FiltersV0(
                     root={
                         UserCredential.user_id.name: FilterConditionsV0(
-                            eq=local_list_response_user_profile[0][
-                                UserProfile.user_id.name
-                            ]
+                            eq=local_list_response_user[0][User.user_id.name]
                         )
                     }
                 ),
@@ -1155,12 +1211,10 @@ async def update_username_v0(
             global_object_square_database_helper.get_rows_v0(
                 database_name=global_string_database_name,
                 schema_name=global_string_schema_name,
-                table_name=UserProfile.__tablename__,
+                table_name=User.__tablename__,
                 filters=FiltersV0(
                     root={
-                        UserProfile.user_profile_username.name: FilterConditionsV0(
-                            eq=new_username
-                        ),
+                        User.user_username.name: FilterConditionsV0(eq=new_username),
                     }
                 ),
             )["data"]["main"]
@@ -1181,14 +1235,14 @@ async def update_username_v0(
         global_object_square_database_helper.edit_rows_v0(
             database_name=global_string_database_name,
             schema_name=global_string_schema_name,
-            table_name=UserProfile.__tablename__,
+            table_name=User.__tablename__,
             filters=FiltersV0(
                 root={
-                    UserProfile.user_id.name: FilterConditionsV0(eq=user_id),
+                    User.user_id.name: FilterConditionsV0(eq=user_id),
                 }
             ),
             data={
-                UserProfile.user_profile_username.name: new_username,
+                User.user_username.name: new_username,
             },
         )
         """
@@ -1218,7 +1272,7 @@ async def update_username_v0(
         )
 
 
-@router.delete("/delete_user/v0")
+@router.post("/delete_user/v0")
 @global_object_square_logger.auto_logger()
 async def delete_user_v0(
     body: DeleteUserV0,
@@ -1393,7 +1447,7 @@ async def update_password_v0(
         """
         main process
         """
-        # delete the user.
+        # update the password
         local_str_hashed_password = bcrypt.hashpw(
             new_password.encode("utf-8"), bcrypt.gensalt()
         ).decode("utf-8")
@@ -1581,7 +1635,44 @@ async def update_user_recovery_methods_v0(
                 status_code=status.HTTP_400_BAD_REQUEST,
                 detail=output_content,
             )
-
+        # check if user's email is verified in user profile.
+        # maybe too harsh to reject the request entirely,
+        # but for practical purposes this api call should be used for 1 recovery method at a time, so it's not too bad.
+        if RecoveryMethodEnum.EMAIL.value in recovery_methods_to_add:
+            local_list_response_user_profile = (
+                global_object_square_database_helper.get_rows_v0(
+                    database_name=global_string_database_name,
+                    schema_name=global_string_schema_name,
+                    table_name=UserProfile.__tablename__,
+                    filters=FiltersV0(
+                        root={
+                            UserProfile.user_id.name: FilterConditionsV0(eq=user_id),
+                        }
+                    ),
+                )["data"]["main"]
+            )
+            if len(local_list_response_user_profile) != 1:
+                # maybe this should raise 500 as this error will not occur if code runs correctly.
+                output_content = get_api_output_in_standard_format(
+                    message=messages["GENERIC_400"],
+                    log=f"user_id: {user_id} does not have a profile.",
+                )
+                raise HTTPException(
+                    status_code=status.HTTP_400_BAD_REQUEST,
+                    detail=output_content,
+                )
+            local_dict_user_profile = local_list_response_user_profile[0]
+            if not local_dict_user_profile[
+                UserProfile.user_profile_email_verified.name
+            ]:
+                output_content = get_api_output_in_standard_format(
+                    message=messages["EMAIL_NOT_VERIFIED"],
+                    log=f"user_id: {user_id} does not have email verified.",
+                )
+                raise HTTPException(
+                    status_code=status.HTTP_400_BAD_REQUEST,
+                    detail=output_content,
+                )
         """
         main process
         """
@@ -1680,3 +1771,544 @@ async def update_user_recovery_methods_v0(
             status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
             content=output_content,
         )
+
+
+@router.post("/generate_account_backup_codes/v0")
+@global_object_square_logger.auto_logger()
+async def generate_account_backup_codes_v0(
+    access_token: Annotated[str, Header()],
+):
+
+    try:
+        """
+        validation
+        """
+        try:
+            local_dict_access_token_payload = get_jwt_payload(
+                access_token, config_str_secret_key_for_access_token
+            )
+        except Exception as error:
+            output_content = get_api_output_in_standard_format(
+                message=messages["INCORRECT_ACCESS_TOKEN"], log=str(error)
+            )
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail=output_content,
+            )
+        user_id = local_dict_access_token_payload["user_id"]
+        # check if user has recovery method enabled
+        local_list_response_user_recovery_methods = global_object_square_database_helper.get_rows_v0(
+            database_name=global_string_database_name,
+            schema_name=global_string_schema_name,
+            table_name=UserRecoveryMethod.__tablename__,
+            filters=FiltersV0(
+                root={
+                    UserRecoveryMethod.user_id.name: FilterConditionsV0(eq=user_id),
+                    UserRecoveryMethod.user_recovery_method_name.name: FilterConditionsV0(
+                        eq=RecoveryMethodEnum.BACKUP_CODE.value
+                    ),
+                }
+            ),
+        )[
+            "data"
+        ][
+            "main"
+        ]
+        if len(local_list_response_user_recovery_methods) != 1:
+            output_content = get_api_output_in_standard_format(
+                message=messages["RECOVERY_METHOD_NOT_ENABLED"],
+                log=f"user_id: {user_id} does not have backup codes recovery method enabled.",
+            )
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail=output_content,
+            )
+        """
+        main process
+        """
+        # generate backup codes
+        backup_codes = []
+        db_data = []
+
+        for i in range(10):
+            backup_code = str(uuid.uuid4())
+            backup_codes.append(backup_code)
+            # hash the backup code
+            local_str_hashed_backup_code = bcrypt.hashpw(
+                backup_code.encode("utf-8"), bcrypt.gensalt()
+            ).decode("utf-8")
+
+            db_data.append(
+                {
+                    UserVerificationCode.user_id.name: user_id,
+                    UserVerificationCode.user_verification_code_type.name: VerificationCodeTypeEnum.BACKUP_CODE_RECOVERY.value,
+                    UserVerificationCode.user_verification_code_hash.name: local_str_hashed_backup_code,
+                }
+            )
+        global_object_square_database_helper.insert_rows_v0(
+            database_name=global_string_database_name,
+            schema_name=global_string_schema_name,
+            table_name=UserVerificationCode.__tablename__,
+            data=db_data,
+        )
+
+        """
+        return value
+        """
+        output_content = get_api_output_in_standard_format(
+            message=messages["GENERIC_CREATION_SUCCESSFUL"],
+            data={
+                "main": {
+                    "user_id": user_id,
+                    "backup_codes": backup_codes,
+                }
+            },
+        )
+        return JSONResponse(status_code=status.HTTP_200_OK, content=output_content)
+    except HTTPException as http_exception:
+        global_object_square_logger.logger.error(http_exception, exc_info=True)
+        return JSONResponse(
+            status_code=http_exception.status_code, content=http_exception.detail
+        )
+    except Exception as e:
+        """
+        rollback logic
+        """
+        global_object_square_logger.logger.error(e, exc_info=True)
+        output_content = get_api_output_in_standard_format(
+            message=messages["GENERIC_500"],
+            log=str(e),
+        )
+        return JSONResponse(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, content=output_content
+        )
+
+
+@router.post("/reset_password_and_login_using_backup_code/v0")
+@global_object_square_logger.auto_logger()
+async def reset_password_and_login_using_backup_code_v0(
+    body: ResetPasswordAndLoginUsingBackupCodeV0,
+):
+    backup_code = body.backup_code
+    username = body.username
+    new_password = body.new_password
+    app_id = body.app_id
+    try:
+        """
+        validation
+        """
+        # validate username
+        local_list_authentication_user_response = (
+            global_object_square_database_helper.get_rows_v0(
+                database_name=global_string_database_name,
+                schema_name=global_string_schema_name,
+                table_name=User.__tablename__,
+                filters=FiltersV0(
+                    root={User.user_username.name: FilterConditionsV0(eq=username)}
+                ),
+            )["data"]["main"]
+        )
+        if len(local_list_authentication_user_response) != 1:
+            output_content = get_api_output_in_standard_format(
+                message=messages["INCORRECT_USERNAME"],
+                log=f"incorrect username: {username}.",
+            )
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail=output_content,
+            )
+        user_id = local_list_authentication_user_response[0][User.user_id.name]
+        # check if user has recovery method enabled
+        local_list_response_user_recovery_methods = global_object_square_database_helper.get_rows_v0(
+            database_name=global_string_database_name,
+            schema_name=global_string_schema_name,
+            table_name=UserRecoveryMethod.__tablename__,
+            filters=FiltersV0(
+                root={
+                    UserRecoveryMethod.user_id.name: FilterConditionsV0(eq=user_id),
+                    UserRecoveryMethod.user_recovery_method_name.name: FilterConditionsV0(
+                        eq=RecoveryMethodEnum.BACKUP_CODE.value
+                    ),
+                }
+            ),
+        )[
+            "data"
+        ][
+            "main"
+        ]
+        if len(local_list_response_user_recovery_methods) != 1:
+            output_content = get_api_output_in_standard_format(
+                message=messages["RECOVERY_METHOD_NOT_ENABLED"],
+                log=f"user_id: {user_id} does not have backup codes recovery method enabled.",
+            )
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail=output_content,
+            )
+        # validate if user is assigned to the app.
+        # not checking [skipping] if the app exists, as it is not required for this endpoint.
+        local_list_response_user_app = global_object_square_database_helper.get_rows_v0(
+            database_name=global_string_database_name,
+            schema_name=global_string_schema_name,
+            table_name=UserApp.__tablename__,
+            filters=FiltersV0(
+                root={
+                    UserApp.user_id.name: FilterConditionsV0(eq=user_id),
+                    UserApp.app_id.name: FilterConditionsV0(eq=app_id),
+                }
+            ),
+        )["data"]["main"]
+        if len(local_list_response_user_app) == 0:
+            output_content = get_api_output_in_standard_format(
+                message=messages["GENERIC_400"],
+                log=f"user_id: {user_id} is not assigned to app_id: {app_id}.",
+            )
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail=output_content,
+            )
+        """
+        main process
+        """
+        # validate backup code
+        local_list_response_user_verification_code = global_object_square_database_helper.get_rows_v0(
+            database_name=global_string_database_name,
+            schema_name=global_string_schema_name,
+            table_name=UserVerificationCode.__tablename__,
+            filters=FiltersV0(
+                root={
+                    UserVerificationCode.user_id.name: FilterConditionsV0(eq=user_id),
+                    UserVerificationCode.user_verification_code_type.name: FilterConditionsV0(
+                        eq=VerificationCodeTypeEnum.BACKUP_CODE_RECOVERY.value
+                    ),
+                    UserVerificationCode.user_verification_code_expires_at.name: FilterConditionsV0(
+                        is_null=True
+                    ),
+                    UserVerificationCode.user_verification_code_used_at.name: FilterConditionsV0(
+                        is_null=True
+                    ),
+                }
+            ),
+            columns=[UserVerificationCode.user_verification_code_hash.name],
+        )[
+            "data"
+        ][
+            "main"
+        ]
+        # find the backup code in the list
+        local_list_response_user_verification_code = [
+            x
+            for x in local_list_response_user_verification_code
+            if bcrypt.checkpw(
+                backup_code.encode("utf-8"),
+                x[UserVerificationCode.user_verification_code_hash.name].encode(
+                    "utf-8"
+                ),
+            )
+        ]
+        if len(local_list_response_user_verification_code) != 1:
+            output_content = get_api_output_in_standard_format(
+                message=messages["INCORRECT_BACKUP_CODE"],
+                log=f"incorrect backup code: {backup_code} for user_id: {user_id}.",
+            )
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail=output_content,
+            )
+        # hash the new password
+        local_str_hashed_password = bcrypt.hashpw(
+            new_password.encode("utf-8"), bcrypt.gensalt()
+        ).decode("utf-8")
+        # update the password
+        global_object_square_database_helper.edit_rows_v0(
+            database_name=global_string_database_name,
+            schema_name=global_string_schema_name,
+            table_name=UserCredential.__tablename__,
+            filters=FiltersV0(
+                root={
+                    UserCredential.user_id.name: FilterConditionsV0(eq=user_id),
+                }
+            ),
+            data={
+                UserCredential.user_credential_hashed_password.name: local_str_hashed_password,
+            },
+        )
+        # mark the backup code as used
+        global_object_square_database_helper.edit_rows_v0(
+            database_name=global_string_database_name,
+            schema_name=global_string_schema_name,
+            table_name=UserVerificationCode.__tablename__,
+            filters=FiltersV0(
+                root={
+                    UserVerificationCode.user_id.name: FilterConditionsV0(eq=user_id),
+                    UserVerificationCode.user_verification_code_type.name: FilterConditionsV0(
+                        eq=VerificationCodeTypeEnum.BACKUP_CODE_RECOVERY.value
+                    ),
+                    UserVerificationCode.user_verification_code_hash.name: FilterConditionsV0(
+                        eq=local_list_response_user_verification_code[0][
+                            UserVerificationCode.user_verification_code_hash.name
+                        ]
+                    ),
+                }
+            ),
+            data={
+                UserVerificationCode.user_verification_code_used_at.name: datetime.now(
+                    timezone.utc
+                ).strftime("%Y-%m-%d %H:%M:%S.%f+00"),
+            },
+        )
+        # generate access token and refresh token
+        local_dict_access_token_payload = {
+            "app_id": app_id,
+            "user_id": user_id,
+            "exp": datetime.now(timezone.utc)
+            + timedelta(minutes=config_int_access_token_valid_minutes),
+        }
+        local_str_access_token = jwt.encode(
+            local_dict_access_token_payload, config_str_secret_key_for_access_token
+        )
+        local_object_refresh_token_expiry_time = datetime.now(timezone.utc) + timedelta(
+            minutes=config_int_refresh_token_valid_minutes
+        )
+        local_dict_refresh_token_payload = {
+            "app_id": app_id,
+            "user_id": user_id,
+            "exp": local_object_refresh_token_expiry_time,
+        }
+        local_str_refresh_token = jwt.encode(
+            local_dict_refresh_token_payload, config_str_secret_key_for_refresh_token
+        )
+        # insert the refresh token in the database
+        global_object_square_database_helper.insert_rows_v0(
+            database_name=global_string_database_name,
+            schema_name=global_string_schema_name,
+            table_name=UserSession.__tablename__,
+            data=[
+                {
+                    UserSession.user_id.name: user_id,
+                    UserSession.app_id.name: app_id,
+                    UserSession.user_session_refresh_token.name: local_str_refresh_token,
+                    UserSession.user_session_expiry_time.name: local_object_refresh_token_expiry_time.strftime(
+                        "%Y-%m-%d %H:%M:%S.%f+00"
+                    ),
+                }
+            ],
+        )
+        """
+        return value
+        """
+        output_content = get_api_output_in_standard_format(
+            message=messages["GENERIC_CREATION_SUCCESSFUL"],
+            data={
+                "main": {
+                    "user_id": user_id,
+                    "access_token": local_str_access_token,
+                    "refresh_token": local_str_refresh_token,
+                }
+            },
+        )
+
+        return JSONResponse(status_code=status.HTTP_200_OK, content=output_content)
+    except HTTPException as http_exception:
+        global_object_square_logger.logger.error(http_exception, exc_info=True)
+        return JSONResponse(
+            status_code=http_exception.status_code, content=http_exception.detail
+        )
+    except Exception as e:
+        """
+        rollback logic
+        """
+        global_object_square_logger.logger.error(e, exc_info=True)
+        output_content = get_api_output_in_standard_format(
+            message=messages["GENERIC_500"],
+            log=str(e),
+        )
+        return JSONResponse(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, content=output_content
+        )
+
+
+@router.post("/send_reset_password_email/v0")
+@global_object_square_logger.auto_logger()
+async def send_reset_password_email_v0(
+    body: SendResetPasswordEmailV0,
+):
+    username = body.username
+    app_id = body.app_id
+    try:
+        """
+        validation
+        """
+        # validate username
+        local_list_authentication_user_response = (
+            global_object_square_database_helper.get_rows_v0(
+                database_name=global_string_database_name,
+                schema_name=global_string_schema_name,
+                table_name=User.__tablename__,
+                filters=FiltersV0(
+                    root={User.user_username.name: FilterConditionsV0(eq=username)}
+                ),
+            )["data"]["main"]
+        )
+        if len(local_list_authentication_user_response) != 1:
+            output_content = get_api_output_in_standard_format(
+                message=messages["INCORRECT_USERNAME"],
+                log=f"incorrect username: {username}.",
+            )
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail=output_content,
+            )
+        user_id = local_list_authentication_user_response[0][User.user_id.name]
+        # check if user has recovery method enabled
+        local_list_response_user_recovery_methods = global_object_square_database_helper.get_rows_v0(
+            database_name=global_string_database_name,
+            schema_name=global_string_schema_name,
+            table_name=UserRecoveryMethod.__tablename__,
+            filters=FiltersV0(
+                root={
+                    UserRecoveryMethod.user_id.name: FilterConditionsV0(eq=user_id),
+                    UserRecoveryMethod.user_recovery_method_name.name: FilterConditionsV0(
+                        eq=RecoveryMethodEnum.EMAIL.value
+                    ),
+                }
+            ),
+        )[
+            "data"
+        ][
+            "main"
+        ]
+        if len(local_list_response_user_recovery_methods) != 1:
+            output_content = get_api_output_in_standard_format(
+                message=messages["RECOVERY_METHOD_NOT_ENABLED"],
+                log=f"user_id: {user_id} does not have email recovery method enabled.",
+            )
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail=output_content,
+            )
+        # validate if user has email in profile
+        user_profile_response = global_object_square_database_helper.get_rows_v0(
+            database_name=global_string_database_name,
+            schema_name=global_string_schema_name,
+            table_name=UserProfile.__tablename__,
+            filters=FiltersV0(
+                root={UserProfile.user_id.name: FilterConditionsV0(eq=user_id)}
+            ),
+            apply_filters=True,
+        )
+        user_profile_data = user_profile_response["data"]["main"][0]
+        if not user_profile_data.get(UserProfile.user_profile_email.name):
+            output_content = get_api_output_in_standard_format(
+                message=messages["GENERIC_MISSING_REQUIRED_FIELD"],
+                log="email is required to send verification email.",
+            )
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail=output_content,
+            )
+        # check if email is not verified
+        if not user_profile_data.get(UserProfile.user_profile_email_verified.name):
+            output_content = get_api_output_in_standard_format(
+                message=messages["EMAIL_NOT_VERIFIED"],
+                log="email is not verified.",
+            )
+            return JSONResponse(status_code=status.HTTP_200_OK, content=output_content)
+
+        """
+        main process
+        """
+        # create 6 digit verification code
+        verification_code = random.randint(100000, 999999)
+        # hash the verification code
+        hashed_verification_code = bcrypt.hashpw(
+            str(verification_code).encode("utf-8"), bcrypt.gensalt()
+        ).decode("utf-8")
+        # expire the verification code after 10 minutes
+        expires_at = datetime.now(timezone.utc) + timedelta(minutes=10)
+        # add verification code to UserVerification code table
+        global_object_square_database_helper.insert_rows_v0(
+            database_name=global_string_database_name,
+            schema_name=global_string_schema_name,
+            table_name=UserVerificationCode.__tablename__,
+            data=[
+                {
+                    UserVerificationCode.user_id.name: user_id,
+                    UserVerificationCode.user_verification_code_type.name: VerificationCodeTypeEnum.EMAIL_RECOVERY.value,
+                    UserVerificationCode.user_verification_code_hash.name: hashed_verification_code,
+                    UserVerificationCode.user_verification_code_expires_at.name: expires_at.strftime(
+                        "%Y-%m-%d %H:%M:%S.%f+00"
+                    ),
+                }
+            ],
+        )
+        # send verification email
+        if (
+            user_profile_data[UserProfile.user_profile_first_name.name]
+            and user_profile_data[UserProfile.user_profile_last_name.name]
+        ):
+            user_to_name = f"{user_profile_data[UserProfile.user_profile_first_name.name]} {user_profile_data[UserProfile.user_profile_last_name.name]}"
+        elif user_profile_data[UserProfile.user_profile_first_name.name]:
+            user_to_name = user_profile_data[UserProfile.user_profile_first_name.name]
+        elif user_profile_data[UserProfile.user_profile_last_name.name]:
+            user_to_name = user_profile_data[UserProfile.user_profile_last_name.name]
+        else:
+            user_to_name = ""
+
+        mailgun_response = send_email_using_mailgun(
+            from_email="auth@thepmsquare.com",
+            from_name="square_authentication",
+            to_email=user_profile_data[UserProfile.user_profile_email.name],
+            to_name=user_to_name,
+            subject="Password Reset Verification Code",
+            body=f"Your Password Reset verification code is {verification_code}. It will expire in 10 minutes.",
+            api_key=MAIL_GUN_API_KEY,
+            domain_name="thepmsquare.com",
+        )
+        # add log for email sending
+        global_object_square_database_helper.insert_rows_v0(
+            database_name=global_string_database_name,
+            schema_name=email_schema_name,
+            table_name=EmailLog.__tablename__,
+            data=[
+                {
+                    EmailLog.user_id.name: user_id,
+                    EmailLog.recipient_email.name: user_profile_data[
+                        UserProfile.user_profile_email.name
+                    ],
+                    EmailLog.email_type.name: EmailTypeEnum.VERIFY_EMAIL.value,
+                    EmailLog.status.name: EmailStatusEnum.SENT.value,
+                    EmailLog.third_party_message_id.name: mailgun_response.get("id"),
+                }
+            ],
+        )
+        """
+        return value
+        """
+        output_content = get_api_output_in_standard_format(
+            data={
+                "expires_at": expires_at.isoformat(),
+            },
+            message=messages["GENERIC_ACTION_SUCCESSFUL"],
+        )
+        return JSONResponse(
+            status_code=status.HTTP_200_OK,
+            content=output_content,
+        )
+    except HTTPException as http_exception:
+        global_object_square_logger.logger.error(http_exception, exc_info=True)
+        return JSONResponse(
+            status_code=http_exception.status_code, content=http_exception.detail
+        )
+    except Exception as e:
+        """
+        rollback logic
+        """
+        global_object_square_logger.logger.error(e, exc_info=True)
+        output_content = get_api_output_in_standard_format(
+            message=messages["GENERIC_500"],
+            log=str(e),
+        )
+        return JSONResponse(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, content=output_content
+        )