OTP microservice

About OTP

One-time password (OTP) systems provide a mechanism for logging on to a network or service using a unique password that can only be used once.

Since a one-time password is valid for only a single use, it is not as vulnerable as a static password and cannot be reused a second time by anyone, including unauthorized persons, which avoids the threat of PIN code theft.

Problem with conventional OTP services:

In a conventional OTP service, the OTP is stored in a database along with the email address or phone number it was issued for. If that database is compromised, the security of every application the OTP service serves is at risk, because the attacker could easily insert an OTP entry against any email or phone number in the database. The attacker also gains the list of many users’ emails and phone numbers, putting those users at risk.

Solution

To solve this problem, the OTP can be stored in the database without the email or phone number. We only need to store the OTP, its expiration time and a boolean field marking the OTP as verified or used. This makes verification stateless: when an OTP is requested, the service returns a unique, encrypted verification key to the caller and sends the OTP directly to the recipient. To verify, the request body carries the OTP and the verification key; the key is decrypted, and if it verifies the OTP the service returns success; otherwise, if either the OTP or the verification key has been altered, the service returns an error in the response. This makes the service secure and scalable.

Let’s Begin

Let’s first initialize the Node project using npm init.

The final folder structure will look like this:

├───.env
├───.gitignore
├───app.js
├───package-lock.json
├───package.json
├───sequelize.js
├───middlewares
│    └───crypt.js
├───models
│    └───OTP.js
├───routes
│    ├───sendOTP_to_email.js
│    ├───sendOTP_to_phone.js
│    └───verifyOTP.js
└───templates
     ├───email
     │    ├───forget.js
     │    └───verification.js
     └───sms
          ├───forget.js
          └───verification.js


How to Make A Scalable OTP Service