Discard session token after n failed attempts

CuriousLearner / django-phone-verify

A Django app to support phone number verification using security code / One-Time-Password (OTP) sent via SMS.

https://www.sanyamkhurana.com/django-phone-verify/

GNU General Public License v3.0

261 stars 61 forks source link

Discard session token after n failed attempts #100

Open ejain opened 6 months ago

ejain commented 6 months ago

Should have some protection against brute-forcing security codes, especially since TOKEN_LENGTH can be set to a low value like 4...

CuriousLearner commented 1 month ago

Thanks for the suggestion.

I would suggest a setting that controls the MIN_TOKEN_LENGTH. We may have another setting to discard the token after n failed attempts where n can be configured through another setting. If you'd like to work on this and raise a PR, I'll be happy to merge it.