Problem
The update operation on the number of attempts for each OTP is subject to race conditions, which causes the value to be overwritten when many requests are made simultaneously.
Solution
Breaking Changes
[ ] Yes - this PR contains breaking changes
[x] No - this PR is backwards compatible with ALL of the following feature flags in this doc
Bug Fixes:
Use sequelize's increment operation instead of update, which is done on the database itself and does not run into concurrency issues.
Use transactions to lock the row from further updates.
Tests
[ ] Use the script provided in the VAPT report on pages 17 and 18
[ ] Adjust the URL to point to your test instance
[ ] Adjust the email address to be one that is valid (i.e. your own account) and attempt to log in (without keying in the correct OTP)
[ ] Run the script and verify that you hit the max attempts after 5 tries
Deploy Notes
None