We need to enhance the security of the OTP verification process, particularly around the URL endpoint used for OTP validation. Currently, OTPs are stored in Redis with an expiration, but that alone leaves several risks: a verification link can be forwarded or replayed, an OTP can still be accepted after it should have expired, and the request and validation endpoints can be abused (request flooding, brute-forcing the code).
Tasks:
1. Secure OTP Verification URL Endpoint
Objective: Ensure the OTP verification URL is secure and cannot be exploited after expiration or misuse.
Action:
Make the OTP token embedded in the verification URL valid only for a fixed window (e.g., 10 minutes), enforced server-side; the expiry must not depend on anything the client sends.
When the OTP expires, invalidate the URL automatically (e.g., by letting the Redis key expire) so no further use is possible.
Use signed tokens (e.g., an HMAC over the user id, a random token id and the expiry) or store only a hash of a random token server-side, so the URL cannot be tampered with to change the user or extend the expiry.
Make the URL single-use: reject it once the OTP has expired or has been verified, so a forwarded or replayed link cannot be used a second time.
Acceptance: The verification URL expires after the set time, and attempts to use an expired, already-used or tampered URL are rejected with an "OTP expired" error (the same response for all three cases, so the endpoint does not reveal which check failed).
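One concrete shape for the signed, expiring, single-use URL token described in task 1, written as an added example for this issue rather than code from the project: the token is `base64url(payload).base64url(HMAC-SHA256)`, the payload carries the user id, a random single-use id and an absolute expiry, and verification checks the MAC before trusting any field, then the expiry, then whether the id was already consumed. The `SERVER_KEY` literal, the `consumed` set (standing in for a Redis set of used ids) and the function names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set

# Assumption: in production the signing key is loaded from the secret store and
# rotated; this literal exists only so the example runs.
SERVER_KEY = b"example-only-key-load-the-real-one-from-the-secret-store"
TOKEN_TTL_SECONDS = 10 * 60  # the 10-minute window named in task 1


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def issue_url_token(user_id: str, now: Optional[float] = None) -> str:
    """Build the token placed in the verification URL: base64url(payload).base64url(mac).

    The payload carries the user, a random single-use id ("jti") and an absolute
    expiry; the HMAC covers all three, so none of them can be changed client-side.
    """
    now = time.time() if now is None else now
    payload = json.dumps(
        {"uid": user_id, "jti": secrets.token_urlsafe(16), "exp": int(now) + TOKEN_TTL_SECONDS},
        separators=(",", ":"),
        sort_keys=True,
    ).encode("utf-8")
    return _b64e(payload) + "." + _b64e(_mac(payload))


def verify_url_token(token: str, consumed: Set[str], now: Optional[float] = None) -> Optional[str]:
    """Check a token taken from the URL and mark it consumed.

    Returns the user id on success and None for every failure (bad format, bad
    signature, expired, already used). The endpoint maps None to the single
    "OTP expired" response so the reason is not leaked. `consumed` stands in for
    a Redis set of used token ids (use SET NX with a TTL in production).
    """
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _b64d(payload_b64), _b64d(mac_b64)
    except ValueError:  # no separator, non-ASCII or bad base64 (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(mac, _mac(payload)):  # constant-time check before reading fields
        return None
    claims = json.loads(payload)
    if now >= claims["exp"]:  # server clock decides expiry, not the client
        return None
    if claims["jti"] in consumed:  # replay of an already-verified link
        return None
    consumed.add(claims["jti"])
    return claims["uid"]
```

The `now` parameter is only there so expiry can be exercised deterministically; the endpoint calls these functions without it. Because the token id is random, the consumed-id set is the only state the server needs to make the link single-use, and its entries can carry the same TTL as the token.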
2. Rate-Limiting for OTP Requests
Objective: Prevent abuse of the OTP request endpoint.
Action: Limit OTP requests to 5 per minute per user, with the counter keyed on the user identifier (a second counter keyed on source IP is worth considering for unauthenticated requests).
Acceptance: Return HTTP 429 with a "Too many requests" message if the limit is exceeded.
3. Rate-Limiting for OTP Validation Attempts
Objective: Prevent brute-force attacks on OTP validation.
Action: Limit failed OTP validation attempts to 5 within 10 minutes per user and temporarily lock the user out when the limit is reached; count every failed attempt, including attempts made against an expired or missing OTP.
Acceptance: Lockout after 5 failed attempts, with an appropriate error message; a correct OTP submitted during the lockout is also rejected.
4. Secure OTP Storage
Objective: Prevent exposure of OTPs.
Action: Hash OTPs with a slow, salted hash (e.g., bcrypt) before storing them in Redis, so that a Redis dump or a leaked log does not expose usable codes. Note that a 6-digit code has only one million possible values, so the hash slows an offline attacker but the online limits in tasks 2 and 3 remain the primary defence.
Acceptance: Validate by hashing the submitted code and comparing it against the stored hash with a constant-time comparison (bcrypt's verify function); delete the stored hash on success so the OTP is single-use.
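The request limit, the failure lockout and the hashed storage of tasks 2 to 4 fit together in one small module, shown here as an added example rather than the project's code. The `FakeRedis` class is a constructed in-memory stand-in with a settable clock for the handful of commands used (GET, SETEX, INCR, EXPIRE, DEL); PBKDF2-HMAC-SHA256 from the standard library fills the slow-hash slot so the example runs without extra packages, and bcrypt (the task's suggestion) is a drop-in replacement. Key names, limits and function names are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

OTP_TTL = 600                      # task 1: code lives 10 minutes
REQUEST_LIMIT, REQUEST_WINDOW = 5, 60    # task 2: 5 requests per minute per user
FAIL_LIMIT, FAIL_WINDOW = 5, 600         # task 3: 5 failures in 10 minutes
LOCKOUT_SECONDS = 600
PBKDF2_ITERATIONS = 100_000        # assumption; tune like a bcrypt cost factor


class FakeRedis:
    """Constructed in-memory stand-in for the Redis commands used below."""

    def __init__(self, now: float = 0.0) -> None:
        self.now = now  # advanced by hand in tests instead of waiting
        self._store: Dict[str, Tuple[str, Optional[float]]] = {}

    def _live(self, key: str) -> Optional[Tuple[str, Optional[float]]]:
        item = self._store.get(key)
        if item is not None and item[1] is not None and self.now >= item[1]:
            del self._store[key]  # lazy expiry, as Redis would have done
            return None
        return item

    def get(self, key: str) -> Optional[str]:
        item = self._live(key)
        return None if item is None else item[0]

    def setex(self, key: str, ttl: int, value: str) -> None:
        self._store[key] = (value, self.now + ttl)

    def incr(self, key: str) -> int:
        item = self._live(key)
        value = 1 if item is None else int(item[0]) + 1
        self._store[key] = (str(value), None if item is None else item[1])
        return value

    def expire(self, key: str, ttl: int) -> None:
        item = self._live(key)
        if item is not None:
            self._store[key] = (item[0], self.now + ttl)

    def delete(self, key: str) -> None:
        self._store.pop(key, None)


def _hash_otp(code: str, salt: bytes) -> bytes:
    # Per-OTP random salt: a leaked Redis dump cannot be matched against a
    # precomputed table of the one million possible 6-digit codes.
    return hashlib.pbkdf2_hmac("sha256", code.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def request_otp(r: FakeRedis, user_id: str) -> Optional[str]:
    """Tasks 2 and 4: rate-limit the request, then store only a salted hash.

    Returns the plaintext code for out-of-band delivery, or None when the
    per-user limit is hit (the endpoint answers 429 "Too many requests").
    """
    count = r.incr(f"otp:req:{user_id}")
    if count == 1:
        r.expire(f"otp:req:{user_id}", REQUEST_WINDOW)  # real Redis: INCR+EXPIRE in one MULTI/Lua step
    if count > REQUEST_LIMIT:
        return None
    code = f"{secrets.randbelow(10 ** 6):06d}"
    salt = secrets.token_bytes(16)
    r.setex(f"otp:hash:{user_id}", OTP_TTL, salt.hex() + ":" + _hash_otp(code, salt).hex())
    return code


def verify_otp(r: FakeRedis, user_id: str, submitted: str) -> str:
    """Tasks 3 and 4: returns "ok", "invalid" (wrong, expired or used) or "locked"."""
    if r.get(f"otp:lock:{user_id}") is not None:
        return "locked"  # even a correct code is refused during the lockout
    stored = r.get(f"otp:hash:{user_id}")
    if stored is not None:
        salt_hex, hash_hex = stored.split(":", 1)
        candidate = _hash_otp(submitted, bytes.fromhex(salt_hex))
        if hmac.compare_digest(candidate, bytes.fromhex(hash_hex)):
            r.delete(f"otp:hash:{user_id}")  # single use
            r.delete(f"otp:fail:{user_id}")
            return "ok"
    failures = r.incr(f"otp:fail:{user_id}")  # expired/missing OTP counts as a failure too
    if failures == 1:
        r.expire(f"otp:fail:{user_id}", FAIL_WINDOW)
    if failures >= FAIL_LIMIT:
        r.setex(f"otp:lock:{user_id}", LOCKOUT_SECONDS, "1")
        r.delete(f"otp:hash:{user_id}")  # a fresh OTP must be requested after the lockout
        return "locked"
    return "invalid"
```

Two points carry over to the real Redis client: INCR followed by EXPIRE is two round trips, so wrap them in a MULTI block or a Lua script, otherwise a crash between them leaves a counter without a TTL; and the lockout key deliberately outlives the OTP, so the error message for "locked" can tell the user when to try again without revealing whether the last code was close.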
5. UX Enhancements for OTP Expiry and Retries
Objective: Improve UX for OTP expiry and retries.
Action: Display a countdown timer showing the remaining validity of the OTP, and offer an easy re-request (subject to the request rate limit in task 2) when the OTP has expired or failed validation.
Anything else?
No response
Are you willing to submit PR?
Yes