atgitdeepak

Need Help,Issue In OTP Login

Hello to all,
Actually, I am trying to make an OTP (One Time Password) based login page in my react-native app, but I am confused about how to do this with proper authentication.

The process that I am thinking about right now:

  1. Enter the mobile number in the app and hit the submit button. This will send the number to the backend, which will save it in the database (via open API (a), no protection).
  2. The backend will then use a 3rd-party API (b) to create an OTP and send it to the customer, as the response to API (a).
  3. The customer will enter the received OTP and hit the login button. This will again go to the backend; this time I will create a JWT-based token which will be sent to the customer. [API used to create the token: (c), no protection]
  4. Now this token will be stored somewhere in the app and will be appended to each and every request that the customer makes.

Now the confusing part:
API (a) is open, so anyone can access it, and anyone can hit the OTP API (b) via my API (a).
API (c) is again open, which means anybody can hit it by submitting the OTP received via API (a), and hence can receive the token.
This way anybody can hit every API in my app, which is not healthy.
I am not able to come up with a better and solid approach.

How do I resolve this issue? Kindly help.

Top comments (2)

sateeshpandey

Point (a):
Ideally the OTP API has to be open so that anyone can log in; nothing can be done here.

Point (b): It can be optimized to a certain extent if the OTP has a short TTL (store the OTP in the server cache instead of the DB, which gives faster verification, an easy TTL setup and no extra script to delete those OTPs later).

Point (c):
Ideally every application has the same approach (if you have the token, all possible APIs can be accessed).
But in case extra security is required, one can disable cross site resource sharing and only allow access through our own app (by modifying the entry in the host file of the server).

atgitdeepak

Thanks for answering @sateeshpandey, but I could not understand Point (c), i.e. how can I disable the cross site resource sharing?
The last part was a little tough; could you please elaborate?