theanam / otp-without-db Goto Github PK

At first I really liked the idea of using cryptography instead of storing OTP attemps in DB, but how to protect from buteforce attacks?
Usually I'd expect any OTP attempt to be invalidated after let's say 5 tries.

But if we're not using any DB we can't do that, and let's say you run 20 API instances, and that the attacker is using a VPN that allows him to use 10k IPs. Consdering your only lever is to limit the request rate on any endpoint to let's say 1/s, the attacker can make up to 200k tries per second. Isn't that a lot?

Hi, thanks for the package, i want to avoid user generate otp repeated in short time.

Let say same phone number, can only generate new otp after x minutes/seconds from previous generated, i know i can store related record to session or db, but i think it can embed into the hash. And add a new function to check if allow to generate new otp for this phone number base on x minutes/seconds. btw, no limit if this value have not set for sure.

A user can ask for otp multiple times, and reverse engineer your secret key, because he has all the elements of the hash, the phone number, the otp, and the expiry timestamp appended to the hash.

Adding a salt when hashing would make the process much more secure.

https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/