theanam / otp-without-db
database-less OTP verification using cryptography
Home Page: http://npm.im/otp-without-db
At first I really liked the idea of using cryptography instead of storing OTP attempts in a DB, but how do you protect against brute-force attacks?
Usually I'd expect any OTP attempt to be invalidated after, let's say, 5 tries.
But if we're not using any DB we can't do that, and let's say you run 20 API instances, and that the attacker is using a VPN that allows him to use 10k IPs. Considering your only lever is to limit the request rate on any endpoint to, let's say, 1/s, the attacker can make up to 200k tries per second. Isn't that a lot?
Hi, thanks for the package. I want to avoid a user generating OTPs repeatedly in a short time.
Let's say the same phone number can only generate a new OTP x minutes/seconds after the previous one was generated. I know I can store a related record in a session or DB, but I think it can be embedded into the hash, and a new function added to check whether generating a new OTP for this phone number is allowed based on x minutes/seconds. Btw, no limit if this value has not been set, for sure.
A user can ask for an OTP multiple times and reverse engineer your secret key, because he has all the elements of the hash: the phone number, the OTP, and the expiry timestamp appended to the hash.
Adding a salt when hashing would make the process much more secure.
https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/