Node.js
DeniSidorenko, 2021-01-25 11:34:31

How does SMS authorization work in Node.js?

I made a simple authorization and registration on MERN (Node.js + React).
Now I have an idea to make a simple registration and authorization by SMS only (users can add information about themselves, e-mail, in their personal account).

The idea is to make registration with only one field via SMS.

The user enters his phone number, and a 6-digit code is generated on the backend and sent to the number via the SMS service API. In the browser (on the front end) a form appears for entering these 6 characters, and the browser also expects that a code will be entered for this session. For security, I think it's worth running it through bcrypt, and when the user enters the code, checking it with bcrypt.compare to see if the code is valid.
The only question is about the session. I can't figure out how to make sure that the check happens within one session, and not another. Or maybe my logic is not correct at all and it is worth doing the authorization differently?

1 answer(s)
Maxim Antsiferov, 2021-01-25
@DeniSidorenko

When the phone number is sent to the backend, you can create a database record of the form

{
  "id": "uuid",
  "challenge": "random string",
  "otp": "six-digit code", // it is pointless to use bcrypt for the otp, because this code is one-time and has a short lifetime
  "expires_in": timestamp
}

After sending the otp to the user and writing the challenge in a cookie
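
The record from the answer above, tied to one browser session through the challenge cookie, as an added example that is not part of the original answer. The in-memory Map standing in for the database, the function names `startLogin` and `verifyLogin`, the 5-minute lifetime, the attempt limit and the verification step itself (looking the record up by the cookie's challenge) are assumptions, since the answer's text stops before describing verification.

```javascript
const { randomInt, randomUUID, randomBytes, timingSafeEqual } = require("node:crypto");

const OTP_TTL_MS = 5 * 60 * 1000; // assumed lifetime of a code
const MAX_ATTEMPTS = 5;           // assumed guess limit: a 6-digit code has only 10^6 values
const records = new Map();        // stand-in for the database table, keyed by challenge

// Step 1: the phone number arrives. Build the record described in the answer.
// The caller sends record.otp to the SMS API and sets record.challenge as a
// cookie (HttpOnly, Secure, SameSite) so only this browser session holds it.
function startLogin(phone, now = Date.now()) {
  const record = {
    id: randomUUID(),
    challenge: randomBytes(32).toString("hex"),          // unguessable session binding
    otp: String(randomInt(0, 1000000)).padStart(6, "0"), // CSPRNG, not Math.random
    expires_in: now + OTP_TTL_MS,
    phone,
    attempts: 0,
  };
  records.set(record.challenge, record);
  return record;
}

// Step 2: the browser posts the code; the challenge is read from its cookie.
// A code is only ever checked against the record of the session that requested it.
function verifyLogin(challengeFromCookie, submittedOtp, now = Date.now()) {
  const record = records.get(challengeFromCookie);
  if (!record) return { ok: false, reason: "unknown_challenge" };
  if (now > record.expires_in) {
    records.delete(record.challenge);
    return { ok: false, reason: "expired" };
  }
  if (++record.attempts > MAX_ATTEMPTS) {
    records.delete(record.challenge); // force a new SMS instead of more guesses
    return { ok: false, reason: "too_many_attempts" };
  }
  const given = Buffer.from(String(submittedOtp));
  const expected = Buffer.from(record.otp);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: "wrong_code" };
  }
  records.delete(record.challenge); // one-time: a correct code cannot be replayed
  return { ok: true, phone: record.phone };
}
```
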
