Problem statement:
The Sunbird system should be able to generate and validate OTPs. As per the current requirement, an OTP can be generated for a mobile number or an email address.
Proposed Solution 1:
Sunbird will expose a new endpoint to generate an OTP. This endpoint will have the following checks.
Generate OTP
Api details:
URI: v1/otp/generate
Method: POST
Header: api key
Request body:
{ "request": { "key": "either email/phone" } }
Response: success or failure (in case of success, the user will get the OTP either on email or phone)
-- This api will have the following validations:
1. The key value should be either a valid email format or a phone number.
2. The requested phone/email should not be present in the user database. If it is present in the user DB then throw an error.
3. If the requested phone/email is already in the opt_authenticate table, the OTP is not expired yet and the attempt count is less than the set threshold, then send the same OTP.
4. If the OTP is requested for the first time then generate an OTP, store it in the DB and send it to the user through a valid channel. A valid channel can be email or SMS.
5. If the user requested an OTP, the OTP is expired and the attempt count is less than the threshold value, then generate a new OTP and update all the attributes.
6. If the user requested an OTP and the OTP is expired and the attempt count is greater than or equal to the threshold value, or the OTP is not expired but the attempt count is more than the threshold, then throw an error and put this data into the in-memory cache for a particular time, so that next time the check happens in the cache itself: if the phone/email is found there then throw an error.
7. The API gateway will have IP-based throttling for this API, so that the same IP can't continuously hit it.
8. In self-signup we can have Captcha integration, to stop robots from creating users.
9. API gateway key retention policy.
-- OTP generation will have the following settings:
1. Number of digits: the minimum and maximum will be predefined, and the user can set any value from min to max as a predefined env variable (this setting is applicable per installation). If the user does not set any value then the system will pick the default one, and if the user sets an incorrect range it will also pick the default set value.
2. The user can configure it to generate only digits or alphanumeric values through another env variable; by default it will generate digits only.
3. OTP generation/verification enable/disable env setting: if for some reason the SMS service is blocked or there are other issues, we can use this to disable this call from the API as well as from both the portal and the app.
Table structure to store the OTP:
Key | Data type | Purpose |
---|---|---|
id | text (primary key) | |
phoneOrEmail | text (encrypted in DB) | source against which the OTP is generated |
OTP | text | generated OTP |
createdOn | timestamp | time at which it was generated |
lastUsedOn | timestamp | when it was last used |
retryCount | int | how many times the user has already retried it |
isLocked | boolean | true if the retry count exceeds the limit |
lockedOn | timestamp | when it was locked |
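The following is an added example, not Sunbird's own code, that models validations 3-6 and generation settings 1-2 against a record shaped like the table above. The env variable name OTP_LENGTH, the 4-8 length bounds with default 6, the 5-minute expiry and the retry threshold of 3 are all assumed values chosen for illustration.

```python
import os
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MIN_LEN, MAX_LEN, DEFAULT_LEN = 4, 8, 6   # assumed predefined bounds and default

def otp_length(env=os.environ) -> int:
    """Setting 1: OTP_LENGTH (assumed env name); missing, unparsable or out-of-range -> default."""
    try:
        n = int(env.get("OTP_LENGTH", ""))
    except ValueError:
        return DEFAULT_LEN
    return n if MIN_LEN <= n <= MAX_LEN else DEFAULT_LEN

def generate_otp(length: int, alphanumeric: bool = False) -> str:
    """Setting 2: digits only unless alphanumeric is requested; uses a CSPRNG."""
    alphabet = string.digits + (string.ascii_uppercase if alphanumeric else "")
    return "".join(secrets.choice(alphabet) for _ in range(length))

@dataclass
class OtpRecord:                 # one row of the OTP table described on the page
    phone_or_email: str          # stored encrypted in the real DB
    otp: str
    created_on: datetime
    last_used_on: datetime
    retry_count: int = 0
    is_locked: bool = False
    locked_on: Optional[datetime] = None

def handle_request(key, rec, now, ttl=timedelta(minutes=5), threshold=3, length=DEFAULT_LEN):
    """Validations 3-6: returns (action, record). ttl and threshold values are assumed."""
    if rec is None:                                        # rule 4: first request
        return "send_new", OtpRecord(key, generate_otp(length), now, now)
    if rec.is_locked or rec.retry_count >= threshold:      # rule 6: lock and reject
        rec.is_locked, rec.locked_on = True, rec.locked_on or now
        return "reject", rec                               # caller also caches the key
    rec.last_used_on = now
    if now - rec.created_on < ttl:                         # rule 3: still valid, resend
        rec.retry_count += 1
        return "resend_same", rec
    rec.otp, rec.created_on = generate_otp(length), now    # rule 5: expired, fresh OTP
    rec.retry_count = 1                                    # assumption: count restarts
    return "send_new", rec
```

The "reject" action is where the real service would also write the key into the in-memory cache for the configured time, so later requests are refused before the database is consulted.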