Overview
We need to restrict number of OTP message generated for particular e-mail or mobile.
Purpose is simply to avoid misuse through
Approach 1
Create one table, otp_throttling with columns (type, userkey, count)
Each time generate OTP is called:
- Check if user exists → throw exception - user already exists with Mobile/Email.
- Check if there is an entry with same type, userkey in the table
- if no entry, then add entry with TTL as per configuration.
- if entry is found then, check if threshold is already reached.
- if threshold is reached → Generate error with message, that user has reached max OTP generation, and is blocked for 24 hours.
- If threshold is not reached → increment the counter as well as ttl, and proceed to OTP generation.
Pros:
- Easy to implement and clean solution, as both data are for seperate purpose
- We can use ttl at table level for both tables, and row will get deleted automatically.
Cons:
- Additional data storage.
Approach 2
It is same as approach 1, except existing OTP table should be used.
Pros:
- No additional table will be required
Cons:
- Both data will be stored in same table.
- Need to use TTL at column level
Open Questions
- 5 OTP in 24 hours limit is from first generation of otp or from last usage. i.e. say first generation was done at 09:00 AM → till 09:00 AM next morning - user cannot generate more than 5 OTP, or each time OTP is generated we update the timestamp, say 5th otp was generated at 05:00PM - then user cannot generate OTP till 05:00 PM next day.