
Problem statement:

As a Sunbird system it should have the capability to generate and validate the generated OTP. As per the current requirement, an OTP can be generated for a mobile number or an email address.

Proposed Solution 1:

Sunbird will expose a new end point to generate an OTP. This end point will have the following checks.

Generate OTP
Api details:
URI : v1/otp/generate
Method: POST
header: api key
request body:
{
  "request": {
    "key": "either email/phone"
  }
}

Response:
    Success or failure. (In case of success, the user will get the OTP either on email or phone.)


-- This API will have the following validations:

1. The key value should be either a valid email format or a phone number.
2. The requested phone/email should not be present in the user database. If it is present in the user DB then throw an error.
3. If the requested phone/email is already in the opt_authenticate table, the OTP is not expired yet and the attempt count is less than the threshold value, then send the same OTP.
4. If the OTP is requested for the first time then generate an OTP, store it into the DB and send it to the user over a valid channel. A valid channel can be email or SMS.
5. If the user requested an OTP, the OTP is expired and the attempt count is less than the threshold value, then generate a new OTP and update all the attributes.
6. If the user requested an OTP and either the OTP is expired and the attempt count is greater than or equal to the threshold value, or the OTP is not expired but the attempt count is more than the threshold, then throw an error and put this data into an in-memory cache for a particular time, so that the next time the check is done in the cache itself: if the phone/email is found there then throw an error.
7. The API gateway will have IP based throttling for this API, so that the same IP can't continuously hit it.
8. In self-signup we can have Captcha integration, to stop robots from creating users.
9. API gateway key retention policy.
 
-- OTP generation will have the following settings:
1. Number of digits (the minimum and maximum number will be predefined; the user can set any value from min to max as a predefined env variable. This setting will be applicable per installation). If the user does not set any value then the system will pick the default one; if the user sets an incorrect range then it will also pick the default value.
2. The user can configure whether to generate only digits or alphanumeric as another env variable; by default it will generate digits only.
3. OTP generation/verification enable/disable env settings: if for some reason the SMS service is blocked or there is some other issue, then we can use this setting to disable this call from the API as well as from the portal/app.

Table structure to store OTP:

Key            data type                 purpose
id             text (primary key)
phoneOrEmail   text (encrypted in DB)    source against which the OTP is generated
OTP            text                      generated OTP
createdOn      timestamp                 at which time it was generated
lastUsedOn     timestamp                 when it was last used
retryCount     int                       how many times the user has already retried it
isLocked       boolean                   if the retry count exceeds the limit then isLocked is true
lockedOn       timestamp                 when it was locked
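The generate flow above (validations 1 to 6, the length and charset settings, and the table columns) as an added Python example; this is not Sunbird's own code, and the setting names, the TTL/threshold/lock-time values, the regexes and the in-memory dict standing in for the table and the cache are assumptions. The retry threshold is applied uniformly as "greater than or equal" for both expired and unexpired OTPs.

```python
import re
import secrets
import string
from dataclasses import dataclass

# Per-installation settings; the names are assumed, the page only says they are env variables.
OTP_MIN_LEN, OTP_MAX_LEN, OTP_DEFAULT_LEN = 4, 8, 6
OTP_TTL_SECONDS, OTP_RETRY_THRESHOLD, OTP_LOCK_SECONDS = 300, 3, 900  # validity, attempts, lock time
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?\d{10,15}$")

def otp_length(configured):
    """Setting 1: honour the configured length only inside [min, max], otherwise use the default."""
    return configured if OTP_MIN_LEN <= configured <= OTP_MAX_LEN else OTP_DEFAULT_LEN

def generate_otp(length=OTP_DEFAULT_LEN, alphanumeric=False):
    """Setting 2: CSPRNG-backed OTP, digits only unless alphanumeric is enabled."""
    alphabet = string.ascii_uppercase + string.digits if alphanumeric else string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

@dataclass
class OtpRow:
    """One row of the opt_authenticate table from the page (id and DB encryption omitted)."""
    phone_or_email: str
    otp: str
    created_on: float
    last_used_on: float
    retry_count: int = 0
    is_locked: bool = False
    locked_on: float = 0.0

def request_otp(key, table, registered_users, now, rng=generate_otp):
    """Validations 1-6 of the generate endpoint; returns the OTP to send or raises ValueError."""
    if not (EMAIL_RE.match(key) or PHONE_RE.match(key)):
        raise ValueError("key must be a valid email or phone number")       # validation 1
    if key in registered_users:
        raise ValueError("phone/email already registered")                   # validation 2
    row = table.get(key)
    if row is not None and row.is_locked and now - row.locked_on < OTP_LOCK_SECONDS:
        raise ValueError("key is temporarily locked")                        # validation 6, cached lock
    if row is None or row.is_locked:                                         # validation 4 (or lock expired)
        row = table[key] = OtpRow(key, rng(), now, now)
        return row.otp
    if row.retry_count >= OTP_RETRY_THRESHOLD:                               # validation 6: lock the key
        row.is_locked, row.locked_on = True, now
        raise ValueError("retry threshold exceeded; key locked")
    row.retry_count, row.last_used_on = row.retry_count + 1, now
    if now - row.created_on > OTP_TTL_SECONDS:                               # validation 5: expired, regenerate
        row.otp, row.created_on = rng(), now
    return row.otp                                                           # validation 3: resend same OTP
```

The `rng` parameter exists only so the flow can be exercised with fixed values; in service code the default CSPRNG generator is used.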