ЕСОЗ - public documentation
OTP timeout procedure
Purpose
This procedure defines the timeout/delay logic for the generate/send OTP step of the 2FA flow. It blocks the process when a fraudulent user clicks the "resend OTP" button repeatedly (over and over again), which also cuts the cost of sending SMS.
This procedure is used at several entry points/cases of the 2FA flow:
- Case `CREATE_2FA_TOKEN` (grant_type = "password")
- Case `RESEND_OTP` (grant_type = "refresh_2fa_access_token")
- Init User Factor
Logic
- Use the array `users.priv_settings.login_hstr[]`, taking only items with `login_hstr.type` = `otp`
- Sort the array DESC by `time`
- Count the items in the array whose `time` falls in the period from `now() - OTP_SEND_TIMEOUT` to `now()`
- If count() >= OTP_SEND_COUNTER_MAX
  - return a 429 error with message "Sending OTP timeout. Try later." and type "otp_timeout"
  - do NOT create or send the OTP
- Else
  - create and send the OTP, and store the event as an item in `login_hstr[]`
Importantly: always delete "old" items (those with `time` < `now() - OTP_SEND_TIMEOUT`), so the array does not grow without bound.
Store the OTP sending event in the array `users.priv_settings.login_hstr[]` as an object, for example:
{"time": "2017-12-22T10:26:44.255687", "type": "otp", "is_success": true}
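The following Python sketch is an added example of the procedure above; it is not the ЕСОЗ implementation. It operates on a user record shaped like `users.priv_settings.login_hstr[]`, prunes stale `otp` items first, counts the remaining ones inside the `OTP_SEND_TIMEOUT` window and either sends the OTP and appends the event or returns the 429 response. The concrete values of `OTP_SEND_TIMEOUT` and `OTP_SEND_COUNTER_MAX`, the `send_otp` callback and the sample history in `demo()` are assumptions for the example; the page does not give them. Note that because the history lives on the user record, the limit applies to the user as a whole, across every client that asks for a resend.

```python
from datetime import datetime, timedelta

# Names come from the page; the numeric values are assumed for this example.
OTP_SEND_TIMEOUT = timedelta(minutes=5)
OTP_SEND_COUNTER_MAX = 3


def parse_time(value: str) -> datetime:
    """Parse the ISO-8601 timestamps stored in login_hstr[] items."""
    return datetime.fromisoformat(value)


def prune_old_otp_events(login_hstr: list, now: datetime) -> list:
    """Drop otp items with time < now - OTP_SEND_TIMEOUT.

    Items of other types (e.g. plain logins) are left untouched. The result
    is sorted DESC by time, as the procedure describes.
    """
    cutoff = now - OTP_SEND_TIMEOUT
    kept = [
        item for item in login_hstr
        if item.get("type") != "otp" or parse_time(item["time"]) >= cutoff
    ]
    kept.sort(key=lambda item: parse_time(item["time"]), reverse=True)
    return kept


def count_recent_otp_sends(login_hstr: list, now: datetime) -> int:
    """Count otp items whose time lies in [now - OTP_SEND_TIMEOUT, now]."""
    cutoff = now - OTP_SEND_TIMEOUT
    return sum(
        1 for item in login_hstr
        if item.get("type") == "otp" and cutoff <= parse_time(item["time"]) <= now
    )


def try_send_otp(user: dict, now: datetime, send_otp) -> tuple:
    """Apply the OTP timeout procedure to one user record.

    send_otp(user) is an assumed callback that generates and delivers the OTP
    and returns True on success. Returns (http_status, body). When throttled,
    nothing is generated or sent and no new item is stored.
    """
    settings = user.setdefault("priv_settings", {})
    hstr = prune_old_otp_events(settings.get("login_hstr", []), now)
    settings["login_hstr"] = hstr  # always persist the pruned array

    if count_recent_otp_sends(hstr, now) >= OTP_SEND_COUNTER_MAX:
        body = {"error": {"type": "otp_timeout",
                          "message": "Sending OTP timeout. Try later."}}
        return 429, body

    ok = bool(send_otp(user))
    hstr.insert(0, {"time": now.isoformat(), "type": "otp", "is_success": ok})
    return 200, {"otp_sent": ok}


def demo() -> tuple:
    """Constructed sample: two recent sends, one stale send, one unrelated login event."""
    now = datetime(2017, 12, 22, 10, 30, 0)
    user = {"priv_settings": {"login_hstr": [
        {"time": "2017-12-22T10:28:00", "type": "otp", "is_success": True},
        {"time": "2017-12-22T10:00:00", "type": "otp", "is_success": True},     # stale: pruned
        {"time": "2017-12-22T10:26:44.255687", "type": "otp", "is_success": True},
        {"time": "2017-12-22T09:00:00", "type": "login", "is_success": False},  # other type: kept
    ]}}
    sent = []

    def fake_sender(u):
        sent.append(u)
        return True

    first = try_send_otp(user, now, fake_sender)                           # 3rd send in window: allowed
    second = try_send_otp(user, now + timedelta(seconds=10), fake_sender)  # 4th: throttled with 429
    return first, second, len(sent), user["priv_settings"]["login_hstr"]


if __name__ == "__main__":
    print(demo())
```

The pruning runs before the counting on every call, so a user who keeps pressing "resend" never accumulates more than `OTP_SEND_COUNTER_MAX` live `otp` items plus whatever other event types the array holds.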