Implement a max_attempts check (e.g., 5) for OTP recovery verification to prevent brute-force attacks.
Context
OTP-based recovery is vulnerable to brute-force if not rate-limited. Implementing an attempt counter ensures that an attacker cannot guess the code before the session is locked.
Implementation Guidelines
Key Files: src/server/services/otp.service.ts, src/server/db/schema.ts.
- Ensure the
email_verifications table has an attempts column (existing in schema.ts).
- In the verification logic, increment
attempts on every failure.
- If
attempts >= 5, mark the OTP as invalid or throw a TooManyRequestsError.
Expectations
What done looks like: After 5 incorrect OTP entries, the user is blocked from further attempts for that verification session.
Discord for any question: codeze_us
Implement a
max_attemptscheck (e.g., 5) for OTP recovery verification to prevent brute-force attacks.Context
OTP-based recovery is vulnerable to brute-force if not rate-limited. Implementing an attempt counter ensures that an attacker cannot guess the code before the session is locked.
Implementation Guidelines
Key Files:
src/server/services/otp.service.ts,src/server/db/schema.ts.email_verificationstable has anattemptscolumn (existing inschema.ts).attemptson every failure.attempts >= 5, mark the OTP as invalid or throw aTooManyRequestsError.Expectations
What done looks like: After 5 incorrect OTP entries, the user is blocked from further attempts for that verification session.
Discord for any question: codeze_us