I'm planning to set up my own OTP service for my website because I'm tired of paying for email sending services. I'm curious about how to effectively manage the backend for this. Should I store the OTPs in a database as hashed values? Once a user inputs their OTP, would I compare the hash to proceed? Is there a more efficient method to implement this that I may be overlooking?
5 Answers
A solid approach is to only generate the OTP when necessary, like for email or phone verifications. Here's a simple flow: generate a random OTP, store its hashed version alongside the user's identifier and an expiration time (e.g., 5 minutes). Send the plain OTP to the user. When they input it, check if it's valid and not expired by comparing the hashes. Don't forget to invalidate it after use! You could even automate cleanup for expired OTPs using cron jobs or Redis for better efficiency.
Honestly, if you're not careful with how you manage your email sending domain, creating an OTP service could lead to more problems than it solves. I'd focus on that aspect first if you pursue this direction.
Rolling your own OTP service might not be the best route to take. It's often easier to use established solutions since they handle a lot of the security and reliability aspects for you. But if you really want to learn, it can be a valuable experience!
That makes sense. I've set up link verification before, so I'm thinking an OTP service could be a fun challenge!
Yeah, I'd love to learn more on this too!
Have you considered using services like AWS Cognito? It could end up being cheaper and save you a ton of development headaches later.
I use a link verification system instead of OTPs. Essentially, I generate a unique hash for each user and email them a link containing that hash. When they click on the link, it verifies against what's stored on the server. If they need to resend, it clears the old hash and creates a new one. I can share more details if you're interested; I'm just busy at work right now!
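The hashed-OTP flow from the earlier answer (generate, store a hash with an expiry, compare on entry, invalidate after use) and the link-token flow in this answer (resend replaces the old token) are the same mechanism with a different secret length. The following is an added example, not code from any poster; it assumes an in-memory dict as the store, a hypothetical server-side pepper, and a `now` parameter for testing instead of a real clock. The pepper matters: a 6-digit code hashed with a plain SHA-256 can be recovered from a leaked table by trying all one million candidates, whereas an HMAC keyed with a secret the database does not hold cannot.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical server-side pepper; in a real deployment load it from an
# environment variable or secrets manager, never from the same database
# that holds the digests. This value is constructed for the example only.
PEPPER = b"constructed-pepper-for-example-only"

TTL_SECONDS = 5 * 60   # expiry suggested in the thread (5 minutes)
MAX_ATTEMPTS = 5       # wrong guesses allowed before the secret is discarded


@dataclass
class Challenge:
    digest: bytes      # HMAC-SHA256 of the secret, never the secret itself
    expires_at: float  # absolute Unix time after which the secret is dead
    attempts: int = 0  # verification attempts so far


# Store keyed by (purpose, user identifier). A database row or a Redis key
# with a TTL plays the same role in production.
_store: dict[tuple[str, str], Challenge] = {}


def _digest(secret: str) -> bytes:
    """Keyed hash so a leaked table cannot be brute-forced offline."""
    return hmac.new(PEPPER, secret.encode(), hashlib.sha256).digest()


def issue(purpose: str, user_id: str, *, kind: str = "otp",
          now: float | None = None) -> str:
    """Create a fresh secret, store only its keyed hash, and return the
    plaintext to send to the user. Issuing again replaces any earlier secret,
    which is the 'resend clears the old one' behaviour."""
    now = time.time() if now is None else now
    if kind == "otp":
        secret = f"{secrets.randbelow(10**6):06d}"  # 6 digits for manual entry
    elif kind == "link":
        secret = secrets.token_urlsafe(32)          # long token for an emailed link
    else:
        raise ValueError("kind must be 'otp' or 'link'")
    _store[(purpose, user_id)] = Challenge(_digest(secret), now + TTL_SECONDS)
    return secret


def verify(purpose: str, user_id: str, submitted: str, *,
           now: float | None = None) -> bool:
    """Accept the secret at most once, only before expiry, and only within the
    attempt budget. Comparison is constant-time."""
    now = time.time() if now is None else now
    key = (purpose, user_id)
    challenge = _store.get(key)
    if challenge is None:
        return False
    if now > challenge.expires_at:
        _store.pop(key, None)          # expired: discard and refuse
        return False
    challenge.attempts += 1
    if challenge.attempts > MAX_ATTEMPTS:
        _store.pop(key, None)          # too many guesses: discard and refuse
        return False
    if not hmac.compare_digest(challenge.digest, _digest(submitted)):
        return False
    _store.pop(key, None)              # success: single use, invalidate now
    return True


def purge_expired(now: float | None = None) -> int:
    """Housekeeping the thread mentions (cron job or Redis TTL); returns the
    number of entries removed."""
    now = time.time() if now is None else now
    dead = [k for k, c in _store.items() if now > c.expires_at]
    for k in dead:
        del _store[k]
    return len(dead)


if __name__ == "__main__":
    code = issue("email-verify", "user@example.com")
    print("send this code to the user:", code)
    print("first check:", verify("email-verify", "user@example.com", code))
    print("second check (already used):", verify("email-verify", "user@example.com", code))
```

The `purpose` component of the key keeps an OTP issued for a login from being replayed against, say, an email-change flow. Per-user attempt limiting covers online guessing; the pepper covers offline guessing against a leaked table; expiry and single use bound the window in either case.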
That sounds interesting! How are you storing the hashes—do you keep them in a database?

If I'm just sending OTPs, do you think the domain reputation will be less of an issue?