I'm trying to figure out the best way to temporarily store user data such as username, email, hashed password, and OTP until the user verifies their OTP. Currently, I'm using tokens with timestamps in an SQL table and returning these as 5-minute cookies. However, I find that I need to clean the database every minute to remove records older than 5 minutes, which seems inefficient. I've heard some suggestions about storing this data as encrypted cookies on the frontend instead, using JWT, but I'm not familiar with that method. I always thought it was a bad idea to keep data like this on the frontend. I'm looking for an easier solution without the hassle of constant database cleanup. Any advice?
5 Answers
Why not just create the user and set a verification flag after they confirm? You could also put a 5-minute expiry on the token for verification. Running a scheduled job to clear out old unverified accounts every hour is not that taxing on the system—keep it simple!
You might want to look into using a caching solution like Redis. It automatically cleans up expired entries based on the time-to-live you set. That could simplify things for you!
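The Redis suggestion above, worked through as an added example (not code from the answerer): the unverified signup lives under a key with a five-minute TTL, so nothing ever needs to be swept, the OTP is stored only as a keyed hash, and a separate atomic counter limits guesses. A tiny in-memory stand-in with the same method names as redis-py (`set` with `ex=`, `get`, `delete`, `incr`, `expire`) is included so it runs offline; swapping in `redis.Redis(...)` is the assumed production change. `OTP_PEPPER` and the key names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets
import time

PENDING_TTL = 5 * 60   # seconds; Redis discards the key itself after this, no cleanup job
MAX_ATTEMPTS = 5
# Hypothetical server-side secret: a leaked dump must not allow offline guessing of 6-digit codes.
OTP_PEPPER = b"replace-me-with-a-real-secret"


class FakeRedis:
    """In-memory stand-in exposing the redis-py method names used below, so the
    example runs without a server. Replace with redis.Redis(...) in practice."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.data = {}  # key -> (value, expires_at or None)

    def _live(self, key):
        item = self.data.get(key)
        if item is None:
            return None
        value, exp = item
        if exp is not None and self.clock() >= exp:
            del self.data[key]  # lazy expiry on access, like Redis
            return None
        return value

    def set(self, key, value, ex=None):
        self.data[key] = (value, None if ex is None else self.clock() + ex)
        return True

    def get(self, key):
        return self._live(key)

    def delete(self, *keys):
        removed = 0
        for k in keys:
            if self._live(k) is not None:
                del self.data[k]
                removed += 1
        return removed

    def incr(self, key):
        cur = self._live(key)
        new = (int(cur) if cur is not None else 0) + 1
        exp = self.data[key][1] if key in self.data else None
        self.data[key] = (str(new), exp)
        return new

    def expire(self, key, seconds):
        if self._live(key) is None:
            return False
        self.data[key] = (self.data[key][0], self.clock() + seconds)
        return True


def hash_otp(email, otp):
    # Bind the code to the address so a hash cannot be replayed for another signup.
    return hmac.new(OTP_PEPPER, f"{email}:{otp}".encode(), hashlib.sha256).hexdigest()


def start_signup(r, username, email, password_hash):
    """Park the unverified signup under a TTL key; return the OTP for the caller to send."""
    otp = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, zero-padded six digits
    payload = {"username": username, "email": email, "password_hash": password_hash,
               "otp_hash": hash_otp(email, otp)}
    r.set(f"signup:pending:{email}", json.dumps(payload), ex=PENDING_TTL)
    r.delete(f"signup:attempts:{email}")
    return otp


def finish_signup(r, email, otp):
    """Return ("ok", record) once, or a failure reason; the key is gone after TTL or success."""
    key = f"signup:pending:{email}"
    raw = r.get(key)
    if raw is None:
        return "expired_or_unknown", None
    attempts_key = f"signup:attempts:{email}"
    attempts = r.incr(attempts_key)  # atomic, unlike a read-modify-write of the JSON blob
    if attempts == 1:
        r.expire(attempts_key, PENDING_TTL)  # counter dies together with the pending record
    if attempts > MAX_ATTEMPTS:
        r.delete(key)  # burn the pending signup after too many guesses
        return "locked", None
    record = json.loads(raw)
    if not hmac.compare_digest(record["otp_hash"], hash_otp(email, otp)):
        return "invalid", None
    r.delete(key, attempts_key)  # single use
    record.pop("otp_hash")
    return "ok", record  # caller now inserts this into the real users table
```

The attempt counter is kept in its own key rather than inside the JSON payload because `INCR` is atomic on the server, while reading the blob, bumping a field and writing it back would race between concurrent requests. Giving the counter the same TTL as the pending record means both vanish together.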
You actually don't need to clean the database every minute. Instead, just check if the token has expired whenever it's used. You could schedule clean-ups more sparingly, like every hour or even daily. Plus, always keep in mind that you should never fully trust the frontend; assume there could be some dodgy behaviors happening.
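The approach in the two answers above (create the account with a verified flag, check the token's expiry when it is used, and sweep stale unverified rows from an occasional job) as one added example in Python with SQLite; it is not code from either answerer. Column names, the `OTP_PEPPER` secret, the attempt limit and the 24-hour retention for unverified accounts are assumptions; the OTP lifetime is the five minutes from the question.

```python
import hashlib
import hmac
import secrets
import sqlite3

OTP_TTL_SECONDS = 5 * 60           # lifetime of one code, as in the question
MAX_OTP_ATTEMPTS = 5               # lock the code after this many wrong guesses
UNVERIFIED_MAX_AGE = 24 * 60 * 60  # scheduled job removes unverified accounts older than this
# Hypothetical server-side secret so a leaked table does not allow guessing 6-digit codes offline.
OTP_PEPPER = b"replace-me-with-a-real-secret"

SCHEMA = """
CREATE TABLE users (
    id             INTEGER PRIMARY KEY,
    username       TEXT UNIQUE NOT NULL,
    email          TEXT UNIQUE NOT NULL,
    password_hash  TEXT NOT NULL,
    verified       INTEGER NOT NULL DEFAULT 0,
    created_at     INTEGER NOT NULL,
    otp_hash       TEXT,
    otp_expires_at INTEGER,
    otp_attempts   INTEGER NOT NULL DEFAULT 0
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def hash_otp(user_id, otp):
    # Bind the code to the account so a hash cannot be replayed across users.
    return hmac.new(OTP_PEPPER, f"{user_id}:{otp}".encode(), hashlib.sha256).hexdigest()


def create_user(conn, username, email, password_hash, now):
    """Insert an unverified account; return (user_id, otp). The caller sends the OTP out."""
    cur = conn.execute(
        "INSERT INTO users (username, email, password_hash, created_at) VALUES (?, ?, ?, ?)",
        (username, email, password_hash, now),
    )
    user_id = cur.lastrowid
    otp = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, zero-padded six digits
    conn.execute(
        "UPDATE users SET otp_hash = ?, otp_expires_at = ?, otp_attempts = 0 WHERE id = ?",
        (hash_otp(user_id, otp), now + OTP_TTL_SECONDS, user_id),
    )
    conn.commit()
    return user_id, otp


def verify_otp(conn, user_id, otp, now):
    """Check the code at use time; expiry is enforced here, not by a per-minute cleanup."""
    row = conn.execute(
        "SELECT verified, otp_hash, otp_expires_at, otp_attempts FROM users WHERE id = ?",
        (user_id,),
    ).fetchone()
    if row is None:
        return "unknown"
    verified, otp_hash, expires_at, attempts = row
    if verified:
        return "already_verified"
    if otp_hash is None or now >= expires_at:
        return "expired"
    if attempts >= MAX_OTP_ATTEMPTS:
        return "locked"
    if not hmac.compare_digest(otp_hash, hash_otp(user_id, otp)):
        conn.execute("UPDATE users SET otp_attempts = otp_attempts + 1 WHERE id = ?", (user_id,))
        conn.commit()
        return "invalid"
    # Success: flip the flag and drop the code so it cannot be used again.
    conn.execute(
        "UPDATE users SET verified = 1, otp_hash = NULL, otp_expires_at = NULL WHERE id = ?",
        (user_id,),
    )
    conn.commit()
    return "verified"


def cleanup_unverified(conn, now, max_age=UNVERIFIED_MAX_AGE):
    """Run from an hourly or daily job; returns how many stale unverified accounts were removed."""
    cur = conn.execute("DELETE FROM users WHERE verified = 0 AND created_at < ?", (now - max_age,))
    conn.commit()
    return cur.rowcount


def is_verified(conn, user_id):
    row = conn.execute("SELECT verified FROM users WHERE id = ?", (user_id,)).fetchone()
    return bool(row and row[0])


if __name__ == "__main__":
    db = open_db()
    t0 = 1_700_000_000
    uid, code = create_user(db, "alice", "alice@example.com", "<argon2-hash>", t0)
    print(verify_otp(db, uid, "000000" if code != "000000" else "000001", t0 + 10))
    print(verify_otp(db, uid, code, t0 + 10))
    print(cleanup_unverified(db, t0 + 2 * UNVERIFIED_MAX_AGE))
```

Expiry is decided from `otp_expires_at` when the code is presented, so the cleanup job exists only to reclaim space and free up usernames and addresses, and can run as rarely as the second answer suggests. The `created_at` comparison in `cleanup_unverified` is the only place that relies on the sweep; nothing a user can do is affected by how often it runs.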
Instead of dealing with database clean-ups, consider just storing unverified records directly in the users’ table until they're verified.
Honestly, considering the future, maybe skip email/password entirely and go with an OAuth flow. Using JWT is pretty straightforward for structuring your API. If you go that route, something like GitHub's OAuth is super simple to set up and would save you a lot of hassle. But email/password is still valid for many users who prefer straightforward sign-ins!
Email/password is far from obsolete; it's still a very standard method for authentication!

There's nothing wrong with using username/password combinations! Not everyone wants to rely on third-party accounts to log in, and managing those codes can be a hassle. Just having a password manager makes it easy enough for most people.