
I am building an authentication microservice with email confirmation. The problem is that in the past I used a randomly generated string (crypto.randomBytes(20).toString('hex')). It worked fine until it became a headache when Gmail decided that Zoho emails containing links to my website (hosted on AWS, with literally every single bit that Zoho advised configured in Route53: SPF, DKIM, everything mentioned in the Zoho instructions) should go to spam. That's why I had to do an emergency switch to code authentication, where I send a 5-6 digit code that the user has to confirm; this is quite common, as I see on many websites, and it is what I am using in this microservice at the moment. I generate a random number, iterate over users, and check if there is any user with that code; if there is, I do it again, but break the loop if it exceeds the max number of iterations defined in the config file (3). Now, the problem I see is that even though the max 6-digit number is 999999, it can become a problem while scaling up: many simultaneous user registrations with delayed verification plus an attacker spamming user codes could become trouble quite soon. Even if I have a separate microservice for cleaning up expired codes, it may still be a concern if the user runs into an already existing code many times (UX problem). What is the standard solution for this? I have searched all over Google but found nothing special, and most boilerplates are using encoded strings.

Iliaaaa
  • Don't iterate over users looking for who has the supplied code. Instead, ask the user to provide both email and code and just look up that user. No more problem with repeating codes either. Also, make sure to give the codes a short valid time (say, no longer valid after 15 minutes) and delay the user after a few failed attempts to deter spammers and prevent resource exhaustion. – Alejandro Apr 26 '21 at 18:12
  • Thank You, seems reasonable. – Iliaaaa Apr 26 '21 at 18:27
  • Read the section about links/tokens here: https://www.codeproject.com/Articles/5300920/authentication-flows-js – OhadR Apr 26 '21 at 20:31

1 Answer


First, you can use a different email provider other than Zoho. For example, AFAIK Mailgun, SMTP2GO and Sendinblue are not recognized as spam by Google.

Second, most sites do not ask the user for both the code and the email. So I am not sure about asking the user for his email again. I would search for the token (as you described), but once I find it I would delete it, so it will not collide with the same generated token in the future, and to make sure this token cannot be used more than once.

Just make sure to also index the token in your DB, so the search will be optimal.

If instead you want to use a package that uses the "boilerplate" you mentioned (you do not have to code it, just depend on this package), you can use https://www.npmjs.com/package/authentication-flows-js.

OhadR
  • Great point @OhadR, though I don't think asking for the email again is necessary; we can easily store the email in Redux or even localStorage and use that. – Iliaaaa May 03 '21 at 18:07