fix: handle expired otps when used by user (#448)

Author: NithinKuruba

docker/otp-provider/src/controllers/auth-controller.ts

@@ -104,23 +104,29 @@ export const login = async (oidcProvider: Provider) => {
         let validatedOtp = { verified: false, attemptsLeft: 0 };
         const { email, otp } = req.body;
 
+        let disableResend = 'false';
+
         validatedOtp = await validateOtp(otp, email);
 
         const canRequest = await canRequestOtp(email);
 
         if (canRequest) time = await secondsRemainingToRequestNewOtp(email);
 
         if (!validatedOtp.verified) {
+          const otpRenderParams = {
+            uid,
+            email,
+            error,
+            nonce: res.locals.cspNonce,
+            waitTime: time,
+            disableResend,
+          };
           if (validatedOtp.attemptsLeft > 0) {
             error = `Invalid OTP, you have ${validatedOtp.attemptsLeft} attempts left.`;
-            return res.render('otp', {
-              uid,
-              email,
-              error,
-              nonce: res.locals.cspNonce,
-              waitTime: time,
-              disableResend: 'false',
-            });
+            return res.render('otp', { ...otpRenderParams, error });
+          } else if (validatedOtp.attemptsLeft === 0 && (await canRequestOtp(email))) {
+            error = errors.EXPIRED_OTP_WITH_RESEND;
+            return res.render('otp', { ...otpRenderParams, error });
           } else {
             result = {
               error: 'Invalid or expired OTP',

docker/otp-provider/src/modules/errors.ts

@@ -2,4 +2,5 @@ export const errors = {
   OTPS_LIMIT_REACHED: 'You have reached the maximum number of OTP requests for today. Please try again tomorrow.',
   EMAIL_REQUIRED: 'Email is required.',
   INVALID_EMAIL: 'Invalid email.',
+  EXPIRED_OTP_WITH_RESEND: 'Your OTP has expired. Please request a new one to continue.',
 };

docker/otp-provider/src/services/otp.ts

@@ -31,10 +31,11 @@ export const requestNewOtp = async (email: string) => {
 
 export const validateOtp = async (otp: string, email: string) => {
   const activeOtp = await getActiveOtp(email);
-  const otpExpired =
-    new Date().getTime() - new Date(activeOtp.createdAt).getTime() > Number(OTP_VALIDITY_MINUTES) * 60 * 1000;
-  if (!activeOtp || activeOtp.otp !== otp || activeOtp.attempts > Number(OTP_ATTEMPTS_ALLOWED) || otpExpired) {
-    await updateOtpAttempts(activeOtp.otp, email, activeOtp.attempts + 1);
+  if (!activeOtp) {
+    return { verified: false, attemptsLeft: 0 };
+  } else if (activeOtp.otp !== otp || activeOtp.attempts === Number(OTP_ATTEMPTS_ALLOWED)) {
+    if (activeOtp.attempts < Number(OTP_ATTEMPTS_ALLOWED))
+      await updateOtpAttempts(activeOtp.otp, email, activeOtp.attempts + 1);
     return { verified: false, attemptsLeft: Number(OTP_ATTEMPTS_ALLOWED) - (activeOtp.attempts + 1) };
   }
   await deleteOtpsByEmail(email);