Hello to all,
Actually, I am trying to make an OTP (One Time Password) based login page in my react-native app. But I am confused about how to do this with proper authentication.
The process that I am thinking about right now:
- Enter the mobile number in the app and hit the submit button; this will take the number to the backend and save it in the database (via open API (a), no protection).
- Then I will use a 3rd-party API (b) to create the OTP, which will send it to the customer, as a response from API (a).
- The customer will enter the received OTP and hit the login button; this will again go to the backend, and this time I will create a JWT-based token, which will be sent to the customer. [API used to create the token: (c), no protection]
- Now this token will be stored somewhere in the app and will get appended to each and every request that the customer makes.
Now the confusing part:
API (a) is open, i.e. anyone can access it, and anyone can hit the OTP API (b) via my API (a).
API (c) is again open, which means anybody can hit the API by submitting the OTP received via API (a).
Hence, anybody can receive the token.
This way anybody can hit every API in my app.
Which is not healthy.
I am not able to come up with a better and solid approach.
How do I resolve this issue? Kindly help.