Handling an OTP (One-Time Password) flow requires a clean sequence so you don't run into race conditions, like a user trying to verify a token before it's securely saved in your state or database.
Here is how you structure a production-ready OTP management lifecycle using auth-verify.
Installation
npm install auth-verify
Initialize the library:
Step 1.
First, bring in the library and configure the token storage. For development, memory works fine, but use redis or a database token store in production so your OTPs survive server restarts.
const AuthVerify = require("auth-verify");
const auth = new AuthVerify({
storeTokens: "memory", // 'redis' is highly recommended for production
expiresIn: "5m" // OTP automatically expires after 5 minutes
});
Configure your transport channel:
Step 2.
Set up how the OTP actually gets to the user. You need to provide your service credentials (like SMTP for emails or API keys for SMS).
auth.otp.sender({
via: 'email',
sender: 'app@yourdomain.com',
pass: process.env.EMAIL_APP_PASSWORD,
service: 'gmail' // or custom SMTP settings
});
Generate and send the OTP:
Step 3.
Trigger this inside your login/registration route. The library automatically generates a secure crypto-random numeric code, maps it to the identifier (email/phone), and sends it out.
app.post("/api/auth/request-otp", async (req, res) => {
const { email } = req.body;
try {
const success = await auth.otp.send(email);
if (!success) return res.status(500).json({ error: "Failed to send OTP" });
res.json({ message: "OTP sent successfully!" });
} catch (err) {
res.status(500).json({ error: err.message });
}
});
Verify the user's input:
Step 4.
When the user submits the code from their screen, pass their identifier and the code to .verify(). The library automatically checks if the code matches, handles the expiration window, and destroys the OTP on success to prevent reuse.
app.post("/api/auth/verify-otp", async (req, res) => {
const { email, code } = req.body;
try {
const isValid = await auth.otp.verify(email, code);
if (!isValid) {
return res.status(400).json({ error: "Invalid or expired OTP" });
}
// OTP is valid! Mint your JWT or log the user in here
res.json({ success: true, message: "Authenticated!" });
} catch (err) {
res.status(500).json({ error: err.message });
}
});
💡 Production Gotchas to Keep in Mind
Rate Limiting: auth-verify handles the generation and verification, but it won't stop a malicious actor from hitting your /request-otp endpoint 10,000 times to blow up your email/SMS billing. Always wrap your OTP routes in a rate-limiter middleware like express-rate-limit.
Replay Attacks: The library automatically handles deleting the OTP token storage space upon a successful validation so that the exact same code cannot be used twice.