A one-time password (OTP) is a widely used authentication step today when logging into a system, making a transaction, or taking a high-risk action. It adds a layer of security to your application. Regular passwords can be stolen or guessed, depending on the password security policy of your website. A one-time password, by contrast, is delivered to your email or your mobile number, can be used only once, and is valid for only a few minutes. A message sent to your mobile number can be read only on that phone.
Implementing a one-time password flow is straightforward in Node.js using the Passwordless and Twilio packages. Follow the steps below to set up a web page where you enter your mobile number and receive a 6-digit OTP on that phone. You then enter the OTP, and if it verifies you are redirected to the login page.
Create an account in Twilio
Go to twilio.com and create an account by signing up. After this you will be logged in to Twilio.
How Twilio works
There is an official description of how Twilio works: visit Twilio's getting started page.
Once you log in, go to this URL: https://www.twilio.com/console/sms/getting-started/basics
On that page there is a step-by-step demo to create a phone number and send a test SMS.
- Note down this phone number.
Note the API credentials
On the same page, click "Show API credentials" on the right side of the page and note down these two parameters: Account SID and Auth Token.
Install mongodb in your system (if not already installed)
If you have set up mongodb without authentication, then your connection string will simply be:
'mongodb://localhost:<port>/passwordless-sms'
Replace <port> with your mongodb port (typically 27017).
If you have set up mongodb with authentication, then your connection string will be:
'mongodb://<dbUserId>:<dbPassword>@localhost:<port>/passwordless-sms'
Replace <port> with mongodb port.
Replace <dbUserId> with mongodb database user id.
Replace <dbPassword> with mongodb database password.
Clone the passwordless example demo Github repo
Clone the following GitHub repo into your system: https://github.com/rbudiharso/smsauth-example
Edit the source code
Open app.js in your favourite editor and edit the lines below.
Find this line
accountSid = 'TWILIO_SID'
and replace the TWILIO_SID with your Account SID which you have noted down before.
Now, find this line
authToken = 'TWILIO_AUTH_TOKEN'
and replace the TWILIO_AUTH_TOKEN with the AUTH Token you noted down before.
Now, find this line
from: "TWILIO_NUMBER"
and replace the TWILIO_NUMBER with the phone number you noted down before.
Now, find this line
db = 'mongodb://localhost/passwordless-sms';
and replace this mongodb connection string with the connection string you made earlier.
Generating 6 digit OTP
Open a Node.js console, go to the cloned repository directory on your system, and execute the command below:
npm install random-js --save
Open app.js again and find the function below:
tokenAlgorithm: function() {
  // custom token generator
  // short random token generator, enough to fit into single SMS
  return '12345'
}
and replace it with the code below:
// Add near the top of app.js, next to the other require() calls:
// var Random = require('random-js');
tokenAlgorithm: function() {
  // custom token generator: a 6-digit number is short enough for a single SMS
  var random = new Random(Random.engines.mt19937().autoSeed());
  var value = random.integer(100000, 999999);
  // do not console.log the value here: the OTP would end up in the server logs
  return value.toString();
}
Running our app to test
In node console execute the command
node app.js
Open the browser and enter this URL
http://localhost:9000
Type your mobile number with the country code. You will receive a 6-digit OTP on your mobile number. On the next page enter that 6-digit OTP and you will be logged in.
Note: You should also implement the token timeout functionality. When Passwordless saves a token in mongodb, its timestamp is saved with it. So during OTP verification, read that timestamp, check that it is within the range of your timeout setting, and throw an exception otherwise.