Prevent validation using old OTP after resending new OTP

Created on 14 August 2025, 5 days ago

Problem/Motivation

After clicking 'Resend OTP', if the user enters the previously issued OTP, they are still able to validate and log in to the site. This creates a security issue because outdated OTPs remain valid.

Steps to reproduce

Request an OTP for login.
Before entering it, click 'Resend OTP' to generate a new one.
Enter the original (old) OTP instead of the new one.
Observe that login still succeeds.

Proposed resolution

Invalidate any previously generated OTP immediately when a new OTP is issued. Ensure that only the latest OTP can be used to validate and log in.

Remaining tasks

Review and test the provided patch.
Verify that old OTPs are rejected after resending.
Confirm no regressions for normal OTP flow.

User interface changes

None.

API changes

None.

Data model changes

None.

🐛 Bug report

Status

Active

Version

2.0

Component

Code

Created by

🇮🇳India radheymkumar Jaipur, Rajasthan, India

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @radheymkumar
Comment 5 days ago →
🇮🇳India radheymkumar Jaipur, Rajasthan, India
Please review and apply this patch
Comment 2 days ago →
🇸🇦Saudi Arabia abdulaziz zaid Riyadh
I checked the code and confirmed that when a new OTP is sent, it simply overwrites the old one in storage. This means the previous code is no longer valid and cannot be used. The module already works as expected, so no change is needed

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024