Prevent Reuse of Step-One Token After Phone Number Registration

[Dynavy]

Current Behavior:

Currently, after completing step one, a user receives a temporary 5-minute JWT token to proceed to step two, where the phone number is submitted.

However, since the token remains valid for 5 minutes, it is possible for the token to be reused multiple times to change the phone number within that time frame. This introduces a security risk, as the phone number should be set only once during registration.

Proposed Solution:

To prevent token reuse, the step-one token should be revoked immediately after it is used in step two. The best approach is to store revoked tokens in a database and check for revocation before authenticating any request.

Implementation Steps:

1. Create a database table to store revoked tokens:

A database table should be created to log the revoked tokens. This will allow tracking of the tokens that have already been invalidated.

2. Implement new methods in the JwtService to manage token revocation:

The JwtService will handle the management of revoked tokens, enabling both the revocation of a token and checking if a token has already been revoked.

3. Revoke the token immediately after step-two registration:

Once step two is completed, the step-one token must be revoked. This ensures that the token cannot be reused for any further operations after its intended use.

4. Modify JwtAuthenticationFilter to reject revoked tokens before authentication:

Before proceeding with authentication, it is necessary to check whether the token has been revoked. If the token has been revoked, the request should be rejected, and access to the system should be denied.