After a user confirms that he owns a phone number, I want to give him access to some resource for a limited amount of time. How would you solve this problem?
My first idea:
1. An anonymous user enters a protected route.
2. I send him an SMS with a confirmation code to the phone number related to the resource under the given route.
3. The user confirms his identity.
4. I generate a JWT token with `sub` containing the given phone number and I set `exp` to 5 minutes.
5. I push this JWT token into the session.
6. I use a voter on my protected route to check if the token is present && hasn't expired && `sub` === the phone number related to the resource.
My second idea: steps 1, 2 and 3 are the same as above.
4. When the user confirms the code that was sent to him, the newly created `VerificationCodeListener` issues a token.
5. The token is stored inside the token storage. The user inside the token is an anonymous user containing just a phone.
6. Inside my voter I check if the phones match (the one from the token and the phone related to the resource).
Is there any better way to do this? I don't know Symfony inside out.
from How to authenticate/authorize anonymous user for a limited time?
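As an added illustration (not code from the original question, and not Symfony's own API), here is a framework-free PHP sketch of the first idea: mint an HS256 JWT whose `sub` is the verified phone and whose `exp` is five minutes out, keep it in the session, and run the three-part check the voter would run. The secret, the phone numbers, the `phone_jwt` session key and the function names are constructed placeholders; in a real Symfony voter, `voteOnAttribute()` would call something like `mayAccessResource()` with the request's session and the phone number behind the route.

```php
<?php
declare(strict_types=1);

// Constructed example: HS256 JWT bound to a phone number, valid for 5 minutes,
// plus the check a voter would perform. No framework dependencies.

const JWT_SECRET = 'replace-with-a-long-random-server-side-secret'; // placeholder
const TOKEN_TTL_SECONDS = 300;                                        // 5 minutes

function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string
{
    // strict mode returns false on bad input; cast that to '' so json_decode yields null
    return (string) base64_decode(strtr($data, '-_', '+/'), true);
}

/** Mint a token whose "sub" is the verified phone and whose "exp" is now + 5 minutes. */
function issuePhoneToken(string $phone, int $now, string $secret = JWT_SECRET): string
{
    $header  = base64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = base64url_encode(json_encode([
        'sub' => $phone,
        'iat' => $now,
        'exp' => $now + TOKEN_TTL_SECONDS,
    ]));
    $signature = base64url_encode(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$signature";
}

/**
 * Verify signature and expiry; return the claims, or null on any failure.
 * The signature is checked before the header is trusted, and the algorithm is
 * pinned to HS256 so a client-supplied "alg" cannot weaken the check.
 */
function verifyPhoneToken(string $jwt, int $now, string $secret = JWT_SECRET): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$header, $payload, $signature] = $parts;

    $expected = base64url_encode(hash_hmac('sha256', "$header.$payload", $secret, true));
    if (!hash_equals($expected, $signature)) {          // constant-time comparison
        return null;
    }

    $decodedHeader = json_decode(base64url_decode($header), true);
    if (!is_array($decodedHeader) || ($decodedHeader['alg'] ?? null) !== 'HS256') {
        return null;
    }

    $claims = json_decode(base64url_decode($payload), true);
    if (!is_array($claims) || !isset($claims['sub'], $claims['exp'])) {
        return null;
    }
    if (!is_int($claims['exp']) || $claims['exp'] <= $now) {
        return null;                                     // expired
    }
    return $claims;
}

/** The voter's decision: token present && unexpired && sub === phone behind the route. */
function mayAccessResource(array $session, string $resourcePhone, int $now): bool
{
    if (!isset($session['phone_jwt']) || !is_string($session['phone_jwt'])) {
        return false;                                    // no token in session
    }
    $claims = verifyPhoneToken($session['phone_jwt'], $now);
    return $claims !== null && hash_equals($resourcePhone, (string) $claims['sub']);
}

// Walk-through with constructed values; $session stands in for the Symfony session bag.
$now = time();
$session = [];
$session['phone_jwt'] = issuePhoneToken('+15550001234', $now);   // after the SMS code was confirmed

var_dump(mayAccessResource($session, '+15550001234', $now));        // matching phone, fresh token
var_dump(mayAccessResource($session, '+15550009999', $now));        // token is for a different phone
var_dump(mayAccessResource($session, '+15550001234', $now + 301));  // token past its exp
var_dump(mayAccessResource([], '+15550001234', $now));              // nothing in the session
```

Because the token lives only in the server-side session and the secret never leaves the server, the client cannot forge or extend it; the five-minute window is enforced purely by the `exp` comparison, so the server clock is the only thing that matters. Compare the phone with `hash_equals()` as above rather than `===` if the resource phone could be attacker-influenced, since it avoids leaking anything through timing.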