refactor(auth): replace custom OTP logic with pyotp RFC6238 (!184) · Merge requests · Corpus / Corpus Server Platform

Laxman Reddy requested to merge refactor/otp-pyotp-rfc6238 into develop Apr 29, 2026

Title (semantic)

refactor(auth): replace custom OTP implementation with pyotp RFC6238

Description
This merge request refactors the OTP implementation in app/services/otp_service.py by replacing the custom OTP generation and hash verification logic with RFC 6238 compliant TOTP using PyOTP.

The refactor improves security, maintainability, and standards compliance while preserving the existing API behavior.

Changes Included

Removed custom OTP generation logic using random
Removed custom OTP hashing and verification methods
Added pyotp dependency
Implemented TOTP generation using RFC 6238
Stored generated OTP secret in existing otp_hash field temporarily
Updated OTP verification flow to use pyotp.TOTP.verify()
Removed debug OTP print statements
Preserved existing:
- SMS sending logic
- Rate limiting
- Expiry handling
- Attempts tracking
- Response structure
- DB query behavior

Checklist

Code has been refactored for clarity, maintainability, or security
- No functional API changes introduced
- OTP flow tested end-to-end
- Existing behavior preserved
- Code adheres to project coding standards
- Removed unused imports and legacy OTP methods
- Validation completed for OTP generation and verification

Related Issue(s)

close #103

Edited Apr 29, 2026 by Laxman Reddy

refactor(auth): replace custom OTP logic with pyotp RFC6238

Merge request reports