I recently started designing my own Web API, and my current goal is to make it possible to register a guest user with his phone number, but there is a requirement: my database must not contain duplicate phone numbers. So I decided that I need a service for validating this case. That's where I got a little bit confused.
Let's suppose I have one REST service which checks whether the entered phone number exists in the system.
It consumes a phone number (like +7-913-XXX-XX-XX) and produces a boolean value depending on the phone number's presence/absence in the database.
If I implemented this logic, it'd be really naive: I'd be able to send as many requests to this service as I want and find out real numbers registered in this system. As a result, the data will be compromised some day.
Blocking a particular IP address (due to high RPS from one machine) obviously does not seem to be the best solution, because there are ways to get through from different IPs.
My questions are the following:

- Does the Spring framework help in this case, by any chance?

The answer from Synchro helped me come up with the following scenario for my situation (to me it seems fair enough in terms of brute forcing during user registration):
I know I missed lots of steps and validation stuff, but I got the key concept: verification should be done first, and only afterwards do we allow this particular phone number to be checked in the system somehow.
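The verification-first flow described above, as an added example that is not code from the original question or from the Spring framework (it is written in plain Python so the logic stays visible; an in-memory set stands in for the database and a list stands in for the SMS gateway, both constructed for the example). The point it demonstrates: the registration endpoint returns one identical response whether or not the number exists, only the owner of the phone ever receives the code, codes are throttled per phone and expire, and wrong guesses are capped, so neither the existence check nor the code itself can be brute-forced through the API.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Tunables (constructed values for the example).
CODE_TTL_SECONDS = 300        # a code stays valid for five minutes
MAX_CODES_PER_WINDOW = 3      # at most three codes per phone per window
CODE_WINDOW_SECONDS = 3600
MAX_VERIFY_ATTEMPTS = 5       # wrong guesses allowed before the code is voided

# The single answer every caller of start_registration gets, whether or not
# the number is in the database, so the response cannot be used to enumerate.
GENERIC_RESPONSE = "If this number can be registered, a verification code has been sent to it."


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts_left: int = MAX_VERIFY_ATTEMPTS


@dataclass
class RegistrationService:
    registered_phones: set = field(default_factory=set)   # stands in for the phone table
    pending: dict = field(default_factory=dict)           # phone -> PendingCode
    send_log: dict = field(default_factory=dict)          # phone -> timestamps of sent codes
    sent_sms: list = field(default_factory=list)          # (phone, text); stands in for the SMS gateway
    now: callable = time.time                             # injectable clock for testing

    def _sends_in_window(self, phone: str) -> int:
        cutoff = self.now() - CODE_WINDOW_SECONDS
        recent = [t for t in self.send_log.get(phone, []) if t > cutoff]
        self.send_log[phone] = recent
        return len(recent)

    def start_registration(self, phone: str) -> str:
        # Per-phone throttle: a requester cannot keep triggering codes for one number,
        # and the response is the same whether the throttle fired or not.
        if self._sends_in_window(phone) >= MAX_CODES_PER_WINDOW:
            return GENERIC_RESPONSE
        self.send_log.setdefault(phone, []).append(self.now())
        if phone in self.registered_phones:
            # The owner of the number is told, not the API caller.
            self.sent_sms.append((phone, "This number is already registered."))
            return GENERIC_RESPONSE
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[phone] = PendingCode(code, self.now() + CODE_TTL_SECONDS)
        self.sent_sms.append((phone, f"Your registration code is {code}"))
        return GENERIC_RESPONSE

    def verify_code(self, phone: str, code: str) -> bool:
        # Only someone holding the phone can pass this step; it is the first
        # point at which the API reveals anything about the number.
        entry = self.pending.get(phone)
        if entry is None:
            return False
        if self.now() > entry.expires_at or entry.attempts_left <= 0:
            del self.pending[phone]
            return False
        entry.attempts_left -= 1
        if not hmac.compare_digest(entry.code, code):   # constant-time comparison
            if entry.attempts_left == 0:
                del self.pending[phone]                 # too many wrong guesses: void the code
            return False
        del self.pending[phone]
        self.registered_phones.add(phone)
        return True


if __name__ == "__main__":
    svc = RegistrationService(registered_phones={"+7-913-000-00-01"})
    print(svc.start_registration("+7-913-000-00-01"))   # existing number
    print(svc.start_registration("+7-913-000-00-02"))   # new number: same text
    print(svc.sent_sms)
```

In a real deployment the code would be delivered by the SMS provider and the pending codes kept in a store with TTL support (a cache or a table with an expiry column); the uniform response, per-phone throttling, expiry and attempt cap are the parts that carry over unchanged.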