Closed
Description
If a user tries to sign on to your website, once all the credentials are in, the system asks for an OTP. Still, when I try to re-signup it says my user name already exists, which suggests that even before entering the OTP it already recorded my info in the DB, which is a huge vulnerability.
Because of this, I could log in without using any OTP. I recommend you fix this.
Sol: Save to the DB once the OTP is verified; before that, don't do that (I haven't looked at your code so I don't know how you have done the DB modelling).
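
One way to structure the fix suggested in the report, as an added example that is not part of the original issue or the project's code: unverified signups live in a separate pending store, the user record is created only after the OTP check passes, and login never consults pending entries. `SignupService`, its method names, the TTL and the attempt limit are hypothetical, and the OTP is returned to the caller instead of being delivered out of band so the flow runs offline.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL = 300       # assumed: seconds a pending signup stays valid
MAX_ATTEMPTS = 5    # assumed: wrong OTP guesses before the pending entry is dropped

class SignupService:
    """Hypothetical model: an account exists only after its OTP is verified."""
    def __init__(self):
        self.users = {}     # username -> (salt, password_hash); verified accounts only
        self.pending = {}   # username -> unverified signup awaiting its OTP

    @staticmethod
    def _hash_pw(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

    def start_signup(self, username, password):
        if username in self.users:
            raise ValueError("username already exists")
        salt = secrets.token_bytes(16)
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = {   # a repeated signup replaces the pending entry
            "salt": salt, "pw": self._hash_pw(password, salt), "attempts": 0,
            "otp": otp.encode(),
            "expires": time.monotonic() + OTP_TTL,
        }
        return otp  # a real system sends this out of band; returned here for the demo

    def verify_otp(self, username, otp):
        entry = self.pending.get(username)
        if entry is None:
            return False
        entry["attempts"] += 1
        expired = time.monotonic() > entry["expires"]
        ok = hmac.compare_digest(otp.encode(), entry["otp"])
        if expired or not ok:
            if expired or entry["attempts"] >= MAX_ATTEMPTS:
                del self.pending[username]
            return False
        self.users[username] = (entry["salt"], entry["pw"])  # account created only now
        del self.pending[username]
        return True

    def login(self, username, password):
        record = self.users.get(username)   # pending signups are never consulted
        if record is None:
            return False
        return hmac.compare_digest(self._hash_pw(password, record[0]), record[1])
```

Because the username is reserved only in `users`, an abandoned signup does not block the name, and credentials entered before verification cannot be used to log in.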