isom-2003 feat(otp): update OTP verification to include IP address

[adriangohjw]

Problem

What problem are you trying to solve? What issue does this close?

Closes https://linear.app/ogp/issue/ISOM-2003/vapt-active-denial-of-service-of-login-to-gogovsg

Solution

How did you solve the problem?

Features:

• use email:ip as redis key instead of just email

Improvements:

• add test case for this

Tests

What tests should be run to confirm functionality?

• refer to Linear ticket for steps to reproduce

[linear]

ISOM-2003 [VAPT] Active denial of service of login to `go.gov.sg`

[adriangohjw]

bugbot run

[cursor]

Bug: OTP Verification Test Fails Due to IP Mismatch

The POST /api/login/verify integration test primes the OTP cache with a hardcoded IP '127.0.0.1'. However, the actual HTTP request made by supertest may originate from a different IP address. As OTPs are now stored and retrieved using an email:ip key, this IP mismatch prevents successful OTP verification, causing the test to fail.

test/server/api/LoginRoute.test.ts#L58-L65

GoGovSG/test/server/api/LoginRoute.test.ts

Lines 58 to 65 in 6161aa4

	// Prime cache
	getOtpCache().setOtpForEmail('[email protected]', '127.0.0.1', {
	hashedOtp: '1',
	retries: 100,
	})
	const res = await request(app)
	.post('/api/login/verify')
	.send({ email: '[email protected]', otp: '1' })

Fix in Cursor • Fix in Web

---

Was this report helpful? Give feedback by reacting with 👍 or 👎

[dcshzj]

I think ok, but feels a bit like the blind leading the blind lol, need to really test on staging to make sure everything is still working as expected.

[adriangohjw]

I think ok, but feels a bit like the blind leading the blind lol, need to really test on staging to make sure everything is still working as expected.

@dcshzj yeah i agree :sadge: