Cryptographically Weak

[prathamtagad]

File: userAuth.controller.js

OTPs are generated using Math.random(), which is not cryptographically secure. An attacker who can predict the RNG state could forge OTPs.

const otp = Math.floor(100000 + Math.random() * 900000).toString();

The dashboard-api already uses crypto.randomInt() in auth.controller.js,
The public-api should follow the same pattern for consistency and security.

[yash-pouranik]

@prathamtagad Helloooooooooooo
One good news that urbackend is listed in NSOC'26'Project-list So If you want to get Recognize or to be active in Open source community? you can register at NSOC'26
Let me know if you are joining? if yes then we will review ur PR after 15April i.e. contribution Period in NSOC. Just let me know.

[prathamtagad]

yes sure, I'm joining rn!

[yash-pouranik]

@prathamtagad Just let me know when you have registered. If any issue persists u can ping me

[itsmessc]

Hello, I would like to work on this issue

Root cause: OTPs in the public API's user auth flow were generated using Math.random():

const otp = Math.floor(100000 + Math.random() * 900000).toString();
Math.random() is not cryptographically secure — it uses a deterministic pseudo-random number generator (PRNG) seeded by the JS engine. Its output is statistically predictable if an attacker can observe enough samples or knows the seed/state. This means:

Password reset OTPs could be predicted — attacker requests a reset, guesses the OTP, takes over the account
Email verification OTPs could be predicted — attacker could verify an account they don't own

[yash-pouranik]

Sure u can work on this
@itsmessc