Question about Devicecheck in iOS > 11 and basically how to ensure a user is a real one?


I'm implementing a sign-up system which uses SMS to authenticate the user. As I pay for each SMS sent, I would like to prevent that one could send 100000 requests to my server, which would result in sending 100000 SMS to random users. I would like, for example, to accept only 10 SMS/hour/user. However, the problem is that I can't really identify the user with the IP address (several may be using the same IP).

I heard that DeviceCheck was an Apple API that could tell me, on the server side, if a temporary token sent by the client is a real one, from a real iPhone. The problem is that I can't store the number of SMS sent by this token because it is temporary. The only thing I could do is store 2 bits on Apple's server, but, with 2 bits, I can't store the number of times a user has sent an SMS in the hour.

The best I could do is store a "true" if a user sends an SMS, and then if they try to send an SMS again, if I see a true within 1 minute (because we can also know the last time these bits were set), I could say no. But that's not what I really want: if the user mistyped their phone number 3 or even 4 times, I don't want to keep them waiting.

Do you have any idea how to store such information (n SMS/h/user) with DeviceCheck?

Also, I was thinking that Swift apps are compiled, so the user can't see their source code. Thus, I could maybe do this to ensure the user is real:

  • Client asks the server for a key
  • Server returns a random key to the client
  • Client encrypts this key in a secret manner, a manner that nobody can see because the source code is not readable
  • Client sends the actual request + the token it has generated + the key the server sent
  • From the key, the server decrypts the token, and fails if the token does not match the key sent

Do you think such a process could be reliable ?
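The five-step exchange proposed in the question, written out as a small Python model with both sides, as an added example that is not part of the original post and not any Apple API: the server hands out a random nonce, the client answers with an HMAC (used here in place of the post's "encrypt in a secret manner") over the nonce and the request body using a secret compiled into the app, and the server recomputes and compares. APP_SECRET, the 60-second challenge lifetime and the request body are constructed values. The cases in run_exchange show what the check establishes and what it does not: replays, tampered bodies, stale challenges and a guessed secret are rejected, while a script that has pulled the same constant out of the app binary is accepted exactly as the real app is, because the only thing the server can verify is possession of that secret.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the secret the app would embed in its binary.
# Assumption: every copy of the compiled client carries this same constant,
# so anyone who extracts it from one copy can answer challenges like the app.
APP_SECRET = bytes.fromhex(
    "9f2a7c1e4b8d0a6c3e5f7a9b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d"
)


def client_token(secret: bytes, nonce: str, body: bytes) -> str:
    """Step 3: the client binds the server's nonce to the request body with an HMAC."""
    return hmac.new(secret, nonce.encode() + b"|" + body, hashlib.sha256).hexdigest()


class Server:
    """Steps 2 and 5: issue single-use nonces and verify the token the client returns."""

    def __init__(self, secret: bytes, ttl_seconds: int = 60):
        self.secret = secret
        self.ttl = ttl_seconds
        self.issued = {}  # nonce -> issue time (in production: a shared store with expiry)

    def issue_challenge(self, now: float) -> str:
        nonce = secrets.token_hex(16)  # 128 random bits; unguessable
        self.issued[nonce] = now
        return nonce

    def verify(self, nonce: str, token: str, body: bytes, now: float) -> bool:
        issued_at = self.issued.pop(nonce, None)  # pop: a nonce is usable exactly once
        if issued_at is None or now - issued_at > self.ttl:
            return False
        expected = client_token(self.secret, nonce, body)
        return hmac.compare_digest(expected, token)  # constant-time comparison


def run_exchange() -> dict:
    """Run the honest flow and the failure cases; returns name -> accepted?"""
    srv = Server(APP_SECRET)
    t0 = 1_000_000.0  # constructed clock value
    body = b'{"phone":"+15550100"}'  # constructed request body
    results = {}

    # Honest client: steps 1-5 in order, answered a few seconds after issue.
    nonce = srv.issue_challenge(t0)
    results["honest"] = srv.verify(nonce, client_token(APP_SECRET, nonce, body), body, t0 + 5)

    # Replay: the same nonce and token presented a second time.
    results["replay"] = srv.verify(nonce, client_token(APP_SECRET, nonce, body), body, t0 + 6)

    # Tampered body: the token was computed over a different request than the one sent.
    nonce = srv.issue_challenge(t0)
    results["tampered"] = srv.verify(nonce, client_token(APP_SECRET, nonce, body), body + b"x", t0 + 5)

    # Expired challenge: answered after the TTL.
    nonce = srv.issue_challenge(t0)
    results["expired"] = srv.verify(nonce, client_token(APP_SECRET, nonce, body), body, t0 + 120)

    # Wrong secret: a caller that guessed rather than extracted the constant.
    nonce = srv.issue_challenge(t0)
    results["wrong_secret"] = srv.verify(nonce, client_token(b"guess", nonce, body), body, t0 + 5)

    # Extracted secret: a script holding the same APP_SECRET is indistinguishable
    # from the real app, so it is accepted. This is the limit of the scheme.
    nonce = srv.issue_challenge(t0)
    extracted = APP_SECRET
    results["extracted_secret"] = srv.verify(nonce, client_token(extracted, nonce, body), body, t0 + 5)
    return results


if __name__ == "__main__":
    for name, ok in run_exchange().items():
        print(f"{name:17s} {'accepted' if ok else 'rejected'}")
```

Two details matter if the exchange is used at all: the nonce must be consumed on first use and bound to the request body (otherwise a captured token can be replayed or attached to a different request), and the comparison must be constant-time. Neither detail changes what the last case shows: the server learns that the caller knows the secret, not that the caller is the unmodified app on a real device.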

