I wanted to verify phone numbers before using them for communication with registered users. However, I am unclear if I'm doing it securely, i.e.
Steps I'm taking:
- Ask user for phone number
- Send SMS verification code
- User enters Code
- Code verified using the SMS service (Sinch or Twilio)
- Correct code triggers a callback function (client side) that adds the number to the backend database
- Incorrect code does nothing
My concern is step 5. Should I have the success callback function perform the number save on the client side, or should I trigger some backend (server-side) function that performs the save operation?
So with Sinch it works like this: all the steps 1 to 6 are correct on the client side,
But step 5/6 is more like this:
- 5. Client enters code and sends it to the Sinch backend
- Return to client with Success or Fail (do UI logic)
- Make a callback to your server with status; take action if correct or incorrect
So the code is never in your possession; injecting the "add to database" on the client side is not possible, since you can get Success on the client and then, in the client, reload your data from your backend that has been updated by the server-to-server method. Makes sense?
https://www.sinch.com/docs/verification/rest/#howtousetheverificationapis
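The flow the answer describes, as an added example that is not part of the question, the answer, or Sinch's own code. It simulates the three parties in one process: a stand-in verification service that holds the code and checks it, your application server that is the only component writing to the database, and a client that only ever submits the code and then reloads state from your server. The callback authentication (an HMAC-SHA256 over the body with a shared secret), the `user`/`phone`/`status` payload, the class and function names and the sample phone numbers are all assumptions made for this example; the real Sinch callback format and its authentication are in the linked docs and must be checked there.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: a secret shared between the verification service and the app
# server, provisioned out of band. The page does not describe how real Sinch
# callbacks are authenticated; check the linked docs for that.
SHARED_SECRET = b"example-shared-secret-do-not-reuse"


class AppServer:
    """Your backend. It is the ONLY component that writes verified numbers."""

    def __init__(self):
        self.db = {}  # user_id -> verified phone number (stand-in for the DB)

    def verification_callback(self, body: bytes, signature: str) -> bool:
        """Server-to-server endpoint hit by the verification service.

        Rejects anything whose MAC does not match, so a browser (or anyone
        who has read the client-side code) cannot simply POST "SUCCESSFUL".
        """
        expected = hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False
        event = json.loads(body)
        if event["status"] == "SUCCESSFUL":
            self.db[event["user"]] = event["phone"]
        return True

    def verified_phone(self, user_id: str):
        """What the client reloads after its UI has seen 'success'."""
        return self.db.get(user_id)


class VerificationService:
    """Stand-in for the SMS verification backend (Sinch/Twilio)."""

    def __init__(self, app_server: AppServer):
        self._app = app_server
        self._pending = {}  # (user_id, phone) -> code; never leaves this service

    def start(self, user_id: str, phone: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(user_id, phone)] = code
        return code  # really delivered by SMS; returned here only so the demo runs

    def report(self, user_id: str, phone: str, submitted: str) -> bool:
        """The client submits the code here, not to your server."""
        expected = self._pending.get((user_id, phone), "")
        ok = hmac.compare_digest(expected.encode(), submitted.encode())
        if ok:
            del self._pending[(user_id, phone)]
        status = "SUCCESSFUL" if ok else "FAIL"
        body = json.dumps({"user": user_id, "phone": phone, "status": status}).encode()
        sig = hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()
        self._app.verification_callback(body, sig)  # server-to-server, both outcomes
        return ok  # what the client gets back, for UI logic only


def run_flow(user_id: str, phone: str, submit_wrong: bool = False):
    """Whole flow from the client's point of view; returns what the client reloads."""
    app = AppServer()
    svc = VerificationService(app)
    code = svc.start(user_id, phone)  # code issued (would arrive by SMS)
    if submit_wrong:  # simulate a user typing the wrong code
        code = "000000" if code != "000000" else "999999"
    svc.report(user_id, phone, code)  # client -> verification service
    return app.verified_phone(user_id)  # client -> your backend, read only


def forged_callback_is_rejected() -> bool:
    """What a tampering client gets when it tries to hit the callback itself."""
    app = AppServer()
    body = json.dumps(
        {"user": "mallory", "phone": "+15550000000", "status": "SUCCESSFUL"}
    ).encode()  # constructed forged payload; the client has no SHARED_SECRET
    accepted = app.verification_callback(body, "00" * 32)
    return (not accepted) and app.verified_phone("mallory") is None
```

Two things a practitioner would add on top of this sketch: the callback must carry something that ties the result to the right account (the `user` field here is that assumption), and the client's reload can race the callback, so the UI should poll or retry rather than assume the number is stored the instant the service reports success.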