Implementing SMS OTP Verification with Node.js and Infobip

This guide provides a step-by-step walkthrough for adding SMS-based One-Time Password (OTP) verification, a common form of Two-Factor Authentication (2FA), to your Node.js Express application using the Infobip API. We'll cover everything from initial setup to production considerations.

Enhancing application security is crucial, and OTP via SMS provides a robust layer by verifying user possession of a registered phone number. This guide aims to equip you with the knowledge to implement this feature effectively.

Project Overview and Goals

What We'll Build:

We will build a simple Node.js Express application with two core API endpoints:

/request-otp: Accepts a user's phone number, uses the Infobip API to generate and send an OTP code via SMS to that number, and stores necessary information for verification.
/verify-otp: Accepts the user's phone number and the OTP code they received, then uses the Infobip API to verify if the code is correct and valid.

Problem Solved:

This implementation adds a layer of security to user actions like registration, login, or sensitive operations by verifying that the user currently possesses the phone number associated with their account. It helps prevent unauthorized access even if account credentials (like passwords) are compromised.

Technologies Used:

Node.js: The JavaScript runtime environment.
Express.js: A minimal and flexible Node.js web application framework for building the API.
Infobip 2FA API: The third-party service used to handle OTP generation, SMS delivery, and verification.
axios: A promise-based HTTP client for making requests to the Infobip API.
dotenv: A module to load environment variables from a .env file.
(Optional) express-validator: For robust request validation.
(Optional) express-rate-limit: To protect endpoints from brute-force attacks.

System Architecture:

+-------------+       +-----------------------+       +---------------+       +-------------+
|             |--(1)-&gt;|     Node.js/Express   |--(2)-&gt;|               |--(3)-&gt;|             |
| End User    |       |        App Server     |       |  Infobip API  |       | User's Phone|
| (Browser/App)|&lt;- F -|                       |&lt;- G -|               |&lt;- E -| (SMS)       |
|             |&lt;-(6)--| (API: /verify-otp)    |&lt;-(7)--|               |       |             |
|             |       | (API: /request-otp)   |--(4)-&gt;|               |       |             |
+-------------+       +-----------------------+       +---------------+       +-------------+

Flow:
1. User initiates OTP request (e.g., provides phone number) to the App Server (/request-otp).
2. App Server sends OTP request details (App ID, Message ID, Phone Number) to Infobip API.
3. Infobip generates OTP, sends SMS to User's Phone.
4. Infobip returns a `pinId` (PIN identifier) to the App Server. (App Server stores this temporarily associated with the phone number).
5. User receives SMS, enters the OTP code into their Browser/App.
6. User submits the OTP code and phone number to the App Server (/verify-otp). App Server includes the stored `pinId`.
7. App Server sends the `pinId` and submitted OTP code to Infobip for verification.
G. Infobip returns verification status (success/failure) to App Server.
F. App Server processes the result and responds to the End User.

(Note: The visual placement of arrows F and G in the diagram might seem slightly ambiguous relative to steps 5/6/7, but the text description G->F reflects the logical sequence of responses after step 7).

Prerequisites:

Node.js and npm (or yarn) installed.
An active Infobip account (Sign up for free).
A registered phone number (for testing during development, preferably the one linked to your Infobip trial account).
Basic understanding of Node.js, Express, APIs, and asynchronous JavaScript.

Final Outcome:

A functional Express API capable of sending OTPs via Infobip SMS and verifying them, ready to be integrated into a larger application for enhanced security.

1. Setting up the Project

Let's initialize our Node.js project and install the necessary dependencies.

Create Project Directory: Open your terminal and create a new directory for the project, then navigate into it.
bash
mkdir infobip-otp-guide cd infobip-otp-guide
Initialize npm:
bash
npm init -y
This creates a package.json file.
Install Dependencies: We need Express for the server, axios to call the Infobip API, and dotenv to manage environment variables.
bash
npm install express axios dotenv
Install Development Dependencies (Optional but Recommended): nodemon helps during development by automatically restarting the server on file changes.
bash
npm install --save-dev nodemon

Configure nodemon (Optional): Add a dev script to your package.json scripts section:

json

// package.json
{
  // ... other fields
  ""scripts"": {
    ""start"": ""node server.js"",
    ""dev"": ""nodemon server.js"",
    ""test"": ""echo \""Error: no test specified\"" && exit 1""
  },
  // ... other fields
}

Create Project Structure: Organize the project for clarity. Create the following files and folders:

infobip-otp-guide/
├── node_modules/
├── .env
├── .gitignore
├── package.json
├── package-lock.json
├── server.js
└── services/
    └── infobip.js

Create .gitignore: Add node_modules and .env to prevent committing them to version control.
plaintext
# .gitignore node_modules .env

Create server.js (Initial Setup):

javascript

// server.js
require('dotenv').config(); // Load environment variables early
const express = require('express');
const infobipService = require('./services/infobip'); // We will create this soon

const app = express();
const PORT = process.env.PORT || 3000;

// --- Middleware ---
app.use(express.json()); // Parse JSON request bodies

// --- In-Memory Storage (DEMO ONLY - NOT FOR PRODUCTION) ---
// !! CRITICAL !! In production, use a secure, persistent store like Redis or a database
// table with TTL to associate pinId with the user/phone number/session.
// In-memory storage is NOT scalable, NOT persistent, and prone to memory leaks if
// the cleanup mechanism fails or if many requests are made without verification.
const otpStore = {}; // { phoneNumber: pinId }

// --- Routes ---
app.post('/request-otp', async (req, res) =&gt; {
    const { phoneNumber } = req.body;

    if (!phoneNumber) {
        return res.status(400).json({ success: false, error: 'Phone number is required' });
    }

    try {
        console.log(`Requesting OTP for ${phoneNumber}`);
        const pinId = await infobipService.sendOtp(phoneNumber);
        console.log(`OTP request successful for ${phoneNumber}, pinId: ${pinId}`);

        // Store the pinId temporarily, associating it with the phone number
        // AGAIN: Replace this with a proper storage solution in production.
        otpStore[phoneNumber] = pinId;

        // Basic cleanup for demo purposes. A robust system needs better handling.
        // This timeout might not run if the server crashes, potentially leaking memory.
        setTimeout(() =&gt; {
            // Only delete if the pinId hasn't been overwritten by a newer request for the same number
            if (otpStore[phoneNumber] === pinId) {
                delete otpStore[phoneNumber];
                console.log(`Cleaned up expired/unused pinId for ${phoneNumber}`);
            }
        }, 10 * 60 * 1000); // 10 minutes (adjust based on pinTimeToLive)

        res.status(200).json({ success: true, message: 'OTP sent successfully.' });

    } catch (error) {
        console.error('Error sending OTP:', error.response?.data || error.message);
         // Provide a generic error message to the client
        res.status(500).json({
            success: false,
            error: 'Failed to send OTP. Please try again later.',
            // Optionally include details in logs or specific non-sensitive error codes
            errorCode: error.response?.data?.requestError?.serviceException?.messageId || 'UNKNOWN_ERROR'
        });
    }
});

app.post('/verify-otp', async (req, res) =&gt; {
    const { phoneNumber, otp } = req.body;

    if (!phoneNumber || !otp) {
        return res.status(400).json({ success: false, error: 'Phone number and OTP are required' });
    }

    // Retrieve the pinId associated with this phone number (from demo store)
    const pinId = otpStore[phoneNumber];

    if (!pinId) {
        console.warn(`No active OTP request found for ${phoneNumber}. It might have expired or never existed.`);
        return res.status(400).json({ success: false, error: 'No active OTP request found or it has expired. Please request a new OTP.' });
    }

    try {
        console.log(`Verifying OTP ${otp} for ${phoneNumber} with pinId ${pinId}`);
        const isVerified = await infobipService.verifyOtp(pinId, otp);

        if (isVerified) {
            console.log(`OTP verification successful for ${phoneNumber}`);
            // Verification successful - remove the used pinId from store immediately
            delete otpStore[phoneNumber];
            res.status(200).json({ success: true, message: 'OTP verified successfully.' });
            // TODO: Update user status in your database (e.g., mark phone as verified)
        } else {
            console.warn(`OTP verification failed for ${phoneNumber}. Incorrect PIN.`);
            // Verification failed (likely incorrect PIN)
            // NOTE: Infobip handles attempt limits based on Application settings
             res.status(400).json({ success: false, error: 'Invalid OTP code.' });
             // Consider if you want to clear pinId from store on failure based on app logic
        }
    } catch (error) {
        console.error('Error verifying OTP:', error.response?.data || error.message);
         // Check for specific Infobip errors if needed
         const errorCode = error.response?.data?.requestError?.serviceException?.messageId;
         let errorMessage = 'Failed to verify OTP. Please try again later.';

         if (errorCode === 'TOO_MANY_REQUESTS') {
             errorMessage = 'Too many verification attempts. Please try again later.';
         } else if (errorCode === 'PIN_EXPIRED') {
            errorMessage = 'OTP code has expired. Please request a new one.';
            // Clean up expired pin from store if it matches the one we tried to verify
            if (otpStore[phoneNumber] === pinId) delete otpStore[phoneNumber];
         } else if (errorCode === 'PIN_NOT_FOUND') {
            errorMessage = 'Invalid request. Please request a new OTP.';
            // Clean up potentially invalid pin from store if it matches
            if (otpStore[phoneNumber] === pinId) delete otpStore[phoneNumber];
         }

        res.status(500).json({ success: false, error: errorMessage, errorCode: errorCode || 'UNKNOWN_ERROR' });
    }
});

// --- Start Server ---
app.listen(PORT, () =&gt; {
    console.log(`Server running on port ${PORT}`);
    infobipService.initialize()
      .then(() =&gt; console.log('Infobip service initialized.'))
      .catch(err =&gt; console.error('Failed to initialize Infobip service:', err));
});

Create services/infobip.js: This file will contain the logic for interacting with the Infobip API.

javascript

// services/infobip.js
const axios = require('axios');

// --- Configuration ---
// These should come from environment variables
const INFOBIP_API_KEY = process.env.INFOBIP_API_KEY;
const INFOBIP_BASE_URL = process.env.INFOBIP_BASE_URL;
// Example values - Consider making these configurable via .env or other means
const APP_NAME = process.env.INFOBIP_APP_NAME || 'MyNodejsApp 2FA'; // Example name
const SENDER_ID = process.env.INFOBIP_SENDER_ID || 'InfoSMS'; // Example sender - may need registration
const MESSAGE_TEMPLATE_TEXT = process.env.INFOBIP_MESSAGE_TEMPLATE || 'Your verification PIN is {{pin}}. It expires in 5 minutes.'; // Example template text

// --- State (to store IDs retrieved from Infobip) ---
// Populated from .env or dynamically created on first run.
let applicationId = process.env.INFOBIP_APPLICATION_ID;
let messageId = process.env.INFOBIP_MESSAGE_ID;

// --- Axios Instance ---
let infobipAxios; // Define here, initialize after checking config

// --- Helper Functions ---

/**
 * Creates a 2FA Application in Infobip.
 * Lacks idempotency check: Assumes it needs creation if ID is missing.
 * In production, consider listing apps by name first if API allows.
 * @returns {Promise<string&gt;} The Application ID.
 */
async function createApplication() {
    try {
        console.log(`Attempting to create Infobip 2FA Application: ${APP_NAME}`);
        // Note: This doesn't check if an app with this name already exists.
        // Running this multiple times without saving the ID will create duplicates.
        const response = await infobipAxios.post('/2fa/2/applications', {
            name: APP_NAME,
            configuration: {
                pinAttempts: 10, // Max attempts to verify PIN
                allowMultiplePinVerifications: true, // Useful for testing, maybe false in prod
                pinTimeToLive: '5m', // PIN validity duration (e.g., 5 minutes)
                verifyPinLimit: '3/1s', // Rate limit for verification calls per second
                sendPinPerApplicationLimit: '10000/1d', // Max PINs sent per app per day
                sendPinPerPhoneNumberLimit: '5/1d' // Max PINs sent per phone number per day
            },
            enabled: true
        });
        console.log('Infobip Application created successfully.');
        return response.data.applicationId;
    } catch (error) {
        console.error('Error creating Infobip Application:', error.response?.data || error.message);
        // Possible improvement: Check if error indicates a conflict (app already exists)
        // and attempt to retrieve the existing app's ID. Requires checking Infobip API error codes.
        throw new Error(`Failed to create Infobip Application: ${error.message}`);
    }
}

/**
 * Creates a 2FA Message Template in Infobip for a given Application.
 * Lacks idempotency check: Assumes it needs creation if ID is missing.
 * In production, consider listing templates for the app first.
 * @param {string} appId The Infobip Application ID.
 * @returns {Promise<string&gt;} The Message ID.
 */
async function createMessageTemplate(appId) {
    try {
        console.log(`Attempting to create Infobip Message Template for App ID: ${appId}`);
        // Note: This doesn't check if a template with this configuration already exists for the app.
        // Running this multiple times without saving the ID will create duplicates.
        const response = await infobipAxios.post(`/2fa/2/applications/${appId}/messages`, {
            messageText: MESSAGE_TEMPLATE_TEXT,
            pinType: 'NUMERIC', // Can be NUMERIC, ALPHA, ALPHANUMERIC, HEX
            pinLength: 6, // Length of the OTP code
            language: 'en', // Optional: Specify language
            senderId: SENDER_ID, // Alphanumeric sender ID (must be registered/approved by Infobip in some regions)
            // regional: { indiaDlt: { contentTemplateId: '...', principalEntityId: '...' } }, // Example for regional compliance like India DLT
        });
        console.log('Infobip Message Template created successfully.');
        return response.data.messageId;
    } catch (error) {
        console.error('Error creating Infobip Message Template:', error.response?.data || error.message);
        // Possible improvement: Check for conflict errors.
        throw new Error(`Failed to create Infobip Message Template: ${error.message}`);
    }
}


// --- Core Service Functions ---

/**
 * Initializes the service: Checks credentials, creates Axios instance,
 * and ensures Application and Message Template IDs are available,
 * creating them via API if not found in environment variables.
 * Relies on manual update of .env after first run.
 */
async function initialize() {
    if (!INFOBIP_API_KEY || !INFOBIP_BASE_URL) {
         throw new Error('Infobip API Key or Base URL missing in environment variables (INFOBIP_API_KEY, INFOBIP_BASE_URL).');
    }

    // Initialize Axios instance now that we have base URL and key
    infobipAxios = axios.create({
        baseURL: INFOBIP_BASE_URL,
        headers: {
            'Authorization': `App ${INFOBIP_API_KEY}`,
            'Content-Type': 'application/json',
            'Accept': 'application/json'
        }
    });

    if (!applicationId) {
        console.log('INFOBIP_APPLICATION_ID not found in .env, attempting to create one...');
        applicationId = await createApplication();
        // IMPORTANT: Manual step required after first run!
        console.warn(`------------------------------------------------------------------------------------`);
        console.warn(`ACTION REQUIRED: Copy the Application ID below and paste it into your .env file as:`);
        console.warn(`INFOBIP_APPLICATION_ID=${applicationId}`);
        console.warn(`This avoids creating a new application on every server start.`);
        console.warn(`------------------------------------------------------------------------------------`);
        // Consider a dedicated setup script or making these mandatory env vars for subsequent runs.
    } else {
         console.log(`Using existing Infobip Application ID from .env: ${applicationId}`);
    }

    if (!messageId) {
         console.log('INFOBIP_MESSAGE_ID not found in .env, attempting to create one...');
         messageId = await createMessageTemplate(applicationId);
         // IMPORTANT: Manual step required after first run!
         console.warn(`------------------------------------------------------------------------------------`);
         console.warn(`ACTION REQUIRED: Copy the Message ID below and paste it into your .env file as:`);
         console.warn(`INFOBIP_MESSAGE_ID=${messageId}`);
         console.warn(`This avoids creating a new message template on every server start.`);
         console.warn(`------------------------------------------------------------------------------------`);
    } else {
        console.log(`Using existing Infobip Message ID from .env: ${messageId}`);
    }
}

/**
 * Sends an OTP to the specified phone number using the configured App/Message.
 * @param {string} phoneNumber The recipient's phone number in E.164 format (e.g., 447... ).
 * @returns {Promise<string&gt;} The PIN ID for verification.
 */
async function sendOtp(phoneNumber) {
    if (!applicationId || !messageId || !infobipAxios) {
        throw new Error('Infobip service not initialized properly. Check configuration and initialization logs.');
    }
    try {
        const response = await infobipAxios.post('/2fa/2/pin', {
            applicationId: applicationId,
            messageId: messageId,
            // 'from' can often be omitted if set correctly in the Message Template
            // from: SENDER_ID,
            to: phoneNumber
        });
        // Response includes pinId, to, ncStatus, smsStatus
        console.log('Infobip Send PIN Response Status:', response.data.smsStatus);
        if (!response.data.pinId) {
             throw new Error('Infobip did not return a pinId in the response.');
        }
        return response.data.pinId;
    } catch (error) {
         console.error(`Error sending OTP via Infobip to ${phoneNumber}:`, error.response?.data || error.message);
         // Rethrow a more specific error or handle based on Infobip error codes
         throw error; // Let the route handler manage the HTTP response
    }
}

/**
 * Verifies the OTP code submitted by the user against the pinId.
 * @param {string} pinId The PIN ID received after sending the OTP.
 * @param {string} otpCode The 6-digit code entered by the user.
 * @returns {Promise<boolean&gt;} True if verification is successful, false otherwise.
 */
async function verifyOtp(pinId, otpCode) {
     if (!applicationId || !messageId || !infobipAxios) {
        throw new Error('Infobip service not initialized properly. Check configuration and initialization logs.');
    }
    try {
        const response = await infobipAxios.post(`/2fa/2/pin/${pinId}/verify`, {
            pin: otpCode
        });
        // Response includes verified (boolean), msisdn, attemptsRemaining
        console.log(`Infobip Verify PIN Response: Verified=${response.data.verified}, Attempts Left=${response.data.attemptsRemaining}`);
        return response.data.verified;
    } catch (error) {
        console.error(`Error verifying OTP via Infobip for pinId ${pinId}:`, error.response?.data || error.message);
         // Handle specific errors like PIN expired, not found, etc.
        if (error.response?.status === 400) {
            // Common client errors (wrong PIN, expired, max attempts)
            const serviceException = error.response.data?.requestError?.serviceException;
            if (serviceException) {
                console.warn(`Infobip Verification Error: ${serviceException.messageId} - ${serviceException.text}`);
                 // If PIN is incorrect ('PIN_INVALID'), the `verified` flag will be false, caught below.
                 // Re-throw specific errors that the route handler should know about (like expired)
                 if (serviceException.messageId === 'PIN_EXPIRED' || serviceException.messageId === 'PIN_NOT_FOUND' || serviceException.messageId === 'MAX_ATTEMPTS_EXCEEDED') {
                    throw error; // Let route handler provide specific message
                }
             }
            // Treat other 400s (like potentially wrong PIN if not caught above) as simply """"not verified""""
            return false;
        }
        // Rethrow unexpected errors (e.g., 5xx from Infobip, network errors) for server-level handling
        throw error;
    }
}

module.exports = {
    initialize,
    sendOtp,
    verifyOtp
};

Create .env File: Add your Infobip credentials and configuration here.

bash

# .env

# --- Server ---
PORT=3000

# --- Infobip Credentials ---
# Get these from your Infobip account dashboard (https://portal.infobip.com/)
# API Key Management section
INFOBIP_API_KEY=YOUR_ACTUAL_INFOBIP_API_KEY
INFOBIP_BASE_URL=YOUR_INFOBIP_ACCOUNT_BASE_URL # e.g., https://xyz123.api.infobip.com

# --- Infobip 2FA Configuration (Leave blank initially) ---
# After the first successful server start, the Application ID and Message ID will be logged
# to the console. Copy and paste those values here to prevent recreating them on every run.
# This is crucial for consistent behavior and avoiding duplicate resources in Infobip.
INFOBIP_APPLICATION_ID=
INFOBIP_MESSAGE_ID=

# --- Optional Infobip Configuration ---
# You can override the defaults in infobip.js by setting these variables
# INFOBIP_APP_NAME=""My Custom App Name""
# INFOBIP_SENDER_ID=""MySender"" # Ensure this sender is approved/valid in your region
# INFOBIP_MESSAGE_TEMPLATE=""Your code for My Custom App is {{pin}}.""

How to find INFOBIP_API_KEY and INFOBIP_BASE_URL:

Log in to your Infobip account: https://portal.infobip.com/
Your Base URL is usually visible on the homepage dashboard after logging in, often in an ""API"" section or code examples. It looks like https://<your-unique-id>.api.infobip.com.
Navigate to the ""API Key Management"" section (often under your account settings or Developer Tools).
Create a new API key if you don't have one. Copy the key value securely into your .env file. Treat this key like a password.

2. Implementing Core Functionality

The core logic is implemented within server.js (route handlers) and services/infobip.js (API interaction).

Key Implementation Details:

Infobip Service Initialization (initialize):
- On server startup, this function checks if INFOBIP_APPLICATION_ID and INFOBIP_MESSAGE_ID are present in the environment variables (.env).
- If not found, it calls the Infobip API to create a new 2FA Application and a Message Template within that application using the settings defined (or defaulted) in services/infobip.js.
- It logs the created IDs with clear instructions (ACTION REQUIRED) prompting you to add them to your .env file. This manual step is necessary for this example setup to prevent creating new apps/templates on every restart, which is inefficient, costly, and can clutter your Infobip account. A more advanced setup might use a separate one-time setup script.
- Why? Application and Message Template configurations define how OTPs are handled (length, expiry, rate limits, message text). These are typically static configurations for your application's 2FA use case.
Requesting OTP (/request-otp route, sendOtp service function):
- The route takes the phoneNumber from the request body.
- It calls infobipService.sendOtp, passing the phone number.
- The sendOtp function makes a POST request to Infobip's /2fa/2/pin endpoint, including the applicationId, messageId, and recipient number (to).
- Infobip handles generating the PIN and sending the SMS based on the template associated with the messageId.
- Infobip returns a pinId in the response. This pinId uniquely identifies this specific OTP request.
- Crucially: The server.js stores this pinId temporarily (in our demo otpStore), associating it with the phoneNumber. This in-memory store is NOT SUITABLE FOR PRODUCTION. In a real application, use secure server-side storage like Redis (with TTL), a database table (with TTL and cleanup), or encrypted session data linked to the user attempting verification. This is vital to link the subsequent verification step back to the correct OTP request and user session. The simple setTimeout cleanup in the example is also not robust for production.
Verifying OTP (/verify-otp route, verifyOtp service function):
- The route takes phoneNumber and the submitted otp code.
- It retrieves the pinId previously stored for that phoneNumber from the temporary store. If no pinId is found (e.g., expired, cleaned up, never requested, or server restarted with in-memory store), it returns an error.
- It calls infobipService.verifyOtp, passing the retrieved pinId and the user's submitted otp code.
- The verifyOtp function makes a POST request to Infobip's /2fa/2/pin/{pinId}/verify endpoint.
- Infobip checks if the provided otp matches the one generated for that pinId and if it's still valid (not expired, within attempt limits defined in the Application config).
- Infobip returns a response including a verified boolean flag.
- If verified is true, the route clears the stored pinId (it's been successfully used) and returns success. This is where you would typically update the user's status in your database (e.g., mark is_phone_verified = true).
- If verified is false or an error occurs (like PIN expired, which the service function identifies and potentially re-throws), it returns an appropriate error message.

Alternative Approaches:

Infobip SDKs: Infobip provides official SDKs for various languages (check their developer portal). These can abstract some of the direct axios calls and might offer convenience features. However, understanding the underlying API calls remains beneficial.
State Management: As emphasized above, replace the demo otpStore. Redis with key expiry is a common, performant choice. A database table with columns for pinId, phoneNumber (or userId), expiresAt, and isVerified is another solid option, requiring a background job or query condition to handle cleanup of expired entries.

3. Building a Complete API Layer

Our server.js already defines the basic API layer. Let's discuss enhancements for production.

Authentication/Authorization:
- The /request-otp endpoint might be public (e.g., during phone verification in registration) or require user authentication (e.g., if adding/verifying a phone for an existing logged-in user). Implement checks accordingly.
- The /verify-otp endpoint implicitly relies on the pinId being linked to the correct user session or initial request via your chosen state management. Ensure this link is secure and cannot be manipulated. If verifying a logged-in user, double-check the verification action is authorized for that specific user's session.

Request Validation: Prevent invalid or malicious data from hitting your core logic or the Infobip API.

Example using express-validator:

bash

npm install express-validator

javascript

// server.js (additions/modifications shown)
const { body, validationResult } = require('express-validator');
const express = require('express'); // Ensure express is required if not already
const infobipService = require('./services/infobip');
require('dotenv').config();

const app = express(); // Assuming app setup is here or imported
const PORT = process.env.PORT || 3000;

app.use(express.json());

// --- In-Memory Storage (DEMO ONLY) ---
const otpStore = {};
const setupOtpCleanup = (phoneNumber, pinId) =&gt; {
    setTimeout(() =&gt; {
        if (otpStore[phoneNumber] === pinId) {
            delete otpStore[phoneNumber];
            console.log(`Cleaned up expired/unused pinId for ${phoneNumber}`);
        }
    }, 10 * 60 * 1000); // 10 minutes
};


// --- Validation Middleware ---
const validatePhoneNumber = [
    body('phoneNumber')
      .trim()
      .notEmpty().withMessage('Phone number is required.')
      .isMobilePhone('any', { strictMode: false }).withMessage('Invalid phone number format. Include country code if necessary.'),
     // Consider adding custom validation for E.164 format if needed (using libphonenumber-js)
];

const validateVerification = [
    body('phoneNumber')
      .trim()
      .notEmpty().withMessage('Phone number is required.')
      .isMobilePhone('any', { strictMode: false }).withMessage('Invalid phone number format.'),
    body('otp')
      .trim()
      .notEmpty().withMessage('OTP is required.')
      .isLength({ min: 6, max: 6 }).withMessage('OTP must be exactly 6 digits.')
      .isNumeric().withMessage('OTP must contain only numbers.')
];

// --- Helper to handle validation results ---
const handleValidationErrors = (req, res, next) =&gt; {
    const errors = validationResult(req);
    if (!errors.isEmpty()) {
        return res.status(400).json({ success: false, errors: errors.array() });
    }
    next();
};

// --- Routes (with validation added) ---
app.post('/request-otp', validatePhoneNumber, handleValidationErrors, async (req, res) =&gt; {
    // ... (existing route logic)
    const { phoneNumber } = req.body; // Already validated

    try {
        console.log(`Requesting OTP for ${phoneNumber}`);
        const pinId = await infobipService.sendOtp(phoneNumber);
        console.log(`OTP request successful for ${phoneNumber}, pinId: ${pinId}`);
        otpStore[phoneNumber] = pinId;
        setupOtpCleanup(phoneNumber, pinId);
        res.status(200).json({ success: true, message: 'OTP sent successfully.' });
    } catch (error) {
        // ... (existing error handling)
        console.error('Error sending OTP:', error.response?.data || error.message);
        res.status(500).json({
            success: false,
            error: 'Failed to send OTP. Please try again later.',
            errorCode: error.response?.data?.requestError?.serviceException?.messageId || 'UNKNOWN_ERROR'
        });
    }
});

app.post('/verify-otp', validateVerification, handleValidationErrors, async (req, res) =&gt; {
    // ... (existing route logic)
    const { phoneNumber, otp } = req.body; // Already validated
    const pinId = otpStore[phoneNumber];

    if (!pinId) {
        // ... (existing handling for missing pinId)
        console.warn(`No active OTP request found for ${phoneNumber}.`);
        return res.status(400).json({ success: false, error: 'No active OTP request found or it has expired. Please request a new OTP.' });
    }

    try {
        // ... (existing verification logic)
        console.log(`Verifying OTP ${otp} for ${phoneNumber} with pinId ${pinId}`);
        const isVerified = await infobipService.verifyOtp(pinId, otp);

        if (isVerified) {
            // ... (existing success handling)
            console.log(`OTP verification successful for ${phoneNumber}`);
            delete otpStore[phoneNumber];
            res.status(200).json({ success: true, message: 'OTP verified successfully.' });
        } else {
            // ... (existing failure handling)
            console.warn(`OTP verification failed for ${phoneNumber}. Incorrect PIN.`);
            res.status(400).json({ success: false, error: 'Invalid OTP code.' });
        }
    } catch (error) {
        // ... (existing error handling, including specific error codes)
        console.error('Error verifying OTP:', error.response?.data || error.message);
        const errorCode = error.response?.data?.requestError?.serviceException?.messageId;
        let errorMessage = 'Failed to verify OTP. Please try again later.';
        // ... (logic for specific error messages based on errorCode)
         if (errorCode === 'TOO_MANY_REQUESTS') {
             errorMessage = 'Too many verification attempts. Please try again later.';
         } else if (errorCode === 'PIN_EXPIRED') {
            errorMessage = 'OTP code has expired. Please request a new one.';
            if (otpStore[phoneNumber] === pinId) delete otpStore[phoneNumber];
         } else if (errorCode === 'PIN_NOT_FOUND') {
            errorMessage = 'Invalid request. Please request a new OTP.';
            if (otpStore[phoneNumber] === pinId) delete otpStore[phoneNumber];
         }
        res.status(500).json({ success: false, error: errorMessage, errorCode: errorCode || 'UNKNOWN_ERROR' });
    }
});

// --- Start Server ---
app.listen(PORT, () =&gt; {
    console.log(`Server running on port ${PORT}`);
    infobipService.initialize()
      .then(() =&gt; console.log('Infobip service initialized.'))
      .catch(err =&gt; console.error('Failed to initialize Infobip service:', err));
});

Frequently Asked Questions

Use the Infobip API with a Node.js Express server. Create two endpoints: `/request-otp` to send the OTP and `/verify-otp` to validate it. This guide provides a step-by-step implementation for enhancing your application's security.

The Infobip API is the core service for generating, sending, and verifying OTPs via SMS. It handles the communication with the SMS gateway and manages PIN generation, validation, and expiry.

SMS OTP adds a strong layer of security by verifying user possession of a registered phone number. It helps protect against unauthorized access even if passwords are compromised.

Implement SMS OTP for sensitive actions like user registration, login, or any operation involving personal data or financial transactions. It's crucial for increasing security and building user trust.

While this guide focuses on Infobip, the general principles apply to other providers. You'll need to adapt the API calls and configuration specific to your chosen provider's documentation.

Make a POST request to Infobip's `/2fa/2/pin` endpoint, providing your Application ID, Message ID, and the user's phone number. Infobip will generate the OTP, send the SMS, and return a `pinId` for verification.

The `pinId` uniquely identifies each OTP request. It's crucial to store this securely on the server-side and associate it with the user's phone number or session for proper verification.

Send a POST request to Infobip's `/2fa/2/pin/{pinId}/verify` endpoint, including the OTP code entered by the user. Infobip will respond with a 'verified' flag indicating whether the code is correct and valid.

You need Node.js and npm, an active Infobip account, a registered phone number for testing, and a basic understanding of Node.js, Express, APIs, and asynchronous JavaScript.

In-memory storage is not suitable for production as it's not persistent, not scalable, and prone to data loss if the server restarts. Use a persistent data store like Redis or a database with TTL (Time To Live) for storing OTP data.

Use a persistent and secure data store like Redis with key expiry or a database table with fields for `pinId`, `phoneNumber`, `expiresAt`, and `isVerified`. Implement proper cleanup mechanisms for expired entries.

You'll primarily need `express`, `axios`, and `dotenv`. Optionally, use `express-validator` for input validation and `express-rate-limit` for security against brute-force attacks.

Log into your Infobip account at https://portal.infobip.com/. Your base URL is often visible on the dashboard, and the API key can be found in the API Key Management section under account settings or Developer Tools. Treat your API key like a password; keep it secure.

The guide recommends a structure with folders for `node_modules` and `services`, files like `.env`, `.gitignore`, `package.json`, and your main server file (`server.js`), keeping the project organized and maintainable.

Project Overview and Goals

1. Setting up the Project

2. Implementing Core Functionality

3. Building a Complete API Layer

Frequently Asked Questions

How to implement 2FA with SMS OTP in Node.js?

What is the Infobip API used for in this tutorial?

Why use SMS OTP for two-factor authentication?

When should I implement SMS OTP verification?

Can I use a different SMS provider with this setup?

How to send OTP SMS messages with Infobip?

What is the purpose of the `pinId` from Infobip?

How to verify the OTP code with Infobip API?

What are the prerequisites for setting up OTP verification?

Why shouldn't I use in-memory storage for OTP data?

How to store OTP data securely in production?

What are the Node.js dependencies for implementing Infobip OTP?

Where can I find my Infobip API key and base URL?

What is the project structure for this Infobip OTP guide?