The latest articles on DEV Community by Deval Ujeniya (@devalujeniya). https://dev.to/devalujeniya https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3941574%2Fdeaa0b62-b352-49a0-858b-079f89c87887.jpeg https://dev.to/devalujeniya en Deval Ujeniya Wed, 20 May 2026 07:16:59 +0000 https://dev.to/devalujeniya/i-built-an-otp-system-with-redis-then-realized-ttl-wasnt-enough-4jla https://dev.to/devalujeniya/i-built-an-otp-system-with-redis-then-realized-ttl-wasnt-enough-4jla <p>I thought this would be a simple backend task.</p> <p>Generate OTP → Store in Redis → Add expiration → Verify user.</p> <p>Done.</p> <p>My first implementation looked like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span> <span class="nf">otpKey</span><span class="p">(</span><span class="nx">phone</span><span class="p">),</span> <span class="nx">otp</span><span class="p">,</span> <span class="dl">"</span><span class="s2">EX</span><span class="dl">"</span><span class="p">,</span> <span class="mi">60</span> <span class="p">);</span> </code></pre> </div> <p>OTP expires after <strong>60 seconds</strong>.</p> <p>Looks perfect.</p> <p>Until I asked myself:</p> <blockquote> <p>What actually stops someone from guessing forever?</p> </blockquote> <p>Nothing 😭</p> <p>Someone could still keep trying:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>123456 111111 999999 000000 654321 222222 </code></pre> </div> <p>The OTP expires.</p> <p>Brute force attempts do not.</p> <p>That was the moment I realized:</p> <p><strong>TTL solves expiration.<br> TTL does NOT solve security.</strong></p> <h2> Version 1: Store Only OTP </h2> <p>Initially Redis stored only:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="s2">"123456"</span><span class="w"> </span></code></pre> </div> <p>Simple.</p> <p>But there was no information about:</p> <ul> <li>Failed attempts</li> <li>Blocking state</li> <li>Verification behavior</li> <li>Security tracking</li> </ul> <p>So I changed the design.</p> <p>Instead of storing only the OTP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"otp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"123456"</span><span class="p">,</span><span class="w"> </span><span class="nl">"attempts"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"maxAttempts"</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="nl">"blockedUntil"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Redis stopped feeling like cache.</p> <p>It started acting like a lightweight state engine.</p> <h2> Adding Brute Force Protection </h2> <p>Wrong OTP?</p> <p>Increase attempts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">otpData</span><span class="p">.</span><span class="nx">attempts</span><span class="o">++</span><span class="p">;</span> </code></pre> </div> <p>After 3 failures:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">otpData</span><span class="p">.</span><span class="nx">blockedUntil</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">+</span> <span class="mi">60000</span><span class="p">;</span> </code></pre> </div> <p>Users are blocked for <strong>60 seconds</strong>.</p> <p>Problem solved.</p> <p>Or at least…</p> <p>That’s what I thought 😭</p> <h2> The Redis Bug I Didn’t Expect </h2> <p>When verification failed I updated Redis:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span> <span class="nf">otpKey</span><span class="p">(</span><span class="nx">phone</span><span class="p">),</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span> <span class="nx">otpData</span> <span class="p">),</span> <span class="dl">"</span><span class="s2">EX</span><span class="dl">"</span><span class="p">,</span> <span class="mi">60</span> <span class="p">);</span> </code></pre> </div> <p>Looks harmless.</p> <p>But there was a hidden problem.</p> <p>Imagine this:</p> <ul> <li>OTP created</li> <li>TTL = 60 sec</li> <li>User fails at second 55</li> <li>Redis updates state</li> <li>TTL becomes 60 again</li> </ul> <p>The OTP suddenly lives longer.</p> <p>I accidentally extended authentication lifetime after every failed attempt.</p> <p>Not ideal.</p> <h2> The Fix </h2> <p>Before updating Redis:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">ttl</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">ttl</span><span class="p">(</span> <span class="nf">otpKey</span><span class="p">(</span><span class="nx">phone</span><span class="p">)</span> <span class="p">);</span> </code></pre> </div> <p>Reuse remaining TTL:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span> <span class="nf">otpKey</span><span class="p">(</span><span class="nx">phone</span><span class="p">),</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span> <span class="nx">otpData</span> <span class="p">),</span> <span class="dl">"</span><span class="s2">EX</span><span class="dl">"</span><span class="p">,</span> <span class="nx">ttl</span> <span class="p">);</span> </code></pre> </div> <p>Now:</p> <ul> <li>OTP created → 60 sec</li> <li>User fails at second 55</li> <li>Remaining TTL = 5</li> <li>Redis update keeps TTL = 5</li> </ul> <p>Expiration stays correct ✅</p> <h2> Biggest Lesson From This Project </h2> <p>I started with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Redis = Cache </code></pre> </div> <p>I finished with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Redis = State Engine </code></pre> </div> <p>TTL → Expiration</p> <p>Attempts → Security</p> <p>Blocking → Authentication logic</p> <p>Redis became part of application behavior.</p> <p>That was the biggest lesson.</p> <h2> Things I Want To Improve Next </h2> <h3> 1. Rate limiting per IP </h3> <p>Prevent OTP spam.</p> <h3> 2. Redis Hashes </h3> <p>Avoid rewriting entire JSON objects.</p> <h3> 3. Atomic updates </h3> <p>Current flow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GET ↓ Modify ↓ SET </code></pre> </div> <p>Possible improvements:</p> <ul> <li>Transactions</li> <li>WATCH / MULTI</li> <li>Lua scripts</li> </ul> <h3> 4. Handle race conditions </h3> <p>Two verification requests arriving together could create inconsistent state.</p> <h3> 5. Add resend cooldown </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Send OTP ↓ Wait 30 sec ↓ Allow resend </code></pre> </div> <h2> Final Thought </h2> <p>I started building:</p> <p><strong>OTP + Redis + TTL</strong></p> <p>I ended up learning:</p> <ul> <li>Authentication design</li> <li>State management</li> <li>Expiration handling</li> <li>Brute-force protection</li> <li>Backend security</li> </ul> <p>Small project.</p> <p>Big Redis lesson.</p> <p><strong>Day 2 of learning Redis 🚀</strong></p> <p>If you’ve built OTP systems before:</p> <p>Would you keep state in Redis?</p> <p>Or move some logic elsewhere?</p> redis node security javascript