Cryptographically Weak

[prathamtagad]

File: userAuth.controller.js

OTPs are generated using Math.random(), which is not cryptographically secure. An attacker who can predict the RNG state could forge OTPs.

const otp = Math.floor(100000 + Math.random() * 900000).toString();

The dashboard-api already uses crypto.randomInt() in auth.controller.js,
The public-api should follow the same pattern for consistency and security.

[yash-pouranik]

@prathamtagad Helloooooooooooo
One good news that urbackend is listed in NSOC'26'Project-list So If you want to get Recognize or to be active in Open source community? you can register at NSOC'26
Let me know if you are joining? if yes then we will review ur PR after 15April i.e. contribution Period in NSOC. Just let me know.

[prathamtagad]

yes sure, I'm joining rn!

[yash-pouranik]

@prathamtagad Just let me know when you have registered. If any issue persists u can ping me