Login and Verify with only phone number using Nexmo or Twilio

This is an authentication flow which logs in the user with only the phone number provided (WhatsApp style). The steps are:

  1. User enters the phone number, which is sent to the server.
  2. Server generates a 4-digit random key and saves the pair (phone, key) in the DB.
  3. Server asks a 3rd-party SMS service to send the key to the phone.
  4. SMS service sends the message.
  5. User enters the key from the SMS, and it is sent to the server together with the phone.
  6. Server checks the pair against the DB.
  7. If the pair exists, the server sends back a token for further calls.

    What I am trying to understand is where services like Twilio and Nexmo fit in (or replace parts of the flow).

    From what I understand, looking at Nexmo for example, I can replace steps 2 and 3 with an API call to:
    https://api.nexmo.com/verify/
    and save the request_id from the response in the DB as pair (phone,request_id).
    And now, when the user enters a 4 digit code and sends it back,
    I need to call:
    https://api.nexmo.com/verify/check/json
    providing it with request_id and code.

    But where do I get the request_id?
    Does the server need to send it back to the client the moment it gets it from Nexmo?
    I can't see the benefits of using Nexmo here, what will it save me?


    Answer to your first question: the request_id is part of the response to the first verify API call. See: https://docs.nexmo.com/index.php/verify/verify

    As to what are the benefits of Nexmo here, I believe you have two options:

  • Generate your own code, use Nexmo to text it to your user, have the user submit the code back to your application, verify code against your own database.
  • Use Nexmo verify service to generate and send the code to the user, store the returned request_id in your db, have user submit code to your application, call Nexmo verify API to validate code.

    In some ways the first option is easier, as it is fewer API calls. However, the benefit of the second option, using Nexmo Verify, is that they build a whole lot more capabilities into the service: falling back to a voice call if SMS isn't working, filtering out virtual phone numbers to prevent spam, not having to pay for failed SMS attempts, reporting/analytics, etc.

    Hopefully that helps a little.
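
An added example, not part of the original question or answer: a sketch of the first option (generate and check the code yourself) with the server-side checks a 4-digit key needs, since it has only 10,000 possible values. The `PhoneLogin` class, the `send_sms` callable (a stand-in for whichever SMS provider call you use), and the expiry and attempt limits are assumptions for illustration.

```python
import hmac
import secrets
import time

CODE_TTL = 300     # assumed: seconds a code stays valid
MAX_ATTEMPTS = 3   # assumed: wrong guesses allowed per issued code


class PhoneLogin:
    """In-memory stand-in for the (phone, key) table in the flow above."""

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms  # callable(phone, text) wrapping the SMS provider
        self._now = now            # injectable clock so expiry can be exercised
        self._pending = {}         # phone -> [code, expires_at, attempts_left]

    def start(self, phone):
        # Steps 2-3: draw the key from a CSPRNG, store the pair, text the key.
        # A new request overwrites any earlier pending key for this phone.
        code = f"{secrets.randbelow(10_000):04d}"
        self._pending[phone] = [code, self._now() + CODE_TTL, MAX_ATTEMPTS]
        self._send_sms(phone, f"Your login code is {code}")

    def verify(self, phone, code):
        # Steps 6-7: check the pair; return a session token, or None on failure.
        entry = self._pending.get(phone)
        if entry is None:
            return None
        stored, expires_at, _ = entry
        if self._now() > expires_at:
            del self._pending[phone]          # expired keys are never accepted
            return None
        # Constant-time comparison of the submitted key with the stored one.
        if hmac.compare_digest(stored.encode(), code.encode()):
            del self._pending[phone]          # single use: a key cannot be replayed
            return secrets.token_urlsafe(32)  # opaque token for further calls
        entry[2] -= 1
        if entry[2] == 0:
            del self._pending[phone]          # guesses used up: a new key is required
        return None
```

Without the attempt limit, a client could simply try all 10,000 keys against step 6; `start` itself should also be rate limited per phone and per client, which this sketch leaves out.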
