Best practices for OTP-based login & downloading files?

[deadcoder0904]

I have created a Next.js project with simple API routes 🤜 https://github.com/deadcoder0904/nextjs-rate-limit

But I have doubts on the request & points I'm using.

So would love to know what are the best practices on these routes.

Not expecting to get rate limited but if I do, would love some simple parameters.

Only have 2 different routes that matter:

1. Email-based login & OTP-based Verify Email (both probably require the same rate limit strategy) -> https://github.com/deadcoder0904/nextjs-rate-limit/blob/main/src/app/api/login/route.ts
2. Downloading a file -> https://github.com/deadcoder0904/nextjs-rate-limit/blob/main/src/app/api/download/route.ts

I made this small project to mimic my real-world scenario.

Would definitely love to know what should I put in those numbers?

I have read the Wiki examples & tried making the complex scenarios but I think it is premature optimization for my early-stage product so just need something simple yet effective.

PS: Lmk if I'm doing anything wrong in my project. If it's good enough, you can put it in the Wiki itself as it lacks Next.js specific examples.

[animir]

@deadcoder0904 Hi

1. I usually allow 10 attempts for email-based login and then block for 15 minutes.
2. OTP-based verification should allow no more than 3 attempts. After the third attempt a new OTP should be sent.
3. To decide what rate limit should be on the Download a file endpoint, you should analyze your files. There is no best practice, but understanding what your server should and can handle if somebody tries to DDoS it with many file downloads. You can also limit by the total size of files user can download per hour/day.

[deadcoder0904]

regarding 3, i'm using cloudflare r2. won't they handle that already?

[animir]

If your files are served from Cloudflare, then you don't need to rate limit that.

[deadcoder0904]

well i thought so too but wasn't sure. i guess i need just 1 rate-limit endpoint now. probably 2 if i use different logic for otp.

[animir]

@deadcoder0904 Could you provide an example of Next.js code? I would add to Wiki to a separate page.

[deadcoder0904]

the full repo is at https://github.com/deadcoder0904/nextjs-rate-limit/ (everything inside api/ folder, i.e, files named route.ts use rate-limiter-flexible & perhaps a redis client)