Explanation
I have an API running on Laravel 5.8 that uses the Nexmo Verify API in order to send a code by SMS for two things:
- (1) User account creation (check phone number before creating the account)
- (2) Forgotten password (check code sent before entering a new password)
This PHP API is used by an iOS Application and an Android Application.
In the first case (1), I have to check that the phone number does not exist before sending an SMS.
In the second case (2), I have to check that the phone number exists before sending an SMS.
So, I may have two API routes:
- One checks if a phone number already exists, so that the mobile applications can display the next page or display an error.
- The other one simply sends an SMS code to a phone number.
Problem
The problem is that we can have a route that looks like /api/phone/sendcode, and anyone can call this route directly without using the mobile application if they find out what the endpoint is (it's just an API after all). It can be easy to use this route to spam.
Or, they could also call a route like api/phone/exists tons of times to try to get all existing users.
Question
How can I secure the endpoints in order to prevent people from using them directly to spam or to check in a loop whether an account exists?
I already have a throttling system that blocks a specific IP address from requesting an endpoint more than X times in a minute, but I think this is not enough and can be bypassed (using a proxy or whatever).
Also, I prefer to avoid using a Captcha.
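One defensive layer the question itself points at is to throttle on more than the client IP: rate-limit per target phone number as well, so rotating proxies does not let one number be hit repeatedly, and keep a per-IP budget of distinct attempts so one client cannot walk through many numbers. The middleware below is an added example, not the asker's code; it is written for Laravel 5.8's Illuminate\Cache\RateLimiter (whose hit() takes a decay in seconds in that release). The request field name `phone`, the cache key prefixes and the limits are assumptions for illustration.

```php
<?php
// Added example (not the asker's code): a Laravel 5.8 middleware that throttles
// the send-code / exists endpoints per target phone number AND per client IP.
// Assumptions: the number arrives as the request field `phone`; limits and key
// prefixes below are illustrative and should be tuned for the real traffic.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Cache\RateLimiter;
use Illuminate\Http\Request;

class ThrottleByPhone
{
    /** @var RateLimiter */
    protected $limiter;

    public function __construct(RateLimiter $limiter)
    {
        $this->limiter = $limiter;
    }

    /**
     * @param  int  $maxPerPhone   attempts allowed against one phone number per window
     * @param  int  $maxPerIp      attempts allowed from one client IP per window
     * @param  int  $decaySeconds  window length (Laravel 5.8 RateLimiter::hit counts seconds)
     */
    public function handle(Request $request, Closure $next, $maxPerPhone = 3, $maxPerIp = 10, $decaySeconds = 600)
    {
        // Normalise to digits only so "+33 6 12..." and "0612..." share one bucket.
        $phone = preg_replace('/\D+/', '', (string) $request->input('phone', ''));
        if ($phone === '') {
            return response()->json(['message' => 'Invalid phone number.'], 422);
        }

        // Hash the number so the raw value never sits in cache keys or logs.
        $keys = [
            'sms:phone:' . hash('sha256', $phone) => (int) $maxPerPhone,
            'sms:ip:' . $request->ip()            => (int) $maxPerIp,
        ];

        // Reject if EITHER bucket is exhausted; tell well-behaved clients when to retry.
        foreach ($keys as $key => $max) {
            if ($this->limiter->tooManyAttempts($key, $max)) {
                return response()->json(['message' => 'Too many requests.'], 429)
                    ->header('Retry-After', $this->limiter->availableIn($key));
            }
        }

        // Count this attempt in both buckets only once both checks passed.
        foreach (array_keys($keys) as $key) {
            $this->limiter->hit($key, (int) $decaySeconds);
        }

        return $next($request);
    }
}
```

Register it under a name in `$routeMiddleware` in app/Http/Kernel.php and attach it to both routes, e.g. `->middleware('throttle.phone:3,10,600')`, keeping the existing IP throttle as well. A second, complementary step is to stop answering the existence question directly: have the send-code route return the same generic "if this number is eligible, a code has been sent" response whether or not the account exists, and let the later code-verification step decide what the app shows, so api/phone/exists no longer needs to be exposed at all.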