Sinch SMS 2FA with Node.js & Express: Complete OTP Implementation Guide - Integration Guides - Sinch, Node.js, Express, 2FA, Two-Factor Authentication, OTP, SMS Verification, Sinch Verification API, Sequelize, PostgreSQL, bcrypt, Security, REST API

How to Implement SMS Two-Factor Authentication with Sinch, Node.js & Express

Introduction

Implement SMS-based two-factor authentication (2FA) in your Node.js application using Sinch's Verification API and Express framework. Two-factor authentication adds a critical security layer to user logins, significantly reducing unauthorized access risk by combining password credentials with phone verification.

One-time passwords (OTP) delivered via SMS or voice call provide user-friendly 2FA that balances security and convenience. This comprehensive guide demonstrates step-by-step integration of Sinch's Verification API into a Node.js and Express backend for robust OTP-based authentication. You'll build a complete system where users register with phone numbers, log in with credentials, and verify their identity using Sinch-delivered OTP before gaining full access.

What Will You Build with This Tutorial?

Create a production-ready authentication system with these features:

  • Node.js and Express REST API backend application
  • User registration with phone number capture and E.164 validation
  • Login process requiring email and password credentials
  • Second-factor verification using Sinch SMS or voice OTP
  • Complete API endpoints for registration, login, OTP request, and OTP verification
  • Secure password hashing with bcrypt 5.0.0+
  • PostgreSQL database with Sequelize ORM for user data persistence
  • Rate limiting and security middleware for production readiness

Security Problem Solved:

This implementation addresses password-only authentication vulnerabilities by adding a possession factor (the user's verified phone number) to the authentication process, implementing true multi-factor authentication that significantly reduces account takeover risk.

What Technologies and Requirements Do You Need?

Core Technologies (Verified January 2025):

  • Node.js 18.18.0+: JavaScript runtime environment. Express requires Node.js 18 or higher. Recommend Node.js 20 LTS "Iron" (Maintenance LTS until April 2026) or Node.js 22 LTS "Jod" (Active LTS until October 2027) as Node.js 18 LTS "Hydrogen" ended support March 2025.
  • Express 4.x+: Minimalist web framework for Node.js. Latest stable version requires Node.js 18 or higher.
  • Sinch Verification API: Cloud service for sending and verifying OTP codes via SMS and voice, handling global delivery complexities and secure code generation.
  • PostgreSQL with Sequelize 6.x: Relational database and ORM for persistent user data storage. Sequelize 6.x supports PostgreSQL, MySQL, MariaDB, SQLite, Microsoft SQL Server, and Snowflake.
  • bcrypt 5.0.0+: Password hashing library. Version 5.0.0 or higher required to avoid critical security vulnerabilities. Bcrypt < 5.0.0 suffers from wrap-around bug (truncates passwords >= 255 characters) and NUL character handling issues. Node.js 12+ requires bcrypt >= 3.0.6.

Supporting Libraries:

  • dotenv: Environment variable management from .env file
  • express-validator: Input validation and sanitization middleware
  • Helmet: Security middleware for HTTP header protection
  • express-rate-limit: Rate limiting middleware for brute-force attack prevention
  • axios: Promise-based HTTP client for Sinch API requests
  • libphonenumber-js: Phone number parsing, validation, and E.164 formatting library
  • pino: Fast, low-overhead JSON logger for production environments

System Architecture:

mermaid
graph LR
    A[User Browser/Client] -- HTTP Request --&gt; B(Node.js/Express API);
    B -- Register/Login Data --&gt; C{Database (PostgreSQL)};
    B -- Request OTP --&gt; D(Sinch Verification API);
    D -- Send OTP --&gt; E[User's Phone (SMS/Voice)];
    A -- Submit OTP --&gt; B;
    B -- Verify OTP --&gt; D;
    D -- Verification Result --&gt; B;
    B -- Update User Status/Session --&gt; C;
    B -- Success/Failure Response --&gt; A;

    style B fill:#f9f,stroke:#333,stroke-width:2px
    style D fill:#ccf,stroke:#333,stroke-width:2px
    style C fill:#9cf,stroke:#333,stroke-width:2px

What Are the Prerequisites for This Tutorial?

Before starting, ensure you have:

  • Node.js 18.18.0+ and npm (or yarn) installed. Verify with node --version and npm --version.
  • PostgreSQL server running locally or accessible remotely. You must create the database specified in your .env file before running migrations.
  • A Sinch account with API credentials (Application Key and Application Secret). Sign up at https://www.sinch.com/.
  • Basic understanding of JavaScript, Node.js, Express, REST APIs, and SQL databases.
  • A code editor (e.g., VS Code, WebStorm).
  • An API testing tool (e.g., Postman, Insomnia, curl).

What You'll Learn:

By completing this guide, you will have a functional backend API capable of:

  • Registering users with validated phone numbers
  • Authenticating users with email and password
  • Requiring Sinch-powered OTP verification for enhanced security
  • Implementing error handling, security middleware, structured logging, and database management
  • Following production-ready patterns for Node.js authentication systems

Technology Verification Date: All technology versions and requirements verified as of January 2025. Check official documentation for latest releases.

How to Set Up Your Node.js Project

Initialize your Node.js project and install all required dependencies for SMS-based two-factor authentication.

Step 1: Create Project Directory and Initialize

Open your terminal and run the following commands:

bash
mkdir node-sinch-otp-2fa
cd node-sinch-otp-2fa
npm init -y

This creates a new directory, navigates into it, and initializes a package.json file with default settings.

Step 2: Install Dependencies

Install the core dependencies for Express, database interaction, security, environment variables, HTTP requests, logging, and phone number validation:

bash
npm install express pg sequelize bcrypt dotenv express-validator helmet express-rate-limit axios pino libphonenumber-js
  • express: The web framework.
  • pg: PostgreSQL client for Node.js (used by Sequelize).
  • sequelize: ORM for Node.js.
  • bcrypt: Password hashing library.
  • dotenv: Loads environment variables from .env.
  • express-validator: Input validation middleware.
  • helmet: Security header middleware.
  • express-rate-limit: Request rate limiting middleware.
  • axios: HTTP client for Sinch API calls.
  • pino: Logger.
  • libphonenumber-js: Phone number validation/formatting.

Step 3: Install Development Dependencies

Install nodemon for automatic server restarts, sequelize-cli for migrations, and pino-pretty for human-readable logs during development:

bash
npm install --save-dev nodemon sequelize-cli pino-pretty

Step 4: Configure package.json Scripts

Add scripts to your package.json for starting the server and running migrations:

json
{
  ""name"": ""node-sinch-otp-2fa"",
  ""version"": ""1.0.0"",
  ""description"": """",
  ""main"": ""src/index.js"",
  ""scripts"": {
    ""start"": ""node src/index.js"",
    ""dev"": ""nodemon src/index.js | pino-pretty"",
    ""db:migrate"": ""npx sequelize-cli db:migrate --config src/config/config.json --migrations-path src/database/migrations --seeders-path src/database/seeders"",
    ""db:migrate:undo"": ""npx sequelize-cli db:migrate:undo --config src/config/config.json --migrations-path src/database/migrations --seeders-path src/database/seeders"",
    ""db:model:create"": ""npx sequelize-cli model:generate --config src/config/config.json --migrations-path src/database/migrations --models-path src/database/models"",
    ""test"": ""echo \""Error: no test specified\"" && exit 1""
  },
  ""keywords"": [],
  ""author"": """",
  ""license"": ""ISC"",
  ""dependencies"": {
    ""axios"": ""^..."",
    ""bcrypt"": ""^..."",
    ""dotenv"": ""^..."",
    ""express"": ""^..."",
    ""express-rate-limit"": ""^..."",
    ""express-validator"": ""^..."",
    ""helmet"": ""^..."",
    ""libphonenumber-js"": ""^..."",
    ""pg"": ""^..."",
    ""pino"": ""^..."",
    ""sequelize"": ""^...""
  },
  ""devDependencies"": {
    ""nodemon"": ""^..."",
    ""pino-pretty"": ""^..."",
    ""sequelize-cli"": ""^...""
  }
}

Note: Replace ^... with the actual versions installed. Ensure ""main"" points to your entry file.

Step 5: Create Project Structure

Organize your project with the following folder structure:

node-sinch-otp-2fa/
├── node_modules/
├── src/
│   ├── config/         # Configuration files (DB, etc.)
│   ├── controllers/    # Request handlers
│   ├── database/       # Migrations, seeders, models
│   │   ├── migrations/
│   │   ├── models/
│   │   └── seeders/    # Optional: for sample data
│   ├── middleware/     # Custom middleware (auth, validation, error)
│   ├── routes/         # API route definitions
│   ├── services/       # Business logic
│   ├── utils/          # Utility functions (logging, etc.)
│   └── index.js        # Main application entry point
├── .env                # Environment variables (DO NOT COMMIT)
├── .gitignore          # Files/folders to ignore in Git
├── package-lock.json
└── package.json

Create these directories:

bash
mkdir -p src/config src/controllers src/database/migrations src/database/models src/database/seeders src/middleware src/routes src/services src/utils
touch src/index.js .env .gitignore src/utils/logger.js

Step 6: Configure .gitignore

Add node_modules, .env, and log files to your .gitignore file:

# .gitignore

node_modules/
.env
*.log

Step 7: Set Up Environment Variables (.env)

Create the .env file in the project root and add initial configuration. We will add Sinch keys later.

bash
# .env

# Server Configuration
NODE_ENV=development
PORT=3000
BASE_URL=http://localhost:3000
LOG_LEVEL=debug # Use 'info' or 'warn' in production

# Database Configuration (Update with your credentials)
DB_HOST=localhost
DB_PORT=5432
DB_USER=your_postgres_user
DB_PASSWORD=your_postgres_password
DB_NAME=sinch_otp_db
DB_DIALECT=postgres

# Security
PASSWORD_SALT_ROUNDS=10 # bcrypt salt rounds
# JWT_SECRET=your_super_secret_jwt_key_here # Uncomment and set when implementing JWT

# Rate Limiting (Example: 100 requests per 15 minutes per IP)
RATE_LIMIT_WINDOW_MS=900000 # 15 * 60 * 1000
RATE_LIMIT_MAX_REQUESTS=100

# Sinch API Credentials (Add these later)
# SINCH_APP_KEY=
# SINCH_APP_SECRET=
# SINCH_VERIFICATION_METHOD=sms # or 'callout' for voice

Important: Replace your_postgres_user and your_postgres_password with your actual PostgreSQL credentials. Crucially, you must manually create the database named sinch_otp_db (or whatever you set DB_NAME to) in your PostgreSQL instance before proceeding. Tools like createdb sinch_otp_db (if psql CLI is installed) or a GUI like pgAdmin can be used.

Step 8: Configure Logger (src/utils/logger.js)

Set up the Pino logger.

javascript
// src/utils/logger.js
const pino = require('pino');

const logger = pino({
  level: process.env.LOG_LEVEL || (process.env.NODE_ENV === 'production' ? 'info' : 'debug'),
  // Use default JSON output in production, pretty print in development via package.json script
});

module.exports = logger;

Step 9: Basic Server Setup (src/index.js)

Create a minimal Express server using the logger.

javascript
// src/index.js
require('dotenv').config(); // Load .env variables first
const express = require('express');
const helmet = require('helmet');
const rateLimit = require('express-rate-limit');
const logger = require('./utils/logger'); // Import logger
const mainRouter = require('./routes'); // Assuming routes/index.js exists
const errorHandler = require('./middleware/errorHandler'); // Assuming middleware/errorHandler.js exists
const { sequelize } = require('./database/models'); // Import sequelize instance

const app = express();
const port = process.env.PORT || 3000;

// --- Middleware ---

// Security Headers
app.use(helmet());

// Rate Limiting
const limiter = rateLimit({
    windowMs: parseInt(process.env.RATE_LIMIT_WINDOW_MS, 10),
    max: parseInt(process.env.RATE_LIMIT_MAX_REQUESTS, 10),
    standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
    legacyHeaders: false, // Disable the `X-RateLimit-*` headers
    message: 'Too many requests from this IP, please try again after 15 minutes',
});
app.use(limiter);

// Body Parsers
app.use(express.json()); // Parse JSON bodies
app.use(express.urlencoded({ extended: true })); // Parse URL-encoded bodies

// --- Routes ---
app.get('/health', (req, res) =&gt; res.status(200).json({ status: 'UP', timestamp: new Date().toISOString() }));
app.use('/api/v1', mainRouter); // Mount main router under /api/v1

// --- Error Handling ---
app.use(errorHandler); // Central error handler

// --- Server Startup with DB Connection ---
async function startServer() {
    try {
        await sequelize.authenticate();
        logger.info('Database connection established successfully.');

        // Optional: Sync models during development (Use migrations in production)
        // if (process.env.NODE_ENV === 'development') {
        //      await sequelize.sync({ alter: true }); // Be careful with alter: true
        //      logger.info('Models synchronized with database.');
        // }

        app.listen(port, () =&gt; {
            logger.info(`Server running on ${process.env.BASE_URL}`);
            logger.info(`Current environment: ${process.env.NODE_ENV}`);
        });
    } catch (error) {
        logger.error('Unable to connect to the database:', error);
        process.exit(1); // Exit if DB connection fails
    }
}

startServer(); // Call the async function

module.exports = app; // Export for potential testing

Step 10: Set Up Main Router (src/routes/index.js)

Create a placeholder main router.

javascript
// src/routes/index.js
const express = require('express');
const authRouter = require('./auth.routes'); // We will create this
const logger = require('../utils/logger');

const router = express.Router();

router.use('/auth', authRouter);
// Add other resource routers here (e.g., router.use('/users', userRouter);)

// Catch-all for undefined API routes within /api/v1
router.use('*', (req, res) =&gt; {
    logger.warn(`404 Not Found: ${req.method} ${req.originalUrl}`);
    res.status(404).json({ message: 'API endpoint not found' });
});


module.exports = router;

Step 11: Set Up Placeholder Auth Routes (src/routes/auth.routes.js)

javascript
// src/routes/auth.routes.js
const express = require('express');
// const authController = require('../controllers/auth.controller'); // We'll create this

const router = express.Router();

// Placeholder routes - implementation comes later
router.post('/register', (req, res) =&gt; res.status(501).json({ message: 'Register endpoint not implemented yet' }));
router.post('/login', (req, res) =&gt; res.status(501).json({ message: 'Login endpoint not implemented yet' }));
router.post('/request-otp', (req, res) =&gt; res.status(501).json({ message: 'Request OTP endpoint not implemented yet' }));
router.post('/verify-otp', (req, res) =&gt; res.status(501).json({ message: 'Verify OTP endpoint not implemented yet' }));

module.exports = router;

Step 12: Basic Error Handler (src/middleware/errorHandler.js)

Create a simple centralized error handler using the logger.

javascript
// src/middleware/errorHandler.js
const logger = require('../utils/logger');

const errorHandler = (err, req, res, next) =&gt; {
    // Log the full error for debugging, including request info if helpful
    logger.error({
        message: err.message,
        stack: err.stack,
        statusCode: err.statusCode,
        url: req.originalUrl,
        method: req.method,
        ip: req.ip,
    }, 'Unhandled Error');

    const statusCode = err.statusCode || 500;
    const message = err.message || 'Internal Server Error';

    // Send a generic error response to the client
    res.status(statusCode).json({
        status: 'error',
        statusCode,
        message: process.env.NODE_ENV === 'production' && statusCode === 500
                 ? 'An unexpected error occurred' // Don't leak details in production
                 : message,
    });
};

module.exports = errorHandler;

Step 13: Run the Server

Start the development server:

bash
npm run dev

You should see log output like Server running on http://localhost:3000 in your console. Test the health check endpoint: http://localhost:3000/health. Accessing other /api/v1 routes should return 404 or 501.

Implementing Core Functionality (User Registration & Login)

Now, let's build the basic user registration and login functionality, including password hashing.

Step 1: Set Up Sequelize

Initialize Sequelize configuration:

bash
# If not already in project root, cd node-sinch-otp-2fa
npx sequelize-cli init

This creates config/config.json, models/index.js, migrations/, seeders/. Move these into the src/database directory structure we created earlier, adjusting paths as needed. Or, configure paths using a .sequelizerc file in the project root:

javascript
// .sequelizerc
const path = require('path');

module.exports = {
  'config': path.resolve('src', 'config', 'config.json'),
  'models-path': path.resolve('src', 'database', 'models'),
  'seeders-path': path.resolve('src', 'database', 'seeders'),
  'migrations-path': path.resolve('src', 'database', 'migrations')
};

Now, re-run npx sequelize-cli init if you created .sequelizerc first, or manually move the generated files.

Modify src/config/config.json to use environment variables:

json
// src/config/config.json
require('dotenv').config({ path: '../../.env' }); // Load .env from root

module.exports = {
  ""development"": {
    ""username"": process.env.DB_USER,
    ""password"": process.env.DB_PASSWORD,
    ""database"": process.env.DB_NAME,
    ""host"": process.env.DB_HOST,
    ""port"": process.env.DB_PORT,
    ""dialect"": process.env.DB_DIALECT
  },
  ""test"": {
    ""username"": process.env.DB_USER,
    ""password"": process.env.DB_PASSWORD,
    ""database"": `${process.env.DB_NAME}_test`,
    ""host"": process.env.DB_HOST,
    ""port"": process.env.DB_PORT,
    ""dialect"": process.env.DB_DIALECT,
    ""logging"": false
  },
  ""production"": {
    ""username"": process.env.DB_USER_PROD || process.env.DB_USER,
    ""password"": process.env.DB_PASSWORD_PROD || process.env.DB_PASSWORD,
    ""database"": process.env.DB_NAME_PROD || process.env.DB_NAME,
    ""host"": process.env.DB_HOST_PROD || process.env.DB_HOST,
    ""port"": process.env.DB_PORT_PROD || process.env.DB_PORT,
    ""dialect"": process.env.DB_DIALECT,
    ""logging"": false
  }
}

Note: The logging function using Pino was removed from the JSON as functions are not standard JSON. Logging can be configured when initializing Sequelize if needed.

Step 2: Create User Model and Migration

Generate the User model and its corresponding migration file (using the script from package.json):

bash
npm run db:model:create -- --name User --attributes email:string,password:string,phoneNumber:string,isVerified:boolean,sinchVerificationId:string,otpSecret:string,lastOtpSentAt:date

Edit the generated migration file in src/database/migrations/. Ensure fields are correctly configured.

javascript
// Example: src/database/migrations/YYYYMMDDHHMMSS-create-user.js
'use strict';
/** @type {import('sequelize-cli').Migration} */
module.exports = {
  async up(queryInterface, Sequelize) {
    await queryInterface.createTable('Users', {
      id: {
        allowNull: false,
        autoIncrement: true,
        primaryKey: true,
        type: Sequelize.INTEGER
      },
      email: {
        type: Sequelize.STRING,
        allowNull: false,
        unique: true,
        validate: {
          isEmail: true,
        }
      },
      password: {
        type: Sequelize.STRING,
        allowNull: false
      },
      phoneNumber: {
        type: Sequelize.STRING, // Store in E.164 format
        allowNull: false,
        unique: true
      },
      isVerified: {
        type: Sequelize.BOOLEAN,
        allowNull: false,
        defaultValue: false // Users start as unverified
      },
      sinchVerificationId: { // Store temp ID from Sinch verify request
        type: Sequelize.STRING,
        allowNull: true
      },
      otpSecret: { // For potential TOTP authenticator app support
        type: Sequelize.STRING,
        allowNull: true
      },
      lastOtpSentAt: { // For rate limiting OTP requests
        type: Sequelize.DATE,
        allowNull: true
      },
      createdAt: {
        allowNull: false,
        type: Sequelize.DATE,
        defaultValue: Sequelize.literal('CURRENT_TIMESTAMP')
      },
      updatedAt: {
        allowNull: false,
        type: Sequelize.DATE,
        defaultValue: Sequelize.literal('CURRENT_TIMESTAMP')
      }
    });
     // Add indexes for frequently queried columns
     await queryInterface.addIndex('Users', ['email']);
     await queryInterface.addIndex('Users', ['phoneNumber']);
  },
  async down(queryInterface, Sequelize) {
    await queryInterface.dropTable('Users');
  }
};

Edit the corresponding model file src/database/models/user.js to add instance methods and hooks.

javascript
// src/database/models/user.js
'use strict';
const { Model } = require('sequelize');
const bcrypt = require('bcrypt');
const logger = require('../../utils/logger'); // Use logger for hook errors

module.exports = (sequelize, DataTypes) =&gt; {
  class User extends Model {
    // Instance method to compare password
    async isValidPassword(password) {
      return bcrypt.compare(password, this.password);
    }

    static associate(models) {
      // define association here if needed
    }
  }
  User.init({
    email: {
      type: DataTypes.STRING,
      allowNull: false,
      unique: true,
      validate: {
        isEmail: true,
      }
    },
    password: {
      type: DataTypes.STRING,
      allowNull: false
    },
    phoneNumber: {
      type: DataTypes.STRING,
      allowNull: false,
      unique: true
      // Validation using libphonenumber-js should happen before saving
    },
    isVerified: {
      type: DataTypes.BOOLEAN,
      allowNull: false,
      defaultValue: false
    },
    sinchVerificationId: {
      type: DataTypes.STRING,
      allowNull: true
    },
    otpSecret: {
      type: DataTypes.STRING,
      allowNull: true
    },
    lastOtpSentAt: {
      type: DataTypes.DATE,
      allowNull: true
    }
  }, {
    sequelize,
    modelName: 'User',
    hooks: {
      // Hash password before saving user
      beforeCreate: async (user, options) =&gt; {
        if (user.password) {
          try {
            const saltRounds = parseInt(process.env.PASSWORD_SALT_ROUNDS, 10);
            user.password = await bcrypt.hash(user.password, saltRounds);
          } catch (error) {
             logger.error('Error hashing password during beforeCreate hook', error);
             throw error; // Prevent user creation if hashing fails
          }
        }
      },
      // Optionally hash password on update if it changed
      beforeUpdate: async (user, options) =&gt; {
        if (user.changed('password')) {
          try {
             const saltRounds = parseInt(process.env.PASSWORD_SALT_ROUNDS, 10);
             user.password = await bcrypt.hash(user.password, saltRounds);
          } catch (error) {
             logger.error('Error hashing password during beforeUpdate hook', error);
             throw error; // Prevent update if hashing fails
          }
        }
      }
    }
  });
  return User;
};

Step 3: Run the Migration

Apply the migration to create the Users table in your database:

bash
npm run db:migrate

Verify the table creation in your PostgreSQL database.

Step 4: Database Connection in index.js (Already Done)

We already modified src/index.js in Step 9 of Section 1 to connect the database before starting the server.

Step 5: Implement Auth Service (src/services/auth.service.js)

Create the service layer using the logger.

javascript
// src/services/auth.service.js
const { User } = require('../database/models');
const { Op } = require('sequelize');
const logger = require('../utils/logger');
const sinchService = require('./sinch.service'); // Assuming sinch.service.js exists or will be created
const { sequelize } = require('../database/models'); // For transactions
const { parsePhoneNumberFromString } = require('libphonenumber-js'); // For validation

class AuthService {
    async registerUser({ email, password, phoneNumber }) {
        try {
            // Input validation (basic checks, more specific validation in middleware)
            if (!email || !password || !phoneNumber) {
                throw new Error('Email, password, and phone number are required.');
            }

            // Validate and format phone number using libphonenumber-js
            const parsedNumber = parsePhoneNumberFromString(phoneNumber);
            if (!parsedNumber || !parsedNumber.isValid()) {
                const error = new Error('Invalid phone number format.');
                error.statusCode = 400;
                throw error;
            }
            const formattedPhoneNumber = parsedNumber.format('E.164'); // Store consistently

            // Check if user already exists (email or formatted phone number)
            const existingUser = await User.findOne({
                where: {
                    [Op.or]: [{ email }, { phoneNumber: formattedPhoneNumber }]
                }
            });

            if (existingUser) {
                const field = existingUser.email === email ? 'Email' : 'Phone number';
                const error = new Error(`${field} is already registered.`);
                error.statusCode = 409; // Conflict
                throw error;
            }

            // Create user (password hashing is handled by the model hook)
            const newUser = await User.create({ email, password, phoneNumber: formattedPhoneNumber });

            // Don't return sensitive info
            const userJson = newUser.toJSON();
            delete userJson.password;
            delete userJson.sinchVerificationId;
            delete userJson.otpSecret;

            logger.info(`User registered successfully: ${userJson.email} (ID: ${userJson.id})`);
            return userJson;

        } catch (error) {
            logger.error(`Error registering user ${email}:`, error);
            // Ensure statusCode is set if not already
            if (!error.statusCode) error.statusCode = 500;
            throw error; // Re-throw for the controller/error handler
        }
    }

    async loginUser({ email, password }) {
         try {
             const user = await User.findOne({ where: { email } });

             if (!user) {
                 const error = new Error('Invalid email or password.');
                 error.statusCode = 401; // Unauthorized
                 throw error;
             }

             const isPasswordValid = await user.isValidPassword(password);

             if (!isPasswordValid) {
                 const error = new Error('Invalid email or password.');
                 error.statusCode = 401;
                 throw error;
             }

             // Don't return sensitive info
             const userJson = user.toJSON();
             delete userJson.password;
             delete userJson.sinchVerificationId;
             delete userJson.otpSecret;

             logger.info(`User login successful (first factor): ${user.email} (ID: ${user.id})`);
             return userJson;

         } catch (error) {
             logger.error(`Error logging in user ${email}:`, error);
             if (!error.statusCode) error.statusCode = 500;
             throw error;
         }
    }

    // --- OTP related methods ---

    async requestOtpForUser(identifier) {
        const findCondition = identifier.email
                              ? { email: identifier.email }
                              : { phoneNumber: identifier.phoneNumber }; // Assumes E.164 format if phone is used

        const user = await User.findOne({ where: findCondition });

        if (!user) {
            const error = new Error('User not found.');
            error.statusCode = 404;
            throw error;
        }

        // Rate limiting per user (e.g., 1 request every 2 minutes)
        const now = new Date();
        const twoMinutesAgo = new Date(now.getTime() - 2 * 60 * 1000);
        if (user.lastOtpSentAt && user.lastOtpSentAt &gt; twoMinutesAgo) {
             const error = new Error('Please wait a moment before requesting another OTP.');
             error.statusCode = 429; // Too Many Requests
             throw error;
        }

        const verificationMethod = process.env.SINCH_VERIFICATION_METHOD || 'sms';

        const transaction = await sequelize.transaction();
        try {
            // Ensure sinchService and startVerification method exist
            if (!sinchService || typeof sinchService.startVerification !== 'function') {
                logger.error('Sinch service or startVerification method is not available.');
                throw new Error('Verification service is not configured correctly.');
            }

            const sinchResponse = await sinchService.startVerification(user.phoneNumber, verificationMethod);

            if (!sinchResponse || !sinchResponse.id) {
                // Log the actual response from Sinch if available
                logger.error('Failed to initiate Sinch verification.', { sinchResponse });
                throw new Error('Failed to initiate phone verification.');
            }

            // Store Sinch ID and timestamp
            await User.update(
                { sinchVerificationId: sinchResponse.id, lastOtpSentAt: new Date() },
                { where: { id: user.id }, transaction }
            );

            await transaction.commit();
            logger.info(`OTP request initiated for user ${user.id} via ${verificationMethod}. Sinch ID: ${sinchResponse.id}`);

             return {
                 message: `OTP sent successfully via ${verificationMethod} to ${user.phoneNumber}.`,
                 // verificationId: sinchResponse.id // Avoid sending this to client
             };

        } catch (error) {
            await transaction.rollback();
            logger.error(`Error requesting OTP for user ${user?.id}:`, error);
            // Propagate Sinch errors or DB errors
            if (!error.statusCode) error.statusCode = 500; // Ensure status code
            throw error;
        }
    }

    async verifyOtpForUser(identifier, otpCode) {
        const findCondition = identifier.email
                              ? { email: identifier.email }
                              : { phoneNumber: identifier.phoneNumber }; // Assumes E.164 format

        const user = await User.findOne({ where: findCondition });

        if (!user) {
            const error = new Error('User not found.');
            error.statusCode = 404;
            throw error;
        }

        const verificationMethod = process.env.SINCH_VERIFICATION_METHOD || 'sms';
        let sinchResponse;

        try {
            // Ensure sinchService and verification methods exist
            if (!sinchService || typeof sinchService.reportVerificationById !== 'function' || typeof sinchService.reportVerificationByNumber !== 'function') {
                 logger.error('Sinch service or verification reporting methods are not available.');
                 throw new Error('Verification service is not configured correctly.');
            }

            // Option 1: Verify using the stored ID (preferred if available and recent)
            // Check if ID exists and was generated reasonably recently (e.g., within 15 mins) to avoid using stale IDs
            const fifteenMinutesAgo = new Date(Date.now() - 15 * 60 * 1000);
            if (user.sinchVerificationId && user.lastOtpSentAt &gt; fifteenMinutesAgo) {
                logger.info(`Verifying OTP for user ${user.id} using Sinch ID: ${user.sinchVerificationId}`);
                sinchResponse = await sinchService.reportVerificationById(user.sinchVerificationId, otpCode, verificationMethod);
            } else {
                // Fallback or primary method: Verify using phone number
                logger.info(`Verifying OTP for user ${user.id} using Phone Number: ${user.phoneNumber}`);
                sinchResponse = await sinchService.reportVerificationByNumber(user.phoneNumber, otpCode, verificationMethod);
            }

            // Check Sinch response status
            if (sinchResponse && sinchResponse.status === 'SUCCESSFUL') {
                 const transaction = await sequelize.transaction();
                 try {
                    await User.update(
                        { isVerified: true, sinchVerificationId: null }, // Mark verified, clear ID
                        { where: { id: user.id }, transaction }
                    );
                    await transaction.commit();

                    logger.info(`User ${user.id} successfully verified phone number.`);
                    const updatedUser = await User.findByPk(user.id, {
                         attributes: { exclude: ['password', 'sinchVerificationId', 'otpSecret', 'lastOtpSentAt'] }
                    });
                    return updatedUser.toJSON();

                 } catch(dbError) {
                     await transaction.rollback();
                     logger.error(`Database error after successful Sinch verification for user ${user.id}:`, dbError);
                     // Throw a generic server error, as Sinch part succeeded but internal state update failed
                     const error = new Error('Verification check passed but failed to update account status.');
                     error.statusCode = 500;
                     throw error;
                 }

            } else {
                // Verification failed
                logger.warn(`OTP verification failed for user ${user.id}. Sinch Status: ${sinchResponse?.status}, Reason: ${sinchResponse?.reason}`);
                const error = new Error('Invalid or expired OTP code.');
                error.statusCode = 401; // Unauthorized or 400 Bad Request
                error.details = { sinchStatus: sinchResponse?.status, reason: sinchResponse?.reason };
                throw error;
            }
        } catch (error) {
             logger.error(`Error verifying OTP for user ${user?.id}:`, error);
             if (!error.statusCode) error.statusCode = 500;
             throw error; // Re-throw caught error (could be from Sinch, DB, or logic)
        }
    }

    // --- Helper methods ---
    async findUserByPhoneNumber(phoneNumber) {
        // Ensure consistent formatting if needed, though input should already be E.164
        return User.findOne({ where: { phoneNumber } });
    }

    async findUserById(userId) {
        return User.findByPk(userId);
    }

     async updateUserVerificationStatus(userId, isVerified) { // Not directly used above, but might be useful elsewhere
        await User.update({ isVerified }, { where: { id: userId } });
    }

     async clearUserSinchVerificationId(userId) { // Not directly used above
        await User.update({ sinchVerificationId: null }, { where: { id: userId } });
    }
}

module.exports = new AuthService();

Step 6: Implement Auth Controller (src/controllers/auth.controller.js)

Create the controller using the logger and service.

javascript
// src/controllers/auth.controller.js
const authService = require('../services/auth.service');
const logger = require('../utils/logger');

class AuthController {
    async register(req, res, next) {
        try {
            const { email, password, phoneNumber } = req.body;
            // Add input validation middleware before this controller runs
            const user = await authService.registerUser({ email, password, phoneNumber });
            res.status(201).json({ message: 'User registered successfully. Please verify your phone number.', userId: user.id });
        } catch (error) {
            next(error); // Pass error to the centralized handler
        }
    }

    async login(req, res, next) {
        try {
            const { email, password } = req.body;
            // Add input validation middleware
            const user = await authService.loginUser({ email, password });

            // If login is successful, but user is not yet verified via OTP
            if (!user.isVerified) {
                 // Initiate OTP process automatically after successful password login
                 try {
                     await authService.requestOtpForUser({ email: user.email }); // Request OTP using email
                     logger.info(`OTP requested automatically for unverified user ${user.email} after login.`);
                     // Respond indicating OTP is required
                     return res.status(200).json({
                         message: 'Login successful (first factor). OTP sent for verification.',
                         userId: user.id,
                         requiresOtp: true
                     });
                 } catch (otpError) {
                     logger.error(`Failed to automatically request OTP for ${user.email} after login:`, otpError);
                     // Proceed with login but indicate OTP step failed to initiate
                     return res.status(200).json({
                         message: 'Login successful (first factor). Failed to send OTP automatically. Please request manually.',
                         userId: user.id,
                         requiresOtp: true, // Still requires OTP, but needs manual request
                         otpError: otpError.message // Optionally provide reason
                     });
                 }
            } else {
                // User is already verified, grant access (e.g., issue JWT token - not implemented here)
                logger.info(`Verified user ${user.email} logged in successfully.`);
                // TODO: Implement session/token generation here
                return res.status(200).json({
                    message: 'Login successful.',
                    userId: user.id,
                    requiresOtp: false,
                    // token: 'your_jwt_token_here' // Example
                });
            }
        } catch (error) {
            next(error);
        }
    }

    async requestOtp(req, res, next) {
        try {
            // Expect identifier (email or phone) in body to find the user
            const { email, phoneNumber } = req.body;
            if (!email && !phoneNumber) {
                return res.status(400).json({ message: 'Email or phone number required to request OTP.' });
            }
            const identifier = email ? { email } : { phoneNumber }; // Add validation for phone format if used directly

            const result = await authService.requestOtpForUser(identifier);
            res.status(200).json(result);
        } catch (error) {
            next(error);
        }
    }

    async verifyOtp(req, res, next) {
        try {
            // Expect identifier (email or phone) and OTP code
            const { email, phoneNumber, otpCode } = req.body;
            if ((!email && !phoneNumber) || !otpCode) {
                return res.status(400).json({ message: 'Email or phone number, and OTP code are required.' });
            }
            const identifier = email ? { email } : { phoneNumber }; // Add validation

            const verifiedUser = await authService.verifyOtpForUser(identifier, otpCode);

            // OTP verification successful, grant access (e.g., issue JWT token)
            logger.info(`User ${verifiedUser.email} completed OTP verification.`);
            // TODO: Implement session/token generation here
            res.status(200).json({
                message: 'Phone number verified successfully. Access granted.',
                userId: verifiedUser.id,
                // token: 'your_jwt_token_here' // Example
            });

        } catch (error) {
            next(error);
        }
    }
}

module.exports = new AuthController();

Frequently Asked Questions

OTP-based 2FA is ideal when you need a strong, yet user-friendly second authentication factor. It's suitable for various applications, from securing online accounts to verifying financial transactions.

Yes, the example uses PostgreSQL with Sequelize, an ORM that supports other SQL databases as well. You can adapt the configuration to use MySQL, SQLite, MSSQL, and other compatible databases.

Implement OTP 2FA using Sinch's Verification API with Node.js and Express. This involves capturing user phone numbers during registration, sending OTPs via Sinch during login, and verifying the OTP before granting full access.

The Sinch Verification API is a service that simplifies the process of sending and verifying one-time passwords (OTPs). It supports delivery through both SMS and voice calls, managing international delivery and code generation complexities.

Two-factor authentication (2FA) improves login security by adding a 'possession factor' – something the user has (their phone). This makes it significantly harder for attackers to gain access even if they compromise a user's password.

Initialize a Node.js project, install required dependencies (Express, Sequelize, Sinch API client, bcrypt, etc.), create project directories (controllers, models, routes, services), and set environment variables.

bcrypt is used for securely hashing passwords before they are stored in the database. This protects sensitive user data even if the database is compromised.

Use the libphonenumber-js library to validate and format phone numbers during user registration. This ensures phone numbers are in a consistent, internationally recognized format.

The main problem solved is the vulnerability of relying solely on passwords, which can be easily guessed, phished, or leaked. 2FA adds a second layer of defense by requiring a code sent to the user's phone.

The project leverages Node.js, Express, Sinch Verification API, PostgreSQL, bcrypt, dotenv, express-validator, Helmet, express-rate-limit, axios, libphonenumber-js, and Pino.

Use express-rate-limit middleware to limit the number of login attempts from a single IP address within a time window. This helps prevent brute-force attacks.

The diagram visually represents the flow of requests and data during registration, login, and OTP verification. It shows how the user, the Node.js/Express backend, the database, and the Sinch API interact.

Tools like Postman or curl are recommended for sending test requests to the API endpoints. This lets you simulate registration, login, OTP requests, and verification scenarios.

You'll have a working backend API that registers users, securely logs them in with passwords and OTP verification via Sinch, and manages basic security measures.