
User Story #542

closed

Feature #533: Authentication Hum Rahi

EPIC #539: Epic: User Authentication - OTP Verification & Security

User Story HR-BE-02: Security Lockout & Brute-Force Protection

Added by Islam Mansoori about 1 month ago. Updated 28 days ago.

Status:
Backend completed
Priority:
low
Assignee:
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:

Description

Role: Back-End User Story

Story: As a System Administrator, I want to limit the number of failed OTP attempts to 5, so that the system is protected against unauthorized access attempts.

  • In-Scope:
    • Incrementing a failure counter in the cache per mobile number.
    • Blocking requests after the threshold is met.
  • Out-of-Scope: Front-end "Locked" UI (covered in HR-FE-02).
  • Acceptance Criteria (AC):
    • AC1: After 5 failed attempts, the mobile number is "Locked" for 30 minutes.
    • AC2: Any verification attempt during lockout returns a 429 Too Many Requests status.
  • Validation Rules: Threshold: 5 fails; Lock duration: 30 mins.
  • Error Messages: "Account locked due to too many failed attempts. Try again in 30 minutes."
  • Definition of Done (DoD): Integration test confirms the 6th attempt is blocked even if the OTP is technically "correct".
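The following is an added illustration of the lockout logic described in this story; it is not the Hum Rahi project's own code. It models the in-scope behaviour (a per-mobile failure counter, a 5-fail threshold, a 30-minute lock, 429 during lockout) and the DoD scenario in which the 6th attempt is rejected even with the correct OTP. Plain dictionaries stand in for the cache, the mobile number and OTP value are constructed, and the injectable clock exists only so lock expiry can be exercised without waiting 30 minutes.

```python
"""OTP lockout / brute-force protection: added example, not project code."""
import hmac
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5          # Validation rule: threshold 5 fails
LOCK_DURATION_SECONDS = 30 * 60  # Validation rule: lock duration 30 mins
LOCK_MESSAGE = ("Account locked due to too many failed attempts. "
                "Try again in 30 minutes.")


@dataclass
class VerifyResult:
    status: int    # HTTP status the API would return
    message: str


class OtpVerifier:
    def __init__(self, issued_otps, clock=time.time):
        # Stand-in for the OTP store: mobile -> currently valid OTP (constructed).
        self._otps = dict(issued_otps)
        # Stand-ins for the cache entries the story calls for, keyed per mobile.
        self._failures = {}       # mobile -> consecutive failed attempts
        self._locked_until = {}   # mobile -> unix time at which the lock expires
        self._clock = clock       # injectable so lock expiry can be tested

    def _is_locked(self, mobile, now):
        until = self._locked_until.get(mobile)
        if until is None:
            return False
        if now >= until:
            # Lock has expired: clear it and the counter so the user gets a fresh window.
            del self._locked_until[mobile]
            self._failures.pop(mobile, None)
            return False
        return True

    def verify(self, mobile, submitted_otp):
        now = self._clock()
        # AC2 / DoD: the lockout check runs BEFORE the OTP is compared, so a
        # locked number gets 429 even when the submitted code is correct.
        if self._is_locked(mobile, now):
            return VerifyResult(429, LOCK_MESSAGE)

        expected = self._otps.get(mobile)
        ok = expected is not None and hmac.compare_digest(
            expected.encode(), submitted_otp.encode())  # constant-time compare
        if ok:
            self._failures.pop(mobile, None)   # success resets the counter
            self._otps.pop(mobile)             # OTP is single-use
            return VerifyResult(200, "OTP verified")

        # Failure: increment the per-mobile counter; AC1 locks at the threshold.
        count = self._failures.get(mobile, 0) + 1
        self._failures[mobile] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self._locked_until[mobile] = now + LOCK_DURATION_SECONDS
        remaining = max(MAX_FAILED_ATTEMPTS - count, 0)
        return VerifyResult(401, f"Invalid OTP; {remaining} attempts remaining")


MOBILE = "+911234567890"   # constructed sample number
OTP = "482913"             # constructed sample OTP


def dod_scenario():
    """Replays the DoD scenario and returns the status code of each attempt."""
    clock = [1_000_000.0]  # fake unix time, advanced manually below
    verifier = OtpVerifier({MOBILE: OTP}, clock=lambda: clock[0])
    statuses = [verifier.verify(MOBILE, "000000").status for _ in range(5)]
    statuses.append(verifier.verify(MOBILE, OTP).status)   # 6th: correct, still blocked
    clock[0] += LOCK_DURATION_SECONDS                     # lock expires
    statuses.append(verifier.verify(MOBILE, OTP).status)   # fresh window: succeeds
    return statuses


if __name__ == "__main__":
    print(dod_scenario())  # expected: [401, 401, 401, 401, 401, 429, 200]
```

In a deployment the two dictionaries would be entries in the shared cache with a TTL equal to the lock duration, so the lock expires by itself across all backend instances. One caveat worth keeping in mind with this design: because the counter is keyed on the mobile number alone, anyone who knows a number can keep it locked by submitting wrong codes; a per-source rate limit alongside the per-number lock is the usual complement, and it is outside this story's scope.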