OTP generated with insecure math/rand
Bug Description
In internal/utils/generate_otp.go, OTPs are generated using math/rand seeded with time.Now().UnixNano(). This is not cryptographically secure and the seed is re-initialized on every call, meaning concurrent calls at the same nanosecond produce identical OTPs.
Impact
HIGH — OTPs are predictable. An attacker who knows the approximate time of OTP generation can guess the OTP.
Fix
Replace math/rand with crypto/rand for cryptographically secure OTP generation.
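A sketch of the fix described above, added here as an illustration and not taken from the project's internal/utils/generate_otp.go: it draws the OTP from crypto/rand with uniform sampling, and it reproduces the same-seed collision from the bug description for comparison. The names weakOTP and GenerateOTP, the 1 to 18 digit bound, and the seed value are assumptions.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	mrand "math/rand"
)

// weakOTP mirrors the pattern the report describes (assumed shape, not the
// project's code): a new math/rand source seeded on every call. The seed is a
// parameter here so that the collision is reproducible.
func weakOTP(seed int64, digits int) string {
	r := mrand.New(mrand.NewSource(seed))
	limit := 1
	for i := 0; i < digits; i++ {
		limit *= 10
	}
	return fmt.Sprintf("%0*d", digits, r.Intn(limit))
}

// GenerateOTP returns a zero-padded numeric OTP drawn from the OS CSPRNG.
// rand.Int samples uniformly in [0, 10^digits), so there is no modulo bias.
func GenerateOTP(digits int) (string, error) {
	if digits < 1 || digits > 18 { // 10^18 still fits in an int64
		return "", errors.New("otp: digits must be between 1 and 18")
	}
	limit := new(big.Int).Exp(big.NewInt(10), big.NewInt(int64(digits)), nil)
	n, err := rand.Int(rand.Reader, limit)
	if err != nil {
		// Fail closed: never fall back to math/rand when the CSPRNG errors.
		return "", fmt.Errorf("otp: reading crypto/rand: %w", err)
	}
	return fmt.Sprintf("%0*d", digits, n.Int64()), nil
}

func main() {
	seed := int64(1700000000000000000) // constructed UnixNano-like value
	fmt.Println("same seed, two calls:", weakOTP(seed, 6), weakOTP(seed, 6))
	otp, err := GenerateOTP(6)
	if err != nil {
		panic(err)
	}
	fmt.Println("crypto/rand OTP:", otp)
}
```

Callers should treat an error from GenerateOTP as a failed request rather than retrying with a weaker source.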