The premium add-on uses a one-time password system to verify guest email ownership before exposing alert records. The OTP table (hb_stock_alert_email_verify) and its seed data are created by the main extension install flow — the add-on relies on this setup and does not recreate it at runtime.
OTP behavior at a glance
- 6-digit numeric code
- Hashed storage, not plaintext
- One active row per email
- 15-minute expiry window
- 60-second resend cooldown
- Max 5 sends per email per hour
- Max 10 sends per IP per hour
- OTP row deleted on success
- Expired rows cleaned up after 3 days
Session behavior after verification
Once a guest email is verified, it is stored in the browser session under the hb_stock_alert_verified_emails key as an associative array with the normalized email as key and the verification timestamp as value. Verified guest alert sections are built from this session map on each page load. Session state does not persist between browser sessions.
OTP email template
The OTP email is sent through the main extension template system. The template is selected from Settings → Email Setting → OTP Email Verification Template and can be assigned per language. If no custom template is assigned, the system falls back to the seeded OTP template whose label starts with Email Verification OTP.