Add customer account validation and response spoofing to account deletion resend code method #746

2023-08-14 05:22:26 +08:00 · 2023-08-14 05:22:26 +08:00 · 3137d39a9a
commit 3137d39a9a
parent b3b81e4e27
1 changed files with 31 additions and 18 deletions
--- a/src/Controller/CustomerAppAPI/AccountController.php
+++ b/src/Controller/CustomerAppAPI/AccountController.php
@ -27,9 +27,6 @@ class AccountController extends ApiController
        $phone_number = $req->request->get('phone_number');
        $reason = $req->request->get('reason');

-        // get otp_mode from .env
-        $otp_mode = $_ENV['OTP_MODE'];
-
        // use the test code if we're using a test number or are on test mode
        $code = $this->getConfirmCode($phone_number);

@ -39,9 +36,7 @@ class AccountController extends ApiController
        $obj = new CustomerDeleteRequest();

        // check if a customer record exists for this phone number
-        $cust_obj = $this->em->getRepository(Customer::class)->findOneBy([
-            'phone_mobile' => $phone_number,
-        ]);
+        $cust_obj = $this->findCustomerByNumber($phone_number);
        if (empty($cust_obj)) {
            // return a random id anyway if we don't find this customer
            return new ApiResponse(true, $success_msg, [
@ -55,7 +50,7 @@ class AccountController extends ApiController
        $obj->setConfirmCode($code);

        // send sms to number if not in test mode
-        if ($otp_mode != 'test') {
+        if ($this->getOtpMode() != 'test') {
            $this->sendConfirmationCode($rt, $phone_number, $code, $translator);
        }

@ -98,9 +93,7 @@ class AccountController extends ApiController
        }

        // check if a customer record exists for this phone number
-        $cust_obj = $this->em->getRepository(Customer::class)->findOneBy([
-            'phone_mobile' => $obj->getPhoneNumber(),
-        ]);
+        $cust_obj = $this->findCustomerByNumber($obj->getPhoneNumber());
        if (empty($cust_obj)) {
            return new ApiResponse(false, 'No account exists for this phone number.');
        }
@ -112,7 +105,7 @@ class AccountController extends ApiController
        $this->em->flush();

        // response
-        return new ApiResponse();
+        return new ApiResponse(true, 'Your request has been submitted for processing.');
    }

    public function resendCode(Request $req, RisingTideGateway $rt, TranslatorInterface $translator)
@ -142,7 +135,16 @@ class AccountController extends ApiController

        // prevent resend spamming
        if ($now - $obj->getDateCodeSent()->getTimestamp() < 300) {
-            return new ApiResponse(false, 'Can only send confirm code every 5 mins.');
+            return new ApiResponse(false, 'You can only request a confirm code every 5 mins.');
+        }
+
+        $success_msg = 'We have re-sent a confirmation code to the submitted phone number if it is valid.';
+
+        // check if a customer record exists for this phone number
+        $cust_obj = $this->findCustomerByNumber($obj->getPhoneNumber());
+        if (empty($cust_obj)) {
+            // return successful without resending code if we don't find this customer
+            return new ApiResponse(true, $success_msg);
        }

        // use the test code if we're using a test number or are on test mode
@ -150,7 +152,7 @@ class AccountController extends ApiController
        $code = $this->getConfirmCode($phone_number);

        // send sms to number if not in test mode
-        if ($otp_mode != 'test') {
+        if ($this->getOtpMode()!= 'test') {
            $this->sendConfirmationCode($rt, $phone_number, $code, $translator);
        }

@ -159,18 +161,15 @@ class AccountController extends ApiController
        $this->em->flush();

        // response
-        return new ApiResponse();
+        return new ApiResponse(true, $success_msg);
    }

    protected function getConfirmCode($phone_number)
    {
-        // get otp_mode from .env
-        $otp_mode = $_ENV['OTP_MODE'];
-
        // check for hardcoded phone number for app store testing
        $test_numbers = explode(",", $_ENV['TEST_PHONE_NUMBERS']);

-        if (in_array($phone_number, $test_numbers) || $otp_mode == 'test') {
+        if (in_array($phone_number, $test_numbers) || $this->getOtpMode() == 'test') {
            $code = "123456";
        } else {
            // generate code
@ -191,4 +190,18 @@ class AccountController extends ApiController
        $message = $translator->trans('message.confirmation_code') .  ' ' . $code;
        $rt->sendSMS($phone_number, $translator->trans('message.battery_brand_allcaps'), $message);
    }
+
+    protected function findCustomerByNumber($number)
+    {
+        $cust_obj = $this->em->getRepository(Customer::class)->findOneBy([
+            'phone_mobile' => $number,
+        ]);
+
+        return $cust_obj;
+    }
+
+    protected function getOtpMode()
+    {
+        return $_ENV['OTP_MODE'];
+    }
 }