From 3137d39a9a1eb267f67852b5bb8cbca0ef586d21 Mon Sep 17 00:00:00 2001
From: Ramon Gutierrez
Date: Mon, 14 Aug 2023 05:22:26 +0800
Subject: [PATCH] Add customer account validation and response spoofing to account deletion resend code method #746
---
 .../CustomerAppAPI/AccountController.php | 49 ++++++++++++-------
 1 file changed, 31 insertions(+), 18 deletions(-)
diff --git a/src/Controller/CustomerAppAPI/AccountController.php b/src/Controller/CustomerAppAPI/AccountController.php
index 99a77e69..56961e48 100644
--- a/src/Controller/CustomerAppAPI/AccountController.php
+++ b/src/Controller/CustomerAppAPI/AccountController.php
@@ -27,9 +27,6 @@ class AccountController extends ApiController
 $phone_number = $req->request->get('phone_number');
 $reason = $req->request->get('reason');
 
- // get otp_mode from .env
- $otp_mode = $_ENV['OTP_MODE'];
-
 // use the test code if we're using a test number or are on test mode
 $code = $this->getConfirmCode($phone_number);
 
@@ -39,9 +36,7 @@ class AccountController extends ApiController
 $obj = new CustomerDeleteRequest();
 
 // check if a customer record exists for this phone number
- $cust_obj = $this->em->getRepository(Customer::class)->findOneBy([
- 'phone_mobile' => $phone_number,
- ]);
+ $cust_obj = $this->findCustomerByNumber($phone_number);
 if (empty($cust_obj)) {
 // return a random id anyway if we don't find this customer
 return new ApiResponse(true, $success_msg, [
@@ -55,7 +50,7 @@ class AccountController extends ApiController
 $obj->setConfirmCode($code);
 
 // send sms to number if not in test mode
- if ($otp_mode != 'test') {
+ if ($this->getOtpMode() != 'test') {
 $this->sendConfirmationCode($rt, $phone_number, $code, $translator);
 }
 
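Review bot: `if ($this->getOtpMode() != 'test')` compares the environment value loosely, and the same loose comparison is repeated in the resendCode hunk (`$this->getOtpMode()!= 'test'`, which also lacks the space before the operator) and in getConfirmCode (`== 'test'`). Because getOtpMode() returns `$_ENV['OTP_MODE']` as-is, an unset variable yields null plus a warning, which these comparisons silently treat as non-test mode; a strict comparison makes that intent explicit, e.g. `if ($this->getOtpMode() !== 'test') {`. The enclosing method starts before this hunk.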
@@ -98,9 +93,7 @@ class AccountController extends ApiController
 }
 
 // check if a customer record exists for this phone number
- $cust_obj = $this->em->getRepository(Customer::class)->findOneBy([
- 'phone_mobile' => $obj->getPhoneNumber(),
- ]);
+ $cust_obj = $this->findCustomerByNumber($obj->getPhoneNumber());
 if (empty($cust_obj)) {
 return new ApiResponse(false, 'No account exists for this phone number.');
 }
@@ -112,7 +105,7 @@ class AccountController extends ApiController
 $this->em->flush();
 
 // response
- return new ApiResponse();
+ return new ApiResponse(true, 'Your request has been submitted for processing.');
 }
 
 public function resendCode(Request $req, RisingTideGateway $rt, TranslatorInterface $translator)
@@ -142,7 +135,16 @@ class AccountController extends ApiController
 
 // prevent resend spamming
 if ($now - $obj->getDateCodeSent()->getTimestamp() < 300) {
- return new ApiResponse(false, 'Can only send confirm code every 5 mins.');
+ return new ApiResponse(false, 'You can only request a confirm code every 5 mins.');
+ }
+
+ $success_msg = 'We have re-sent a confirmation code to the submitted phone number if it is valid.';
+
+ // check if a customer record exists for this phone number
+ $cust_obj = $this->findCustomerByNumber($obj->getPhoneNumber());
+ if (empty($cust_obj)) {
+ // return successful without resending code if we don't find this customer
+ return new ApiResponse(true, $success_msg);
 }
 
 // use the test code if we're using a test number or are on test mode
@@ -150,7 +152,7 @@ class AccountController extends ApiController
 $code = $this->getConfirmCode($phone_number);
 
 // send sms to number if not in test mode
- if ($otp_mode != 'test') {
+ if ($this->getOtpMode()!= 'test') {
 $this->sendConfirmationCode($rt, $phone_number, $code, $translator);
 }
 
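Review bot: The confirm path still answers `'No account exists for this phone number.'` on the unchanged `if (empty($cust_obj))` line, while the request and resend paths in this same commit now return a uniform success message when no customer is found; the two behaviours disagree, and if this branch is reachable before the submitted code is validated (which the hunk does not show) it reveals which numbers have accounts. Either return the same neutral wording here, e.g. `return new ApiResponse(false, 'The request could not be confirmed.');`, or add a comment stating why disclosure is acceptable at this step. The enclosing method starts and ends outside the hunk.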
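Review bot: In resendCode the not-found branch returns immediately after `findCustomerByNumber`, whereas the found branch continues to `sendConfirmationCode` and `$this->em->flush()`, so the shared `$success_msg` equalises only the response text, not the response time. That residual difference should at least be documented on the early return, e.g. `// body is uniform with the send path; response timing is not, so do not rely on this alone`, so the next maintainer does not read the branch as a complete enumeration defence. The enclosing method begins outside the hunk.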
@@ -159,18 +161,15 @@ class AccountController extends ApiController
 $this->em->flush();
 
 // response
- return new ApiResponse();
+ return new ApiResponse(true, $success_msg);
 }
 
 protected function getConfirmCode($phone_number)
 {
- // get otp_mode from .env
- $otp_mode = $_ENV['OTP_MODE'];
-
 // check for hardcoded phone number for app store testing
 $test_numbers = explode(",", $_ENV['TEST_PHONE_NUMBERS']);
- if (in_array($phone_number, $test_numbers) || $otp_mode == 'test') {
+ if (in_array($phone_number, $test_numbers) || $this->getOtpMode() == 'test') {
 $code = "123456";
 } else {
 // generate code
@@ -191,4 +190,18 @@ class AccountController extends ApiController
 $message = $translator->trans('message.confirmation_code') . ' ' . $code;
 $rt->sendSMS($phone_number, $translator->trans('message.battery_brand_allcaps'), $message);
 }
+
+ protected function findCustomerByNumber($number)
+ {
+ $cust_obj = $this->em->getRepository(Customer::class)->findOneBy([
+ 'phone_mobile' => $number,
+ ]);
+
+ return $cust_obj;
+ }
+
+ protected function getOtpMode()
+ {
+ return $_ENV['OTP_MODE'];
+ }
 }
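Review bot: `in_array($phone_number, $test_numbers)` on the rewritten condition still uses loose comparison, so a submitted value that is numerically equal to a configured test number without being the same text also receives the fixed code `"123456"`; pass the strict flag, `if (in_array($phone_number, $test_numbers, true) || $this->getOtpMode() === 'test') {`. Since `$_ENV['TEST_PHONE_NUMBERS']` is exploded untrimmed, strict matching would then miss entries written with surrounding spaces, so normalise them first, e.g. `$test_numbers = array_map('trim', explode(',', $_ENV['TEST_PHONE_NUMBERS']));`. getConfirmCode continues past the end of the hunk.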
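Review bot: The two new helpers carry no parameter or return types and no docblocks: `findCustomerByNumber($number)` may return null from findOneBy, and `getOtpMode()` returns whatever `$_ENV['OTP_MODE']` holds, including null with a warning when the variable is unset. Declaring `protected function findCustomerByNumber(string $number): ?Customer` (or `?string` if the request parameter can be absent) and `protected function getOtpMode(): string { return $_ENV['OTP_MODE'] ?? ''; }` pins the contract the three call sites rely on when they compare the mode with `'test'`, and the intermediate `$cust_obj` can simply be returned directly.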