Add customer account validation and response spoofing to account deletion resend code method #746

This commit is contained in:
Ramon Gutierrez 2023-08-14 05:22:26 +08:00
parent b3b81e4e27
commit 3137d39a9a


@ -27,9 +27,6 @@ class AccountController extends ApiController
$phone_number = $req->request->get('phone_number'); $phone_number = $req->request->get('phone_number');
$reason = $req->request->get('reason'); $reason = $req->request->get('reason');
// get otp_mode from .env
$otp_mode = $_ENV['OTP_MODE'];
// use the test code if we're using a test number or are on test mode // use the test code if we're using a test number or are on test mode
$code = $this->getConfirmCode($phone_number); $code = $this->getConfirmCode($phone_number);
@ -39,9 +36,7 @@ class AccountController extends ApiController
$obj = new CustomerDeleteRequest(); $obj = new CustomerDeleteRequest();
// check if a customer record exists for this phone number // check if a customer record exists for this phone number
$cust_obj = $this->em->getRepository(Customer::class)->findOneBy([ $cust_obj = $this->findCustomerByNumber($phone_number);
'phone_mobile' => $phone_number,
]);
if (empty($cust_obj)) { if (empty($cust_obj)) {
// return a random id anyway if we don't find this customer // return a random id anyway if we don't find this customer
return new ApiResponse(true, $success_msg, [ return new ApiResponse(true, $success_msg, [
@ -55,7 +50,7 @@ class AccountController extends ApiController
$obj->setConfirmCode($code); $obj->setConfirmCode($code);
// send sms to number if not in test mode // send sms to number if not in test mode
if ($otp_mode != 'test') { if ($this->getOtpMode() != 'test') {
$this->sendConfirmationCode($rt, $phone_number, $code, $translator); $this->sendConfirmationCode($rt, $phone_number, $code, $translator);
} }
@ -98,9 +93,7 @@ class AccountController extends ApiController
} }
// check if a customer record exists for this phone number // check if a customer record exists for this phone number
$cust_obj = $this->em->getRepository(Customer::class)->findOneBy([ $cust_obj = $this->findCustomerByNumber($obj->getPhoneNumber());
'phone_mobile' => $obj->getPhoneNumber(),
]);
if (empty($cust_obj)) { if (empty($cust_obj)) {
return new ApiResponse(false, 'No account exists for this phone number.'); return new ApiResponse(false, 'No account exists for this phone number.');
} }
@ -112,7 +105,7 @@ class AccountController extends ApiController
$this->em->flush(); $this->em->flush();
// response // response
return new ApiResponse(); return new ApiResponse(true, 'Your request has been submitted for processing.');
} }
public function resendCode(Request $req, RisingTideGateway $rt, TranslatorInterface $translator) public function resendCode(Request $req, RisingTideGateway $rt, TranslatorInterface $translator)
@ -142,7 +135,16 @@ class AccountController extends ApiController
// prevent resend spamming // prevent resend spamming
if ($now - $obj->getDateCodeSent()->getTimestamp() < 300) { if ($now - $obj->getDateCodeSent()->getTimestamp() < 300) {
return new ApiResponse(false, 'Can only send confirm code every 5 mins.'); return new ApiResponse(false, 'You can only request a confirm code every 5 mins.');
}
$success_msg = 'We have re-sent a confirmation code to the submitted phone number if it is valid.';
// check if a customer record exists for this phone number
$cust_obj = $this->findCustomerByNumber($obj->getPhoneNumber());
if (empty($cust_obj)) {
// return successful without resending code if we don't find this customer
return new ApiResponse(true, $success_msg);
} }
// use the test code if we're using a test number or are on test mode // use the test code if we're using a test number or are on test mode
@ -150,7 +152,7 @@ class AccountController extends ApiController
$code = $this->getConfirmCode($phone_number); $code = $this->getConfirmCode($phone_number);
// send sms to number if not in test mode // send sms to number if not in test mode
if ($otp_mode != 'test') { if ($this->getOtpMode()!= 'test') {
$this->sendConfirmationCode($rt, $phone_number, $code, $translator); $this->sendConfirmationCode($rt, $phone_number, $code, $translator);
} }
@ -159,18 +161,15 @@ class AccountController extends ApiController
$this->em->flush(); $this->em->flush();
// response // response
return new ApiResponse(); return new ApiResponse(true, $success_msg);
} }
protected function getConfirmCode($phone_number) protected function getConfirmCode($phone_number)
{ {
// get otp_mode from .env
$otp_mode = $_ENV['OTP_MODE'];
// check for hardcoded phone number for app store testing // check for hardcoded phone number for app store testing
$test_numbers = explode(",", $_ENV['TEST_PHONE_NUMBERS']); $test_numbers = explode(",", $_ENV['TEST_PHONE_NUMBERS']);
if (in_array($phone_number, $test_numbers) || $otp_mode == 'test') { if (in_array($phone_number, $test_numbers) || $this->getOtpMode() == 'test') {
$code = "123456"; $code = "123456";
} else { } else {
// generate code // generate code
@ -191,4 +190,18 @@ class AccountController extends ApiController
$message = $translator->trans('message.confirmation_code') . ' ' . $code; $message = $translator->trans('message.confirmation_code') . ' ' . $code;
$rt->sendSMS($phone_number, $translator->trans('message.battery_brand_allcaps'), $message); $rt->sendSMS($phone_number, $translator->trans('message.battery_brand_allcaps'), $message);
} }
protected function findCustomerByNumber($number)
{
$cust_obj = $this->em->getRepository(Customer::class)->findOneBy([
'phone_mobile' => $number,
]);
return $cust_obj;
}
protected function getOtpMode()
{
return $_ENV['OTP_MODE'];
}
} }
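Review bot: The new `getOtpMode()` helper in the last hunk returns the raw `$_ENV['OTP_MODE']` read, so an unset variable emits an undefined-array-key warning and yields `null`, and all three call sites compare that value loosely (`!= 'test'`, `== 'test'`; the one in the resendCode hunk is also written `$this->getOtpMode()!= 'test'` with no space). Declare it as `protected function getOtpMode(): string { return $_ENV['OTP_MODE'] ?? ''; }` and switch the call sites to `!==` / `===`, which makes "unset means not test mode" the explicit, documented default rather than a side effect of a warning. `findCustomerByNumber` would likewise benefit from `string $number` and a `?Customer` return type so callers can test `=== null` instead of `empty()`. One caveat on the spoofing intent: the `'No account exists for this phone number.'` response in the confirm hunk still discloses account existence if that branch can be reached without a valid confirm code; the preceding check is outside the hunk, so I cannot confirm that from the visible lines.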