Fix FLEXIAPI-158 Restrict the phone number change API endpoint to return 403...

This commit is contained in:
Timothée Jaussoin 2024-04-03 14:05:35 +00:00
parent c5f001e337
commit 3dc9f93216
7 changed files with 67 additions and 37 deletions


@ -2,6 +2,7 @@
v1.5
----
- Fix FLEXIAPI-158 Restrict the phone number change API endpoint to return 403 if the account doesn't have a validated Account Creation Token
- Fix FLEXIAPI-156 Disable the Phone change web form when PHONE_AUTHENTICATION is disabled
- Fix FLEXIAPI-155 Add a new accountServiceAccountUpdatedHook and accountServiceAccountDeletedHook
- Fix FLEXIAPI-153 Add phone and email to be changed in the Activity panel


@ -33,6 +33,10 @@ class PhoneController extends Controller
return abort(403, 'Account blocked');
}
if (!$request->user()->accountCreationToken?->consumed()) {
return abort(403, 'Account unvalidated');
}
return (new AccountService)->requestPhoneChange($request);
}
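Review bot: The new guard on the `accountCreationToken?->consumed()` line handles a missing token correctly (the nullsafe chain yields null, which `!` treats as unvalidated), but the rule now lives inline in one controller action while the web phone-change form and any other endpoint that should be limited to validated accounts will need the same test; a single accessor on the account model (name to choose) called from here would keep the rule from drifting between callers. A one-line why-comment above the condition would also help the next reader, e.g. `// Phone change is only allowed once the account has consumed its Account Creation Token (FLEXIAPI-158)`. Because both the blocked and the unvalidated rejections answer 403, the accompanying feature tests should pin the body, e.g. `->assertJson(['message' => 'Account unvalidated'])`, so a regression in one guard is not masked by the other. The enclosing method begins outside this hunk.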

flexiapi/composer.lock generated

@ -4525,16 +4525,16 @@
},
{
"name": "psy/psysh",
"version": "v0.12.2",
"version": "v0.12.3",
"source": {
"type": "git",
"url": "https://github.com/bobthecow/psysh.git",
"reference": "9185c66c2165bbf4d71de78a69dccf4974f9538d"
"reference": "b6b6cce7d3ee8fbf31843edce5e8f5a72eff4a73"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/bobthecow/psysh/zipball/9185c66c2165bbf4d71de78a69dccf4974f9538d",
"reference": "9185c66c2165bbf4d71de78a69dccf4974f9538d",
"url": "https://api.github.com/repos/bobthecow/psysh/zipball/b6b6cce7d3ee8fbf31843edce5e8f5a72eff4a73",
"reference": "b6b6cce7d3ee8fbf31843edce5e8f5a72eff4a73",
"shasum": ""
},
"require": {
@ -4598,9 +4598,9 @@
],
"support": {
"issues": "https://github.com/bobthecow/psysh/issues",
"source": "https://github.com/bobthecow/psysh/tree/v0.12.2"
"source": "https://github.com/bobthecow/psysh/tree/v0.12.3"
},
"time": "2024-03-17T01:53:00+00:00"
"time": "2024-04-02T15:57:53+00:00"
},
{
"name": "ralouphie/getallheaders",
@ -9014,16 +9014,16 @@
"packages-dev": [
{
"name": "barryvdh/laravel-debugbar",
"version": "v3.13.0",
"version": "v3.13.1",
"source": {
"type": "git",
"url": "https://github.com/barryvdh/laravel-debugbar.git",
"reference": "354a42f3e0b083cdd6f9da5a9d1c0c63b074547a"
"reference": "2f046cb8e0650d1d08b635c90e15c84d09c6288d"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/barryvdh/laravel-debugbar/zipball/354a42f3e0b083cdd6f9da5a9d1c0c63b074547a",
"reference": "354a42f3e0b083cdd6f9da5a9d1c0c63b074547a",
"url": "https://api.github.com/repos/barryvdh/laravel-debugbar/zipball/2f046cb8e0650d1d08b635c90e15c84d09c6288d",
"reference": "2f046cb8e0650d1d08b635c90e15c84d09c6288d",
"shasum": ""
},
"require": {
@ -9082,7 +9082,7 @@
],
"support": {
"issues": "https://github.com/barryvdh/laravel-debugbar/issues",
"source": "https://github.com/barryvdh/laravel-debugbar/tree/v3.13.0"
"source": "https://github.com/barryvdh/laravel-debugbar/tree/v3.13.1"
},
"funding": [
{
@ -9094,7 +9094,7 @@
"type": "github"
}
],
"time": "2024-04-01T16:39:30+00:00"
"time": "2024-04-03T11:41:11+00:00"
},
{
"name": "composer/pcre",
@ -9357,16 +9357,16 @@
},
{
"name": "maximebf/debugbar",
"version": "v1.22.1",
"version": "v1.22.2",
"source": {
"type": "git",
"url": "https://github.com/maximebf/php-debugbar.git",
"reference": "d7b6e1dc2dc85c01ed63ab158b00a7f46abdebcc"
"reference": "424be4f885f278edddf4ffa2e3dd41dc04279096"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/maximebf/php-debugbar/zipball/d7b6e1dc2dc85c01ed63ab158b00a7f46abdebcc",
"reference": "d7b6e1dc2dc85c01ed63ab158b00a7f46abdebcc",
"url": "https://api.github.com/repos/maximebf/php-debugbar/zipball/424be4f885f278edddf4ffa2e3dd41dc04279096",
"reference": "424be4f885f278edddf4ffa2e3dd41dc04279096",
"shasum": ""
},
"require": {
@ -9419,9 +9419,9 @@
],
"support": {
"issues": "https://github.com/maximebf/php-debugbar/issues",
"source": "https://github.com/maximebf/php-debugbar/tree/v1.22.1"
"source": "https://github.com/maximebf/php-debugbar/tree/v1.22.2"
},
"time": "2024-04-01T10:44:20+00:00"
"time": "2024-04-03T11:46:22+00:00"
},
{
"name": "mockery/mockery",


@ -24,6 +24,7 @@ use Illuminate\Database\Eloquent\Factories\Factory;
use Awobaz\Compoships\Database\Eloquent\Factories\ComposhipsFactory;
use App\Account;
use App\AccountCreationToken;
use App\Http\Controllers\Account\AuthenticateController as WebAuthenticateController;
class AccountFactory extends Factory
@ -54,4 +55,15 @@ class AccountFactory extends Factory
'admin' => true,
]);
}
public function withConsumedAccountCreationToken()
{
return $this->state(fn (array $attributes) => [])->afterCreating(function (Account $account) {
$accountCreationToken = new AccountCreationToken;
$accountCreationToken->token = 'test_token';
$accountCreationToken->account_id = $account->id;
$accountCreationToken->used = true;
$accountCreationToken->save();
});
}
}
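Review bot: `withConsumedAccountCreationToken` writes a fixed `token = 'test_token'`, so two accounts built with this state in the same test will collide if the `token` column is unique (the schema is not part of this diff); a per-instance value such as `$accountCreationToken->token = bin2hex(random_bytes(16));` avoids that. The `->state(fn (array $attributes) => [])` wrapper is a no-op and can be dropped, leaving `return $this->afterCreating(function (Account $account) { ... });`. A short doc comment on the method stating that the token is created already consumed (`used = true`, presumably what `consumed()` inspects) so the account passes the phone-change validation guard would make the intent of the state clear to test authors.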


@ -102,7 +102,7 @@ Create and return an `account_creation_request_token` that should then be valida
## Account Creation Tokens
An `account_creation_token` is a unique token that allow the creation of a **unique** account.
An `account_creation_token` is a unique token that allow the creation or the validation of a unique account.
### `POST /account_creation_tokens/send-by-push`
<span class="badge badge-success">Public</span>
@ -390,7 +390,9 @@ JSON parameters:
### `POST /accounts/me/phone/request`
<span class="badge badge-info">User</span>
Request a specific code by SMS
Request a specific code by SMS.
Will return `403` if the account doesn't have a validated <a href='#account-creation-tokens'>Account Creation Token</a> attached to it.
JSON parameters:


@ -20,7 +20,6 @@
namespace Tests\Feature;
use App\Account;
use App\Password;
use Tests\TestCase;
class AccountBlockingTest extends TestCase
@ -30,17 +29,17 @@ class AccountBlockingTest extends TestCase
public function testBlocking()
{
$password = Password::factory()->create();
$password->account->generateApiKey();
$account = Account::factory()->withConsumedAccountCreationToken()->create();
$account->generateApiKey();
config()->set('app.blocking_amount_events_authorized_during_period', 2);
$this->keyAuthenticated($password->account)
$this->keyAuthenticated($account)
->json($this->method, $this->route . '/me/phone/request', [
'phone' => '+331234'
])->assertStatus(200);
$this->keyAuthenticated($password->account)
$this->keyAuthenticated($account)
->json($this->method, $this->route . '/me/email/request', [
'email' => 'foo@bar.com'
])->assertStatus(403);
@ -48,27 +47,27 @@ class AccountBlockingTest extends TestCase
public function testAdminBlocking()
{
$password = Password::factory()->create();
$password->account->generateApiKey();
$account = Account::factory()->create();
$account->generateApiKey();
$admin = Account::factory()->admin()->create();
$admin->generateApiKey();
$this->keyAuthenticated($password->account)
$this->keyAuthenticated($account)
->get($this->route . '/me')->assertStatus(200);
$this->keyAuthenticated($admin)
->json($this->method, $this->route . '/' . $password->account->id .'/block')
->json($this->method, $this->route . '/' . $account->id .'/block')
->assertStatus(200);
$this->keyAuthenticated($password->account)
$this->keyAuthenticated($account)
->get($this->route . '/me')->assertStatus(403);
$this->keyAuthenticated($admin)
->json($this->method, $this->route . '/' . $password->account->id .'/unblock')
->json($this->method, $this->route . '/' . $account->id .'/unblock')
->assertStatus(200);
$this->keyAuthenticated($password->account)
$this->keyAuthenticated($account)
->get($this->route . '/me')->assertStatus(200);
}
}


@ -19,7 +19,7 @@
namespace Tests\Feature;
use App\Password;
use App\Account;
use App\PhoneChangeCode;
use Tests\TestCase;
@ -30,23 +30,35 @@ class ApiAccountPhoneChangeTest extends TestCase
public function testRequest()
{
$password = Password::factory()->create();
$password->account->generateApiKey();
$account = Account::factory()->withConsumedAccountCreationToken()->create();
$account->generateApiKey();
$this->keyAuthenticated($password->account)
$this->keyAuthenticated($account)
->json($this->method, $this->route.'/request', [
'phone' => 'blabla'
])
->assertStatus(422);
// Send a SMS
/*$this->keyAuthenticated($password->account)
/*$this->keyAuthenticated($account)
->json($this->method, $this->route.'/request', [
'phone' => '+3312345678'
])
->assertStatus(200);*/
}
public function testUnvalidatedAccount()
{
$account = Account::factory()->create();
$account->generateApiKey();
$this->keyAuthenticated($account)
->json($this->method, $this->route.'/request', [
'phone' => 'blabla'
])
->assertStatus(403);
}
public function testConfirmLongCode()
{
$phoneChange = PhoneChangeCode::factory()->create();