diff --git a/CHANGELOG.md b/CHANGELOG.md
index 239cf35..57571e1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@
v1.5
----
+- Fix FLEXIAPI-158 Restrict the phone number change API endpoint to return 403 if the account doesn't have a validated Account Creation Token
- Fix FLEXIAPI-156 Disable the Phone change web form when PHONE_AUTHENTICATION is disabled
- Fix FLEXIAPI-155 Add a new accountServiceAccountUpdatedHook and accountServiceAccountDeletedHook
- Fix FLEXIAPI-153 Add phone and email to be changed in the Activity panel
diff --git a/flexiapi/app/Http/Controllers/Api/Account/PhoneController.php b/flexiapi/app/Http/Controllers/Api/Account/PhoneController.php
index e0bd025..924ee36 100644
--- a/flexiapi/app/Http/Controllers/Api/Account/PhoneController.php
+++ b/flexiapi/app/Http/Controllers/Api/Account/PhoneController.php
@@ -33,6 +33,10 @@ class PhoneController extends Controller
return abort(403, 'Account blocked');
}
+ if (!$request->user()->accountCreationToken?->consumed()) {
+ return abort(403, 'Account unvalidated');
+ }
+
return (new AccountService)->requestPhoneChange($request);
}
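Review bot: The new guard at L19 relies on a subtle null path: `?->` makes the whole chain `null` when no token is attached, and `!null` is `true`, so "no token at all" and "token present but not consumed" both end in the 403 — nothing in the hunk says that is intended, so a one-line comment such as `// No token, or an unconsumed one, means the account was never validated: refuse the phone change.` would keep a later reader from "fixing" the null case. The check also assumes `accountCreationToken` is a single-model relation and that `consumed()` reflects the `used` flag the factory sets; neither is visible here and both are worth confirming. The sibling `/me/email/request` endpoint exercised in AccountBlockingTest gets no equivalent gate in this commit, so if the validated-token requirement is meant to cover it too, that is still missing. The enclosing method starts outside the hunk.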
diff --git a/flexiapi/composer.lock b/flexiapi/composer.lock
index f474f39..e3243ae 100644
--- a/flexiapi/composer.lock
+++ b/flexiapi/composer.lock
@@ -4525,16 +4525,16 @@
},
{
"name": "psy/psysh",
- "version": "v0.12.2",
+ "version": "v0.12.3",
"source": {
"type": "git",
"url": "https://github.com/bobthecow/psysh.git",
- "reference": "9185c66c2165bbf4d71de78a69dccf4974f9538d"
+ "reference": "b6b6cce7d3ee8fbf31843edce5e8f5a72eff4a73"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/bobthecow/psysh/zipball/9185c66c2165bbf4d71de78a69dccf4974f9538d",
- "reference": "9185c66c2165bbf4d71de78a69dccf4974f9538d",
+ "url": "https://api.github.com/repos/bobthecow/psysh/zipball/b6b6cce7d3ee8fbf31843edce5e8f5a72eff4a73",
+ "reference": "b6b6cce7d3ee8fbf31843edce5e8f5a72eff4a73",
"shasum": ""
},
"require": {
@@ -4598,9 +4598,9 @@
],
"support": {
"issues": "https://github.com/bobthecow/psysh/issues",
- "source": "https://github.com/bobthecow/psysh/tree/v0.12.2"
+ "source": "https://github.com/bobthecow/psysh/tree/v0.12.3"
},
- "time": "2024-03-17T01:53:00+00:00"
+ "time": "2024-04-02T15:57:53+00:00"
},
{
"name": "ralouphie/getallheaders",
@@ -9014,16 +9014,16 @@
"packages-dev": [
{
"name": "barryvdh/laravel-debugbar",
- "version": "v3.13.0",
+ "version": "v3.13.1",
"source": {
"type": "git",
"url": "https://github.com/barryvdh/laravel-debugbar.git",
- "reference": "354a42f3e0b083cdd6f9da5a9d1c0c63b074547a"
+ "reference": "2f046cb8e0650d1d08b635c90e15c84d09c6288d"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/barryvdh/laravel-debugbar/zipball/354a42f3e0b083cdd6f9da5a9d1c0c63b074547a",
- "reference": "354a42f3e0b083cdd6f9da5a9d1c0c63b074547a",
+ "url": "https://api.github.com/repos/barryvdh/laravel-debugbar/zipball/2f046cb8e0650d1d08b635c90e15c84d09c6288d",
+ "reference": "2f046cb8e0650d1d08b635c90e15c84d09c6288d",
"shasum": ""
},
"require": {
@@ -9082,7 +9082,7 @@
],
"support": {
"issues": "https://github.com/barryvdh/laravel-debugbar/issues",
- "source": "https://github.com/barryvdh/laravel-debugbar/tree/v3.13.0"
+ "source": "https://github.com/barryvdh/laravel-debugbar/tree/v3.13.1"
},
"funding": [
{
@@ -9094,7 +9094,7 @@
"type": "github"
}
],
- "time": "2024-04-01T16:39:30+00:00"
+ "time": "2024-04-03T11:41:11+00:00"
},
{
"name": "composer/pcre",
@@ -9357,16 +9357,16 @@
},
{
"name": "maximebf/debugbar",
- "version": "v1.22.1",
+ "version": "v1.22.2",
"source": {
"type": "git",
"url": "https://github.com/maximebf/php-debugbar.git",
- "reference": "d7b6e1dc2dc85c01ed63ab158b00a7f46abdebcc"
+ "reference": "424be4f885f278edddf4ffa2e3dd41dc04279096"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/maximebf/php-debugbar/zipball/d7b6e1dc2dc85c01ed63ab158b00a7f46abdebcc",
- "reference": "d7b6e1dc2dc85c01ed63ab158b00a7f46abdebcc",
+ "url": "https://api.github.com/repos/maximebf/php-debugbar/zipball/424be4f885f278edddf4ffa2e3dd41dc04279096",
+ "reference": "424be4f885f278edddf4ffa2e3dd41dc04279096",
"shasum": ""
},
"require": {
@@ -9419,9 +9419,9 @@
],
"support": {
"issues": "https://github.com/maximebf/php-debugbar/issues",
- "source": "https://github.com/maximebf/php-debugbar/tree/v1.22.1"
+ "source": "https://github.com/maximebf/php-debugbar/tree/v1.22.2"
},
- "time": "2024-04-01T10:44:20+00:00"
+ "time": "2024-04-03T11:46:22+00:00"
},
{
"name": "mockery/mockery",
diff --git a/flexiapi/database/factories/AccountFactory.php b/flexiapi/database/factories/AccountFactory.php
index e60e3cf..1bf0ad1 100644
--- a/flexiapi/database/factories/AccountFactory.php
+++ b/flexiapi/database/factories/AccountFactory.php
@@ -24,6 +24,7 @@ use Illuminate\Database\Eloquent\Factories\Factory;
use Awobaz\Compoships\Database\Eloquent\Factories\ComposhipsFactory;
use App\Account;
+use App\AccountCreationToken;
use App\Http\Controllers\Account\AuthenticateController as WebAuthenticateController;
class AccountFactory extends Factory
@@ -54,4 +55,15 @@ class AccountFactory extends Factory
'admin' => true,
]);
}
+
+ public function withConsumedAccountCreationToken()
+ {
+ return $this->state(fn (array $attributes) => [])->afterCreating(function (Account $account) {
+ $accountCreationToken = new AccountCreationToken;
+ $accountCreationToken->token = 'test_token';
+ $accountCreationToken->account_id = $account->id;
+ $accountCreationToken->used = true;
+ $accountCreationToken->save();
+ });
+ }
}
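Review bot: The `->state(fn (array $attributes) => [])` call at L151 registers an empty state and does nothing; `return $this->afterCreating(function (Account $account) { … });` is equivalent and clearer. The method is also untyped — `public function withConsumedAccountCreationToken(): static` matches the factory's fluent style. The fixed `'test_token'` value will collide if the token column is unique and one test creates two such accounts; `$accountCreationToken->token = bin2hex(random_bytes(8));` sidesteps that without an import, though the schema isn't visible here so treat it as a precaution. A short docblock stating that the state models an account whose creation token has already been consumed (i.e. a validated account) would document why tests that need a 200 from the phone endpoint must use it.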
diff --git a/flexiapi/resources/views/api/documentation_markdown.blade.php b/flexiapi/resources/views/api/documentation_markdown.blade.php
index 97997c6..f1a8973 100644
--- a/flexiapi/resources/views/api/documentation_markdown.blade.php
+++ b/flexiapi/resources/views/api/documentation_markdown.blade.php
@@ -102,7 +102,7 @@ Create and return an `account_creation_request_token` that should then be valida
## Account Creation Tokens
-An `account_creation_token` is a unique token that allow the creation of a **unique** account.
+An `account_creation_token` is a unique token that allow the creation or the validation of a unique account.
### `POST /account_creation_tokens/send-by-push`
Public
@@ -390,7 +390,9 @@ JSON parameters:
### `POST /accounts/me/phone/request`
User
-Request a specific code by SMS
+Request a specific code by SMS.
+
+Will return `403` if the account doesn't have a validated Account Creation Token attached to it.
JSON parameters:
diff --git a/flexiapi/tests/Feature/AccountBlockingTest.php b/flexiapi/tests/Feature/AccountBlockingTest.php
index bae6008..3bcf854 100644
--- a/flexiapi/tests/Feature/AccountBlockingTest.php
+++ b/flexiapi/tests/Feature/AccountBlockingTest.php
@@ -20,7 +20,6 @@
namespace Tests\Feature;
use App\Account;
-use App\Password;
use Tests\TestCase;
class AccountBlockingTest extends TestCase
@@ -30,17 +29,17 @@ class AccountBlockingTest extends TestCase
public function testBlocking()
{
- $password = Password::factory()->create();
- $password->account->generateApiKey();
+ $account = Account::factory()->withConsumedAccountCreationToken()->create();
+ $account->generateApiKey();
config()->set('app.blocking_amount_events_authorized_during_period', 2);
- $this->keyAuthenticated($password->account)
+ $this->keyAuthenticated($account)
->json($this->method, $this->route . '/me/phone/request', [
'phone' => '+331234'
])->assertStatus(200);
- $this->keyAuthenticated($password->account)
+ $this->keyAuthenticated($account)
->json($this->method, $this->route . '/me/email/request', [
'email' => 'foo@bar.com'
])->assertStatus(403);
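Review bot: The 200 on `/me/phone/request` at L200 now passes only because the account was built with `withConsumedAccountCreationToken()` at L193, but the test body gives no hint of that dependency; a comment on L193 such as `// A consumed creation token is required, otherwise /me/phone/request returns 403 before blocking is exercised` would record why a plain `Account::factory()->create()` is not enough here. Since both the blocked and the unvalidated paths answer 403 with only the message differing, asserting the status alone cannot tell which gate fired; the same applies to the new test in ApiAccountPhoneChangeTest.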
@@ -48,27 +47,27 @@ class AccountBlockingTest extends TestCase
public function testAdminBlocking()
{
- $password = Password::factory()->create();
- $password->account->generateApiKey();
+ $account = Account::factory()->create();
+ $account->generateApiKey();
$admin = Account::factory()->admin()->create();
$admin->generateApiKey();
- $this->keyAuthenticated($password->account)
+ $this->keyAuthenticated($account)
->get($this->route . '/me')->assertStatus(200);
$this->keyAuthenticated($admin)
- ->json($this->method, $this->route . '/' . $password->account->id .'/block')
+ ->json($this->method, $this->route . '/' . $account->id .'/block')
->assertStatus(200);
- $this->keyAuthenticated($password->account)
+ $this->keyAuthenticated($account)
->get($this->route . '/me')->assertStatus(403);
$this->keyAuthenticated($admin)
- ->json($this->method, $this->route . '/' . $password->account->id .'/unblock')
+ ->json($this->method, $this->route . '/' . $account->id .'/unblock')
->assertStatus(200);
- $this->keyAuthenticated($password->account)
+ $this->keyAuthenticated($account)
->get($this->route . '/me')->assertStatus(200);
}
}
diff --git a/flexiapi/tests/Feature/ApiAccountPhoneChangeTest.php b/flexiapi/tests/Feature/ApiAccountPhoneChangeTest.php
index c61eebf..e126c3f 100644
--- a/flexiapi/tests/Feature/ApiAccountPhoneChangeTest.php
+++ b/flexiapi/tests/Feature/ApiAccountPhoneChangeTest.php
@@ -19,7 +19,7 @@
namespace Tests\Feature;
-use App\Password;
+use App\Account;
use App\PhoneChangeCode;
use Tests\TestCase;
@@ -30,23 +30,35 @@ class ApiAccountPhoneChangeTest extends TestCase
public function testRequest()
{
- $password = Password::factory()->create();
- $password->account->generateApiKey();
+ $account = Account::factory()->withConsumedAccountCreationToken()->create();
+ $account->generateApiKey();
- $this->keyAuthenticated($password->account)
+ $this->keyAuthenticated($account)
->json($this->method, $this->route.'/request', [
'phone' => 'blabla'
])
->assertStatus(422);
// Send a SMS
- /*$this->keyAuthenticated($password->account)
+ /*$this->keyAuthenticated($account)
->json($this->method, $this->route.'/request', [
'phone' => '+3312345678'
])
->assertStatus(200);*/
}
+ public function testUnvalidatedAccount()
+ {
+ $account = Account::factory()->create();
+ $account->generateApiKey();
+
+ $this->keyAuthenticated($account)
+ ->json($this->method, $this->route.'/request', [
+ 'phone' => 'blabla'
+ ])
+ ->assertStatus(403);
+ }
+
public function testConfirmLongCode()
{
$phoneChange = PhoneChangeCode::factory()->create();
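Review bot: `testUnvalidatedAccount` at L265 only covers an account with no creation token at all, so the `consumed()` branch of the new guard — a token that exists but was never used — is not exercised; a second case that attaches an `AccountCreationToken` with `used = false` and expects 403 would pin that path, and a comment on the existing test such as `// No token attached at all: the nullsafe chain yields null and the request is refused` would explain why the 403 is expected before the phone value is even validated. The `->assertStatus(403)` at L274 cannot distinguish the unvalidated rejection from the blocked-account rejection, which returns the same status; if the JSON exception handler surfaces the abort message, `->assertJson(['message' => 'Account unvalidated'])` would make the assertion specific.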