
CRITICAL bug in your verify api #122

Open
huckym opened this issue May 29, 2023 · 8 comments

huckym commented May 29, 2023

Your api is validating an empty string as valid:

```js
{
  verificationId: '4d1e1f430aeb4b6b9f3c51e3b92ad541',
  code: '',
  err: null,
  response: {
    id: '4d1e1f430aeb4b6b9f3c51e3b92ad541',
    href: 'https://rest.messagebird.com/verify/4d1e1f430aeb4b6b9f3c51e3b92ad541',
    recipient: <masked>,
    originator: <masked>,
    type: 'email',
    reference: null,
    messages: {
      href: 'https://rest.messagebird.com/verify/messages/email/5daf351594d440e2be63f80f9f9afe73',
      id: '5daf351594d440e2be63f80f9f9afe73'
    },
    status: 'sent',
    createdDatetime: '2023-05-29T10:43:48+00:00',
    validUntilDatetime: '2023-05-29T10:58:48+00:00'
  }
}
```
huckym (author) commented May 29, 2023

Using the latest client, 4.0.1.

dennisvdvliet commented

@huckym Thanks for opening this issue.

Could you share steps to reproduce this? I have a bit of a hard time understanding what you did based on just this snippet of JSON.

huckym (author) commented Jun 2, 2023

Let me clarify. We use your Node.js client, but I'm not sure whether it is related to just this client or to the underlying API.
Passing an empty string to your verify API should've returned a non-null err in the callback, but instead it returns a null err and a valid response.

```ts
// Callback-style SDK call wrapped in a Promise, as used in our code
new Promise((resolve, reject) => {
  client.verify.verify(verificationId, code, (err: any, response: any) => {
    if (err) return reject(err)
    // console.log(response)
    return resolve(response)
  })
})
```

dennisvdvliet commented

And `code` on this line, `client.verify.verify(verificationId, code, (err: any, response: any) => {`, is an empty string in your case?

huckym (author) commented Jun 2, 2023

Yes, that was the JSON object :)

huckym (author) commented Jun 2, 2023

PS: sorry for being lazy with my quick report, but I hope it is clear now.

dennisvdvliet commented

Clear to me now.

So what seems to happen is the following. If you make an API request to verify a token but you submit an empty token (`token=`), our API considers this a request to just view the verify message (same as a GET request) [1].

I confirmed that this has no side effects (the verify code can still be verified only with the correct token). But I will put something up for the internal team to add proper validation on this parameter. This would result in a more explicit error message to the client.

Thanks again for reporting.

[1] https://developers.messagebird.com/api/verify/#view-a-verify-object

huckym (author) commented Jun 2, 2023

Thanks for explaining, and good to know this was specific to the empty-token case. Yes, there is no (documented) distinction between this and a successful validation, so it definitely warrants a review. We're now checking for valid code length too.
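The client-side guard discussed in this thread, written out as an added example (not code from the issue, the reporter, or the MessageBird SDK): the token is checked for shape before any request is sent, and only a response whose `status` is `'verified'` counts as success, so the `err === null` / `status: 'sent'` reply for an empty token can never pass. The SDK client is replaced by a constructed stand-in that reproduces the behaviour described above; the 6-digit numeric token format is an assumption.

```javascript
// Added example, not code from the issue thread or the MessageBird SDK.
// Assumption: verify tokens are numeric, 6 digits by default (tokenLength).
function isWellFormedToken(code, tokenLength = 6) {
  return typeof code === 'string' && new RegExp(`^[0-9]{${tokenLength}}$`).test(code);
}

// Classify the SDK callback result: 'error', 'verified', or 'not-verified'.
// An empty token yields err === null with status 'sent' (the behaviour reported
// in this thread); that is a read of the verify object, not a successful check.
function classifyResponse(err, response) {
  if (err) return 'error';
  return response && response.status === 'verified' ? 'verified' : 'not-verified';
}

// Promise wrapper around client.verify.verify with both guards applied.
function verifyToken(client, verificationId, code, opts = {}) {
  return new Promise((resolve, reject) => {
    // Reject before any request: '' would be sent as `token=`.
    if (!isWellFormedToken(code, opts.tokenLength)) {
      return reject(new Error('invalid verify token format'));
    }
    client.verify.verify(verificationId, code, (err, response) => {
      const outcome = classifyResponse(err, response);
      if (outcome === 'error') return reject(err);
      if (outcome !== 'verified') {
        const status = response && response.status;
        return reject(new Error(`verification not confirmed (status=${status})`));
      }
      return resolve(response);
    });
  });
}

// Constructed stand-in for the SDK client, reproducing the thread's behaviour:
// token '' -> err null + status 'sent'; wrong token -> err; correct -> 'verified'.
function makeFakeClient(verificationId, correctToken) {
  return { verify: { verify(id, token, cb) {
    if (id !== verificationId) return cb(new Error('verify object not found'), null);
    if (token === '') return cb(null, { id, status: 'sent' });
    if (token !== correctToken) return cb(new Error('token is invalid'), null);
    return cb(null, { id, status: 'verified' });
  } } };
}

const fakeClient = makeFakeClient('4d1e1f430aeb4b6b9f3c51e3b92ad541', '123456');
verifyToken(fakeClient, '4d1e1f430aeb4b6b9f3c51e3b92ad541', '')
  .then(() => console.log('BUG: empty token accepted'),
        (e) => console.log('rejected as expected:', e.message));
```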
