heapsource / active_model_otp

Adds methods to set and authenticate against one-time passwords (two-factor authentication). Inspired by AM::SecurePassword
MIT License

Token with empty string returns true on authenticate_otp #95

Closed. jarkelen closed this 2 years ago

jarkelen commented 2 years ago

I authenticate the token filled in by the user like this, where params[:otp_token] is the token the user entered in the view:

result = current_user.authenticate_otp(params[:otp_token], drift: 300)

I noticed that when params[:otp_token] is an empty string, the result is true; shouldn't it be false? In my opinion, any empty or nil value should always result in false.
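The situation above, as an added example that is not part of this issue or of the active_model_otp gem: a stand-alone Ruby TOTP check in the shape of authenticate_otp(code, drift:), with an application-level guard that rejects nil, empty, whitespace-only or malformed tokens before any code is generated or compared, so an empty params[:otp_token] can never validate whatever the library underneath does. The TOTP helpers, the secret and the fixed clock are constructed assumptions (the secret is the RFC 4226 test value), not the gem's code.

```ruby
require "openssl"

# Hypothetical minimal TOTP (RFC 6238: HMAC-SHA1, 6 digits, 30 s step), written
# so the example runs without the active_model_otp or rotp gems.
STEP   = 30
DIGITS = 6

def hotp(secret, counter)
  msg  = [counter].pack("Q>")                         # 8-byte big-endian counter
  hmac = OpenSSL::HMAC.digest("SHA1", secret, msg)
  off  = hmac[-1].ord & 0x0f                           # dynamic truncation offset
  code = hmac[off, 4].unpack1("N") & 0x7fffffff
  format("%0#{DIGITS}d", code % (10**DIGITS))
end

def totp(secret, time)
  hotp(secret, time.to_i / STEP)
end

# Constant-time comparison so the check itself does not leak which digits matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Same call shape as authenticate_otp(code, drift:), but the guard comes first:
# a nil, empty, whitespace-only or non-6-digit token is rejected before any OTP
# is generated or compared. This is the app-level check the issue asks for.
def authenticate_otp(secret, code, drift: 0, now: Time.now)
  return false if code.nil?
  code = code.to_s.strip
  return false unless code.match?(/\A\d{#{DIGITS}}\z/)
  t = now.to_i
  first = (t - drift) / STEP                           # earliest step in the drift window
  last  = (t + drift) / STEP                           # latest step in the drift window
  (first..last).any? { |c| secure_equal?(hotp(secret, c), code) }
end

if __FILE__ == $PROGRAM_NAME
  secret = "12345678901234567890"                      # RFC 4226 test secret
  now    = Time.at(1_700_000_000)                      # constructed fixed clock
  puts authenticate_otp(secret, totp(secret, now), drift: 300, now: now)  # true
  puts authenticate_otp(secret, "", drift: 300, now: now)                 # false
end
```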

pedrofurtado commented 2 years ago

Hello, @jarkelen ! 👋

Thanks for your report.

I've opened a pull request with that bugfix; can you test it inside your application? I believe it will be fixed now.

To test, please make something like this in your Gemfile:

gem 'active_model_otp', github: 'heapsource/active_model_otp', branch: 'master'

jarkelen commented 2 years ago

Sorry for my late reaction, it works, thanks!