openware / barong

Barong auth server
https://www.openware.com
Apache License 2.0

Wrong session[:phone] == @phone_number comparison in phones_controller #462

Closed antonror closed 6 years ago

antonror commented 6 years ago

When adding a new phone, the form suggests starting with +. Later, when check_phone compares session[:phone] with @phone_number extracted from params, the following happens:

return if session[:phone] == @phone_number

With the actual data, it goes down to

return if '+380999999999' == '380999999999'

The return if doesn't apply correctly and there's always a "Confirmation code was sent to another number" error.

Possibly

'+380999999999'.include?'380999999999'

rxx commented 6 years ago

Phone has no '+' at that moment because of sanitizing https://github.com/rubykube/barong/blob/master/app/controllers/phones_controller.rb#L66

antonror commented 6 years ago

@maksim-litvinov correct, but please check session[:phone]. No sanitizing applies to session[:phone]; it is extracted straight from the session hash. And when entered with +, like +380999999999, the code compares +380999999999 to 380999999999. That was the issue.
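The comparison described in this thread, reproduced as an added example that is not Barong's own code: the raw session value versus the sanitized params value, the substring check suggested above, and a version that normalizes both sides before comparing. The digits-only sanitizer is an assumption about what the controller's sanitizing step does; the real one may differ.

```ruby
# Added example, not code from the Barong repository.
# Assumption: the controller's sanitizing step keeps digits only.
def sanitize_phone(raw)
  raw.to_s.gsub(/\D/, '')
end

# The comparison as described in the issue: the session value is stored raw
# (with its leading '+'), while the params value has been sanitized, so the
# two strings never match even for the same number.
def buggy_match?(session_phone, param_phone)
  session_phone == sanitize_phone(param_phone)
end

# The substring check proposed in the thread. It passes for the reported case,
# but also passes when the submitted digits are merely a substring of the
# stored number, which is too loose for a confirmation-code check.
def substring_match?(session_phone, param_phone)
  session_phone.include?(sanitize_phone(param_phone))
end

# Normalize both sides the same way before comparing, so a '+' or other
# formatting in either value no longer matters and only an exact
# digit-for-digit match is accepted; an empty value never matches.
def normalized_match?(session_phone, param_phone)
  a = sanitize_phone(session_phone)
  b = sanitize_phone(param_phone)
  !a.empty? && a == b
end

if __FILE__ == $PROGRAM_NAME
  stored    = '+380999999999' # constructed: number as entered, kept raw in session
  submitted = '+380999999999' # constructed: same number submitted for confirmation
  puts "buggy:      #{buggy_match?(stored, submitted)}"        # false
  puts "substring:  #{substring_match?(stored, '0999999999')}" # true (too loose)
  puts "normalized: #{normalized_match?(stored, submitted)}"   # true
end
```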