From 54d1c4439d248f31dec606583eba6d2c99cc3f06 Mon Sep 17 00:00:00 2001 From: Focuslinkstech <45756999+Focuslinkstech@users.noreply.github.com> Date: Wed, 21 Feb 2024 10:02:31 +0100 Subject: [PATCH 1/2] Bug Fix: OTP bugs add phone number validation to prevent invalid phone number, phone number must be 10 digits up fix issue with updating phone number without OTP --- system/controllers/accounts.php | 69 +++++++++++++++++++++++++-------- ui/ui/app-settings.tpl | 15 +++++++ 2 files changed, 67 insertions(+), 17 deletions(-) diff --git a/system/controllers/accounts.php b/system/controllers/accounts.php index 423134b..73b3f9c 100644 --- a/system/controllers/accounts.php +++ b/system/controllers/accounts.php @@ -122,6 +122,7 @@ switch ($action) { } break; + case 'phone-update': $d = ORM::for_table('tbl_customers')->find_one($user['id']); @@ -139,6 +140,11 @@ switch ($action) { $username = $user['username']; $otpPath = 'system/cache/sms/'; + // Validate the phone number format + if (!preg_match('/^[0-9]{10,}$/', $phone)) { + r2(U . 'accounts/phone-update', 'e', Lang::T('Invalid phone number format')); + } + if (empty($config['sms_url'])) { r2(U . 'accounts/phone-update', 'e', Lang::T('SMS server not Available, Please try again later')); } 
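Review bot: The validation regex `'/^[0-9]{10,}$/'` added in this hunk still accepts a value with a trailing newline, because `$` matches before a final `\n`; a submission such as `"1234567890\n"` passes and is then written to the phone file and handed to the sender unchanged. Anchor the pattern with `\z` or the `D` modifier: `if (!preg_match('/^[0-9]{10,}\z/', $phone)) {`. The same pattern is repeated in the hunk at @@ -177,41; a small shared helper would keep both copies in sync. Unlike that hunk, the `r2()` call here is not followed by `exit()`, so if `r2()` does not terminate the request itself (not visible here) execution continues into the OTP-sending path with a rejected number.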
@@ -163,7 +169,16 @@ switch ($action) {
 $otp = rand(100000, 999999);
 file_put_contents($otpFile, $otp);
 file_put_contents($phoneFile, $phone);
- Message::sendSMS($phone, $config['CompanyName'] . "\n Your Verification code is: $otp");
+ // send send OTP to user
+ if ($_c['phone_otp_type'] === 'sms') {
+ Message::sendSMS($phone, $config['CompanyName'] . "\n Your Verification code is: $otp");
+ } elseif ($_c['phone_otp_type'] === 'whatsapp') {
+ Message::sendWhatsapp($phone, $config['CompanyName'] . "\n Your Verification code is: $otp");
+ } elseif ($_c['phone_otp_type'] === 'both') {
+ Message::sendSMS($phone, $config['CompanyName'] . "\n Your Verification code is: $otp");
+ Message::sendWhatsapp($phone, $config['CompanyName'] . "\n Your Verification code is: $otp");
+ }
+ //redirect after sending OTP
 r2(U . 'accounts/phone-update', 'e', Lang::T('Verification code has been sent to your phone'));
 }
 }
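Review bot: When `$_c['phone_otp_type']` is unset or holds a value other than `sms`, `whatsapp` or `both`, the new if/elseif chain sends nothing, yet the OTP file has already been written and the user is told `Verification code has been sent to your phone`. Add a final branch that reports the misconfiguration instead of falling through, e.g. `} else { r2(U . 'accounts/phone-update', 'e', Lang::T('OTP delivery method is not configured')); }`. The four message constructions are identical, so building the text once before the chain would shorten it, and the comment `// send send OTP to user` has a duplicated word. `$_c` is used here while the surrounding lines read the same settings from `$config`; presumably both refer to the same array, which is worth confirming. The context line `$otp = rand(100000, 999999)` is untouched by this commit, but `random_int()` is the appropriate source for a verification code.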
@@ -177,41 +192,61 @@ switch ($action) { $username = $user['username']; $otpPath = 'system/cache/sms/'; + // Validate the phone number format + if (!preg_match('/^[0-9]{10,}$/', $phone)) { + r2(U . 'accounts/phone-update', 'e', Lang::T('Invalid phone number format')); + exit(); + } + if (!empty($config['sms_url'])) { $otpFile = $otpPath . sha1($username . $db_password) . ".txt"; $phoneFile = $otpPath . sha1($username . $db_password) . "_phone.txt"; + + // Check if OTP file exists + if (!file_exists($otpFile)) { + r2(U . 'accounts/phone-update', 'e', Lang::T('Please request OTP first')); + exit(); + } + // expired 10 minutes - if (file_exists($otpFile) && time() - filemtime($otpFile) > 1200) { + if (time() - filemtime($otpFile) > 1200) { unlink($otpFile); unlink($phoneFile); - r2(U . 'accounts/phone-update', 'e', 'Verification code expired'); - } else if (file_exists($otpFile)) { + r2(U . 'accounts/phone-update', 'e', Lang::T('Verification code expired')); + exit(); + } else { $code = file_get_contents($otpFile); + + // Check if OTP code matches if ($code != $otp_code) { - r2(U . 'accounts/phone-update', 'e', 'Wrong Verification code'); + r2(U . 'accounts/phone-update', 'e', Lang::T('Wrong Verification code')); exit(); - } elseif (file_exists($phoneFile)) { - $savedPhone = file_get_contents($phoneFile); - if ($savedPhone !== $phone) { - r2(U . 'accounts/phone-update', 'e', 'The phone number does not match the one that requested the OTP'); - exit(); - } else { - unlink($otpFile); - unlink($phoneFile); - } - } else { - r2(U . 'accounts/phone-update', 'e', 'No Verification code'); } + + // Check if the phone number matches the one that requested the OTP + $savedPhone = file_get_contents($phoneFile); + if ($savedPhone !== $phone) { + r2(U . 
'accounts/phone-update', 'e', Lang::T('The phone number does not match the one that requested the OTP')); + exit(); + } + + // OTP verification successful, delete OTP and phone number files + unlink($otpFile); + unlink($phoneFile); } + } else { + r2(U . 'accounts/phone-update', 'e', Lang::T('SMS server not available')); + exit(); } + // Update the phone number in the database $d = ORM::for_table('tbl_customers')->where('username', $username)->find_one(); if ($d) { $d->phonenumber = Lang::phoneFormat($phone); $d->save(); } - r2(U . 'accounts/profile', 's', 'Phone number updated successfully'); + r2(U . 'accounts/profile', 's', Lang::T('Phone number updated successfully')); break; default: diff --git a/ui/ui/app-settings.tpl b/ui/ui/app-settings.tpl index 7023f86..73ca71b 100644 --- a/ui/ui/app-settings.tpl +++ b/ui/ui/app-settings.tpl @@ -475,6 +475,21 @@
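Review bot: The OTP check `if ($code != $otp_code)` compares the stored code with the submitted one using loose `!=`, so PHP's numeric-string rules apply (for example `'0123456'` compares equal to `'123456'`); replace it with a strict, constant-time comparison, `if (!hash_equals((string) $code, (string) $otp_code)) {`. The rewritten block also drops the old `file_exists($phoneFile)` guard: if only `$otpFile` exists, `file_get_contents($phoneFile)` returns `false` with a warning and the user gets the misleading "does not match" message, so check for the phone file alongside the OTP file in the new `Please request OTP first` branch. Nothing limits the number of verification attempts against a six-digit code before the 1200-second expiry, so deleting both files after a small number of wrong codes would bound that, and the `// expired 10 minutes` comment above the check should read 20 minutes to match `1200`. The `exit()` calls added after each `r2()` suggest `r2()` does not end the request; if that is so, the same guard is missing after the `r2()` in the format-validation hunk at @@ -139,6. The enclosing `case 'phone-update'` block begins before this hunk.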

{Lang::T('OTP is required when user want to change phone number')}

+
+ +
+ +
+

{Lang::T('The method which OTP will be sent to user')}

+
{*
From 17c1675b4ab4701bc104a243d1545db3ab63bdb5 Mon Sep 17 00:00:00 2001 From: Focuslinkstech <45756999+Focuslinkstech@users.noreply.github.com> Date: Wed, 21 Feb 2024 10:13:05 +0100 Subject: [PATCH 2/2] Update accounts.php fix lang function --- system/controllers/accounts.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/controllers/accounts.php b/system/controllers/accounts.php index 73b3f9c..51f31a3 100644 --- a/system/controllers/accounts.php +++ b/system/controllers/accounts.php @@ -84,7 +84,7 @@ switch ($action) { $ui->assign('d', $d); $ui->display('user-profile.tpl'); } else { - r2(U . 'home', 'e', $_L['Account_Not_Found']); + r2(U . 'home', 'e', Lang::T('Account Not Found')); } break;