UserSessionController::validate_code does not correctly handle validation codes with leading zeros #2

Closed
wants to merge 1 commit into
base: master
from

cjlarose commented Jul 26, 2013

Consider the user enters the validation code "012345". The list of valid_codes in UserSessionController::validate_code will contain ROTP::TOTP.new(two_factor_secret).now, which is the integer 12345. When you call .to_s on that integer, you'll get "12345". "012345" != "12345", so even though the code was correct, validation fails. The solution outlined in my pull request calls .to_i on the validation_code that the user passes in and no longer calls .to_s on the validation codes computed by ROTP.

Owner

robertwahler commented Jul 26, 2013

Thanks for this! I pulled and added a couple specs and made a minor change so you can pass an integer or string to the validate_code method.
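
The comparison discussed in this thread, as an added example that is not code from the pull request or the project: it contrasts the string comparison that drops leading zeros with the integer comparison, and adds a stricter zero-padded variant that rejects input `to_i` would parse leniently. The method names, the RFC 4226 test secret, and the use of a plain HOTP computation in place of ROTP are assumptions made for illustration.

```ruby
require 'openssl'

DIGITS = 6
SECRET = '12345678901234567890' # constructed sample: RFC 4226 test secret

# RFC 4226 HOTP value returned as an Integer, the form the thread says ROTP
# produced. TOTP is the same computation with counter = Time.now.to_i / 30.
def hotp_integer(secret, counter)
  hmac = OpenSSL::HMAC.digest('sha1', secret, [counter].pack('Q>'))
  offset = hmac.bytes.last & 0x0f
  (hmac[offset, 4].unpack1('N') & 0x7fffffff) % 10**DIGITS
end

# Behaviour reported in the thread: integers are stringified, leading zeros are lost.
def validate_to_s(input, valid_codes)
  valid_codes.map(&:to_s).include?(input.to_s)
end

# Approach described in the pull request: compare as integers.
def validate_to_i(input, valid_codes)
  valid_codes.include?(input.to_i)
end

# Stricter variant (an assumption, not the project's code): require exactly
# DIGITS digits, then compare zero-padded strings byte by byte without early exit.
def validate_strict(input, valid_codes)
  candidate = input.is_a?(Integer) ? format("%0#{DIGITS}d", input) : input.to_s
  return false unless candidate.match?(/\A\d{#{DIGITS}}\z/)
  valid_codes.any? do |code|
    expected = format("%0#{DIGITS}d", code)
    expected.bytes.zip(candidate.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# First counter whose code is below 100000, i.e. is displayed with a leading zero.
def first_leading_zero_counter(secret)
  (0..10_000).find { |c| hotp_integer(secret, c) < 10**(DIGITS - 1) }
end

if __FILE__ == $PROGRAM_NAME
  code = hotp_integer(SECRET, first_leading_zero_counter(SECRET))
  typed = format("%0#{DIGITS}d", code) # what the user reads off the authenticator
  puts "typed=#{typed} to_s=#{validate_to_s(typed, [code])} " \
       "to_i=#{validate_to_i(typed, [code])} strict=#{validate_strict(typed, [code])}"
end
```

`String#to_i` ignores trailing non-digits and returns 0 for empty or non-numeric input, which is why the strict variant checks the input's shape before comparing.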
