UserSessionController::validate_code does not correctly handle validation codes with leading zeros #2

Closed
wants to merge 1 commit into from


cjlarose

Consider the user enters the validation code `"012345"`. The list of `valid_codes` in `UserSessionController::validate_code` will contain `ROTP::TOTP.new(two_factor_secret).now`, which is the integer `12345`. When you call `.to_s` on that integer, you'll get `"12345"`. `"012345" != "12345"`, so even though the code was correct, validation fails. The solution outlined in my pull request calls `.to_i` on the `validation_code` that the user passes in and no longer calls `.to_s` on the validation codes computed by ROTP.

@robertwahler
Owner

Thanks for this! I pulled and added a couple specs and made a minor change so you can pass an integer or string to the validate_code method.
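
The comparison discussed in this thread, as an added example that is not code from the pull request or the project: it puts the string comparison from the report beside the `to_i` comparison and a stricter zero-padded check. All method names, `DIGITS` and the sample inputs are hypothetical, and the integers in `valid_codes` stand in for what the thread says ROTP returned.

```ruby
# Added example. Integer codes stand in for the values the thread says
# ROTP::TOTP#now returned; every name below is hypothetical.
DIGITS = 6 # assumed code length

# Comparison described in the report: Integer#to_s drops the leading zero.
def validate_buggy(input, valid_codes)
  valid_codes.map(&:to_s).include?(input.to_s)
end

# Comparison described in the pull request: convert the submitted code with to_i.
def validate_to_i(input, valid_codes)
  valid_codes.include?(input.to_i)
end

# Constant-time equality for two strings of equal length.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Stricter variant (an assumption, not the merged code): zero-pad the expected
# codes, require exactly DIGITS digits from a String, accept an Integer too.
def validate_strict(input, valid_codes)
  candidate = input.is_a?(Integer) ? format("%0#{DIGITS}d", input) : input.to_s
  return false unless candidate.match?(/\A\d{#{DIGITS}}\z/)
  valid_codes.map { |code| secure_compare(format("%0#{DIGITS}d", code), candidate) }.any?
end

# Constructed inputs: [submitted value, codes currently valid]
SAMPLES = [
  ["012345", [12345]],    # the case from the report
  [12345, [12345]],       # Integer input
  ["12345xyz", [12345]],  # to_i ignores trailing characters
  ["", [0]],              # to_i turns an empty string into 0
  ["012345\n", [12345]]   # trailing newline
].freeze

SAMPLES.each do |input, codes|
  puts format("%-12s buggy=%-5s to_i=%-5s strict=%s", input.inspect,
              validate_buggy(input, codes), validate_to_i(input, codes),
              validate_strict(input, codes))
end
```

`Kernel#Integer("012345")` is not a drop-in alternative to `to_i` here, because it reads the leading zero as an octal prefix.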
