Check verification codes for changing phone numbers against the stand-alone registration service when possible

2022-10-13 18:04:15 -04:00 · 2022-10-13 18:04:15 -04:00 · 0a64e31625
parent 3c6c6c3706
commit 0a64e31625
2 changed files with 65 additions and 3 deletions
--- a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java
@ -552,13 +552,20 @@ public class AccountController {

      rateLimiters.getVerifyLimiter().validate(number);

-      final Optional<StoredVerificationCode> storedVerificationCode = pendingAccounts.getCodeForNumber(number);
+      final Optional<StoredVerificationCode> maybeStoredVerificationCode = pendingAccounts.getCodeForNumber(number);

-      if (storedVerificationCode.isEmpty() || !storedVerificationCode.get().isValid(request.code())) {
+      final boolean codeVerified = maybeStoredVerificationCode.map(storedVerificationCode ->
+              storedVerificationCode.sessionId() != null ?
+                  registrationServiceClient.checkVerificationCode(storedVerificationCode.sessionId(),
+                      request.code(), REGISTRATION_RPC_TIMEOUT).join() :
+                  storedVerificationCode.isValid(request.code()))
+          .orElse(false);
+
+      if (!codeVerified) {
        throw new ForbiddenException();
      }

-      storedVerificationCode.map(StoredVerificationCode::twilioVerificationSid)
+      maybeStoredVerificationCode.map(StoredVerificationCode::twilioVerificationSid)
          .ifPresent(
              verificationSid -> smsSender.reportVerificationSucceeded(verificationSid, userAgent, "changeNumber"));

--- a/service/src/test/java/org/whispersystems/textsecuregcm/controllers/AccountControllerTest.java
+++ b/service/src/test/java/org/whispersystems/textsecuregcm/controllers/AccountControllerTest.java
@ -1452,6 +1452,35 @@ class AccountControllerTest {
    assertThat(accountIdentityResponse.getPni()).isNotEqualTo(AuthHelper.VALID_PNI);
  }

+  @Test
+  void testChangePhoneNumberWithRegistrationService() throws Exception {
+    final String number = "+18005559876";
+    final String code = "987654";
+    final byte[] sessionId = "session".getBytes(StandardCharsets.UTF_8);
+
+    when(pendingAccountsManager.getCodeForNumber(number)).thenReturn(Optional.of(
+        new StoredVerificationCode(code, System.currentTimeMillis(), "push", null, sessionId)));
+
+    when(registrationServiceClient.checkVerificationCode(any(), any(), any()))
+        .thenReturn(CompletableFuture.completedFuture(true));
+
+    final AccountIdentityResponse accountIdentityResponse =
+        resources.getJerseyTest()
+            .target("/v1/accounts/number")
+            .request()
+            .header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_UUID, AuthHelper.VALID_PASSWORD))
+            .put(Entity.entity(new ChangePhoneNumberRequest(number, code, null, null, null, null, null),
+                MediaType.APPLICATION_JSON_TYPE), AccountIdentityResponse.class);
+
+    verify(registrationServiceClient).checkVerificationCode(sessionId, code, AccountController.REGISTRATION_RPC_TIMEOUT);
+
+    verify(changeNumberManager).changeNumber(eq(AuthHelper.VALID_ACCOUNT), eq(number), any(), any(), any(), any());
+
+    assertThat(accountIdentityResponse.getUuid()).isEqualTo(AuthHelper.VALID_UUID);
+    assertThat(accountIdentityResponse.getNumber()).isEqualTo(number);
+    assertThat(accountIdentityResponse.getPni()).isNotEqualTo(AuthHelper.VALID_PNI);
+  }
+
  @Test
  void testChangePhoneNumberImpossibleNumber() throws Exception {
    final String number = "This is not a real phone number";
@ -1544,6 +1573,32 @@ class AccountControllerTest {
    verify(changeNumberManager, never()).changeNumber(any(), any(), any(), any(), any(), any());
  }

+  @Test
+  void testChangePhoneNumberIncorrectCodeWithRegistrationService() throws Exception {
+    final String number = "+18005559876";
+    final String code = "987654";
+    final byte[] sessionId = "session-id".getBytes(StandardCharsets.UTF_8);
+
+    when(pendingAccountsManager.getCodeForNumber(number)).thenReturn(Optional.of(
+        new StoredVerificationCode(code, System.currentTimeMillis(), "push", null, sessionId)));
+
+    when(registrationServiceClient.checkVerificationCode(any(), any(), any()))
+        .thenReturn(CompletableFuture.completedFuture(false));
+
+    final Response response =
+        resources.getJerseyTest()
+            .target("/v1/accounts/number")
+            .request()
+            .header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_UUID, AuthHelper.VALID_PASSWORD))
+            .put(Entity.entity(new ChangePhoneNumberRequest(number, code, null, null, null, null, null),
+                MediaType.APPLICATION_JSON_TYPE));
+
+    verify(registrationServiceClient).checkVerificationCode(sessionId, code, AccountController.REGISTRATION_RPC_TIMEOUT);
+
+    assertThat(response.getStatus()).isEqualTo(403);
+    verify(changeNumberManager, never()).changeNumber(any(), any(), any(), any(), any(), any());
+  }
+
  @Test
  void testChangePhoneNumberExistingAccountReglockNotRequired() throws Exception {
    final String number = "+18005559876";