messagebird-nodejs

CRITICAL bug in your verify api

Open huckym opened this issue 2 years ago • 8 comments

Your api is validating an empty string as valid:

{
  verificationId: '4d1e1f430aeb4b6b9f3c51e3b92ad541',
  code: '',
  err: null,
  response: {
    id: '4d1e1f430aeb4b6b9f3c51e3b92ad541',
    href: 'https://rest.messagebird.com/verify/4d1e1f430aeb4b6b9f3c51e3b92ad541',
    recipient: <masked>,
    originator: <masked>,
    type: 'email',
    reference: null,
    messages: {
      href: 'https://rest.messagebird.com/verify/messages/email/5daf351594d440e2be63f80f9f9afe73',
      id: '5daf351594d440e2be63f80f9f9afe73'
    },
    status: 'sent',
    createdDatetime: '2023-05-29T10:43:48+00:00',
    validUntilDatetime: '2023-05-29T10:58:48+00:00'
  }
}

huckym avatar May 29 '23 10:05 huckym

using the latest client 4.0.1

huckym avatar May 29 '23 10:05 huckym

@huckym Thanks for opening this issue.

Could you share steps to reproduce this? I have a bit of a hard time understanding what you did based on just this snippet of JSON.

dennisvdvliet avatar Jun 02 '23 09:06 dennisvdvliet

Let me clarify. We use your node-js client, but we are not sure if it is related to just this client or the underlying API. Passing an empty string to your verify API should've returned a non-null err in the callback, but instead it is returning a null err and a valid response.

client.verify.verify(verificationId, code, (err: any, response: any) => {
  if (err) return reject(err)
  // console.log(response)
  return resolve(response)
})

huckym avatar Jun 02 '23 09:06 huckym

And code on this line client.verify.verify(verificationId, code, (err: any, response: any) => { is an empty string in your case?

dennisvdvliet avatar Jun 02 '23 09:06 dennisvdvliet

yes, that was the json object :)

huckym avatar Jun 02 '23 09:06 huckym

PS: sorry for being lazy with my quick report, but I hope it is clear now

huckym avatar Jun 02 '23 09:06 huckym

Clear to me now.

So what seems to happen is the following. If you make an API request to verify a token but you submit an empty token (token=), our API considers this a request to just view the verify message (same as a GET request) [1].

I confirmed that this has no side effects (the verify code can still be verified only with the correct token). But I will put something up for the internal team to put proper validation on this parameter. This would result in a more explicit error message to the client.

Thanks again for reporting.

[1] https://developers.messagebird.com/api/verify/#view-a-verify-object

dennisvdvliet avatar Jun 02 '23 10:06 dennisvdvliet

Thanks for explaining, and good to know this was specific to the empty token case. Yes, there is no (documented) distinction between this and a successful validation, so it definitely warrants a review. We're now checking for valid code length too.

huckym avatar Jun 02 '23 10:06 huckym
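
A client-side guard for the behaviour discussed in this thread, as an added example (not code from the thread or from the messagebird-nodejs client): it rejects malformed codes before any request is made and decides success from the returned object's status rather than from `err` being null. It assumes 6-digit numeric tokens and that `verified` is the status of a successfully verified object; `verifyStrict`, the helper names and the stub client are hypothetical, and the stub is constructed to mimic the reported response.

```javascript
// Assumption: tokens are 6 numeric digits; adjust to your token settings.
const TOKEN_PATTERN = /^[0-9]{6}$/;

// Reject anything that is not a well-formed token before any network call.
function isWellFormedToken(code) {
  return typeof code === 'string' && TOKEN_PATTERN.test(code);
}

// Decide success from the Verify object itself, not from `err === null`.
// Assumption: 'verified' is the only status that means the token matched.
function isVerified(err, response) {
  return !err && !!response && response.status === 'verified';
}

// Promise wrapper around client.verify.verify(id, token, callback).
function verifyStrict(client, verificationId, code) {
  return new Promise((resolve, reject) => {
    if (!isWellFormedToken(code)) {
      return reject(new Error('malformed verification code'));
    }
    client.verify.verify(verificationId, code, (err, response) => {
      if (err) return reject(err);
      if (!isVerified(err, response)) {
        const status = response ? response.status : 'none';
        return reject(new Error(`verification not completed (status: ${status})`));
      }
      return resolve(response);
    });
  });
}

// Constructed stub reproducing the behaviour reported in this thread:
// an empty token yields err === null and an object whose status is 'sent'.
const stubClient = {
  calls: 0,
  verify: {
    verify(id, token, cb) {
      stubClient.calls += 1;
      if (token === '') return cb(null, { id, status: 'sent' });
      if (token === '123456') return cb(null, { id, status: 'verified' });
      return cb(new Error('constructed: token does not match'), null);
    },
  },
};
```

With the original callback from the report, the stub's empty-token response would have been resolved as a success; here it fails both the format check and the status check.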