Merge pull request #3906 from appwrite/fix-phone-secret-hash

fix: hash phone auth code
2026-05-23 08:58:35 +00:00 · 2022-09-24 17:49:52 +03:00 · 2022-09-24 17:49:52 +03:00 · 80ce2b2464
commit 80ce2b2464
parent ef65503173 7abb426e3f
2 changed files with 3 additions and 3 deletions
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@ -938,7 +938,7 @@ App::post('/v1/account/sessions/phone')
            'userId' => $user->getId(),
            'userInternalId' => $user->getInternalId(),
            'type' => Auth::TOKEN_TYPE_PHONE,
-            'secret' => $secret,
+            'secret' => Auth::hash($secret),
            'expire' => $expire,
            'userAgent' => $request->getUserAgent('UNKNOWN'),
            'ip' => $request->getIP(),
@ -2266,7 +2266,7 @@ App::post('/v1/account/verification/phone')
            'userId' => $user->getId(),
            'userInternalId' => $user->getInternalId(),
            'type' => Auth::TOKEN_TYPE_PHONE,
-            'secret' => $secret,
+            'secret' => Auth::hash($secret),
            'expire' => $expire,
            'userAgent' => $request->getUserAgent('UNKNOWN'),
            'ip' => $request->getIP(),
--- a/src/Appwrite/Auth/Auth.php
+++ b/src/Appwrite/Auth/Auth.php
@ -336,7 +336,7 @@ class Auth
                $token->isSet('secret') &&
                $token->isSet('expire') &&
                $token->getAttribute('type') == Auth::TOKEN_TYPE_PHONE &&
-                $token->getAttribute('secret') === $secret &&
+                $token->getAttribute('secret') === self::hash($secret) &&
                DateTime::formatTz($token->getAttribute('expire')) >= DateTime::formatTz(DateTime::now())
            ) {
                return (string) $token->getId();