fix: fix false positive for empty code

wpdebruin · elpete · web-flow · commit 342d35534088 · 2022-05-02T14:15:45.000-06:00
* fix false positive for empty code

* Update TOTP.cfc

Co-authored-by: Eric Peterson &lt;eric@elpete.com&gt;
diff --git a/models/TOTP.cfc b/models/TOTP.cfc
@@ -188,6 +188,12 @@ component singleton accessors="true" {
         numeric time = variables.instant.now().getEpochSecond(),
         numeric timePeriod = 30
     ) {
+        if ( arguments.digits <= 0 ) {
+            throw(
+                type = "totp.InvalidDigitAmount",
+                message = "You must generate a code with a positive amount of digits."
+            );
+        }
         var counter = floor( arguments.time / arguments.timePeriod );
         var hash = generateHash( arguments.secret, counter, arguments.algorithm );
         return getDigitsFromHash( hash, arguments.digits );
@@ -247,6 +253,10 @@ component singleton accessors="true" {
         required numeric counter,
         string algorithm = "SHA1"
     ) {
+        // code should have a minimal length. Empty strings should not generate exceptions but just return false
+        if ( !arguments.code.len() ) {
+            return false;
+        }
         var hash = generateHash( arguments.secret, arguments.counter, arguments.algorithm );
         return getDigitsFromHash( hash, arguments.code.len() ) == arguments.code;
     }
