Make SMS auth codes expire after 10 minutes #2480

modules/member/lang/en.php

@@ -87,6 +87,7 @@ $lang->verify_by_sms_confirm = 'Confirm';
 $lang->verify_by_sms_message = 'Your verification code is %s.';
 $lang->verify_by_sms_code_sent = 'A verification code has been sent to the number you entered.';
 $lang->verify_by_sms_code_incorrect = 'The code you entered is incorrect.';
+$lang->verify_by_sms_code_expired = 'The code has expired. Please try again.';
 $lang->verify_by_sms_code_confirmed = 'Your phone number has been confirmed.';
 $lang->verify_by_sms_incomplete = 'Your phone number has not been verified. Please go through the verification process first.';
 $lang->verify_by_sms_error = 'This website cannot send SMS.';

modules/member/lang/ko.php

@@ -87,6 +87,7 @@ $lang->verify_by_sms_confirm = '인증번호 확인';
 $lang->verify_by_sms_message = '인증번호는 %s입니다.';
 $lang->verify_by_sms_code_sent = '인증번호가 SMS로 발송되었습니다.';
 $lang->verify_by_sms_code_incorrect = '인증번호가 올바르지 않습니다.';
+$lang->verify_by_sms_code_expired = '인증번호의 유효기간이 만료되었습니다. 다시 인증해 주세요.';
 $lang->verify_by_sms_code_confirmed = '인증이 완료되었습니다.';
 $lang->verify_by_sms_incomplete = '전화번호가 인증되지 않았습니다. 인증 과정을 거쳐 주십시오.';
 $lang->verify_by_sms_error = 'SMS를 발송할 수 없습니다.';

modules/member/member.controller.php

@@ -3776,6 +3776,7 @@ class MemberController extends Member
 			'country' => $phone_country,
 			'number' => $phone_number,
 			'code' => $is_special ? intval($config->special_phone_code) : $code,
+			'time' => time(),
 			'status' => false,
 		);
 
@@ -3829,6 +3830,11 @@ class MemberController extends Member
 			throw new Rhymix\Framework\Exception('verify_by_sms_code_incorrect');
 		}
 
+		if (isset($_SESSION['verify_by_sms']['time']) && $_SESSION['verify_by_sms']['time'] < time() - 600)
+		{
+			throw new Rhymix\Framework\Exception('verify_by_sms_code_expired');
+		}
+
 		$_SESSION['verify_by_sms']['status'] = true;
 		return new BaseObject(0, 'verify_by_sms_code_confirmed');
 	}