According to the docs (https://developers.yubico.com/yubikey-val/Validation_Protocol_V2.0.html), a 200 response is returned under multiple conditions, including if the Id is incorrect but present, as well as other conditions. This leads to a situation where, if a parameter is missing, such as when inputting an incorrect value for the API id, the bot responds that it has invalidated the OTP because the response was 200, but in fact the status is MISSING_PARAMETER instead.
This should match the response text on "status=OK" instead and probably handle the other response statuses as well, especially those that the user controls.
From the docs:
| name | meaning |
|---|---|
| OK | The OTP is valid. |
| BAD_OTP | The OTP is invalid format. |
| REPLAYED_OTP | The OTP has already been seen by the service. |
| BAD_SIGNATURE | The HMAC signature verification failed. |
| MISSING_PARAMETER | The request lacks a parameter. |
| NO_SUCH_CLIENT | The request id does not exist. |
| OPERATION_NOT_ALLOWED | The request id is not allowed to verify OTPs. |
| BACKEND_ERROR | Unexpected error in our server. Please contact us if you see this error. |
| NOT_ENOUGH_ANSWERS | Server could not get requested number of syncs during before timeout |
| REPLAYED_REQUEST | Server has seen the OTP/Nonce combination before |