Can you find the bug in this piece of php code?

Hey there!

I was doing a bit of bug-hunting in an old project of mine when I found an interesting bug. Can you find it?

If you know your security or PHP this might be quite easy for you. Otherwise, it might be a good exercise.

!! Don't look at the comments to prevent spoilers if you want to solve it by yourself !!

This is the request you would make to the server:

curl --location --request POST 'https://super.secure-api.com/check-pin' \    --header 'Content-Type: application/json' \    --header 'Authorization: Bearer <token>' \    --data-raw '{      "pin": <you_answer>    }'

And this is the code for that given endpoint (/check-pin)

if(params['pin'] != $user->getPin()) {  throw new HttpException(403, "The pin is incorrect");}return "The pin is correct!";

PD: This is just a demo, not real code. You should never check passwords/pins/secrets like this.

What input would you need to pass as pin to be able to bypass the check?

I will release a post in a couple of days explaining the bug in detail and how to fix it.