feat: MFA-4417 support configurable OTP length for phone factor#95
Draft
sebadoom wants to merge 1 commit into
Conversation
Make validateOtp accept an optional length (default 6, preserving existing behaviour) and thread an otpLength option from the public entry point through the transaction factory to the SMS auth and SMS enrollment strategies. TOTP and recovery codes keep their fixed lengths. Enables the classic Guardian widget to honour a tenant's configured phone OTP length.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary

Make the OTP length configurable for the phone factor (SMS/voice) instead of hardcoding it to 6; enables the classic Guardian widget to honour a tenant's configured phone OTP length.

Changes

- lib/utils/validations.js — validateOtp(otp, otpLength) now accepts an optional length. Defaults to 6 when omitted or non-numeric, so existing callers are unaffected. Exposes DEFAULT_OTP_LENGTH.
- lib/index.js — the public auth0GuardianJS(options) entry accepts options.otpLength, threaded into both start and resume.
- lib/transaction/factory.js + lib/transaction/index.js — carry otpLength into the transaction, applied only to the SMS auth and SMS enrollment strategies. TOTP/recovery codes keep their fixed lengths.
- lib/auth_strategies/{sms,otp}_auth_strategy.js and lib/enrollment_strategies/sms_enrollment_strategy.js — validate the OTP against the configured length.

Backwards compatibility

Purely additive. validateOtp(otp) and auth0GuardianJS({...}) called without a length behave exactly as before (length 6). No public signatures removed or reordered — only optional params added. Consumers opt in by passing otpLength; no coordination is required for existing integrations.

Testing

npm test (eslint + mocha): 245 passing (+9 new), covering the validation primitive with explicit/omitted lengths, SMS auth verify, and SMS enrollment confirm.

Notes

npm run build currently fails to minify (guardian-js.min.js) because socket.io-client@4.x ships ES6 that the pinned UglifyJS (webpack 1.x) cannot parse. This is a pre-existing issue (introduced when socket.io-client was bumped from v2 to v4), not caused by this change, but it must be resolved before publishing a standalone release. Tracking separately.