feat: MFA-4417/MFA-4751 read configurable phone OTP length from the transaction #96
Open
sebadoom wants to merge 2 commits into
…response

Source the configurable phone (SMS/voice) OTP length from the mfa-api transaction start-flow response (factor_settings.phone.otp_length, camelCased to factorSettings.phone.otpLength) instead of a caller-supplied constructor option. The length is threaded only into the SMS auth and SMS enrollment strategies; TOTP and recovery codes keep their fixed lengths.

- validateOtp(otp, otpLength) accepts an optional expected length and defaults to 6, so existing callers are unaffected. Exposes DEFAULT_OTP_LENGTH.
- The length is persisted in transaction.serialize() and restored by fromTransactionState, so resumed transactions validate the same length.
- When factor_settings is absent (older mfa-api, or the mfa_advanced_factor_config flag off), the strategies fall back to 6.

This is the v2 (mfa-api response channel) design from the RFD. Unlike the superseded host-page attribute approach, no host page (widget.ejs or a tenant custom MFA page) needs to change.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…n factory

Assert the configured phone OTP length is threaded into the SMS enrollment strategy (enrollmentStrategies.sms.confirm), not just the SMS auth strategy: a code of the wrong length is rejected and a correct one is accepted, mirroring the existing auth-strategy coverage.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary

Make the phone factor (SMS/voice) OTP length configurable instead of hardcoding it to 6, sourcing the length from the transaction start-flow response. The library self-sources the length from the transaction it already fetches — the hosting application passes nothing, and the public API (auth0GuardianJS(options)) is unchanged.

Changes

- lib/utils/validations.js — validateOtp(otp, otpLength) (an internal helper, not part of the public API) accepts an optional expected length, defaulting to 6 when omitted or non-numeric. Exposes DEFAULT_OTP_LENGTH.
- lib/transaction/factory.js — reads the length from the start-flow response at factorSettings.phone.otpLength and carries it into the transaction; restores it from serialized state in fromTransactionState.
- lib/transaction/index.js — applies the length only to the SMS auth and SMS enrollment strategies (TOTP and recovery codes keep their fixed lengths), and persists it in serialize() so resumed transactions validate the same length.
- lib/auth_strategies/{sms,otp}_auth_strategy.js and lib/enrollment_strategies/sms_enrollment_strategy.js — validate the OTP against the configured length.

Public API

No change. The package entry (auth0GuardianJS) takes no new option and exposes no new method; validateOtp is an internal helper not reachable from the public surface. The configured length flows in entirely from the mfa-api start-flow response, so the library never asks the embedder to provide it.

Backwards compatibility

Purely additive. When the start-flow response does not include factorSettings.phone.otpLength, the SMS strategies fall back to length 6 — existing behaviour is unchanged. validateOtp(otp) called without a length behaves exactly as before. No public signatures removed or reordered.

Testing

npm test (mocha): 244 passing (+8 new), covering the validation primitive with explicit/omitted lengths and a transaction-factory suite that asserts the length is threaded into the SMS strategies, falls back to 6 when absent, and survives a serialize/fromTransactionState round-trip.

Notes

npm run build currently fails to minify (guardian-js.min.js) because socket.io-client@4.x ships ES6 that the pinned UglifyJS (webpack 1.x) cannot parse. Pre-existing (introduced when socket.io-client was bumped v2→v4), not caused by this change, but must be resolved before publishing a standalone release. Tracking separately.
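The flow the PR describes (length read from the camelCased start-flow response, applied only to the SMS strategies, persisted across a serialize/restore round-trip, falling back to 6 when absent) as an added, self-contained example. This is not the library's own code: the names validateOtp, DEFAULT_OTP_LENGTH, serialize, fromTransactionState and factorSettings.phone.otpLength come from the PR description, while the transaction object shape, the helpers camelCaseKeys and phoneOtpLengthFromSettings, the MIN/MAX length bounds and the sample responses are assumptions made for this illustration.

```javascript
// Added example, not the library's own code. Transaction shape, camelCaseKeys,
// phoneOtpLengthFromSettings and the length bounds are assumptions for this demo.
'use strict';

const DEFAULT_OTP_LENGTH = 6;
const TOTP_LENGTH = 6; // TOTP keeps a fixed length; it is not configurable
// Assumed sanity bounds (not from the PR): a server-supplied length outside this
// range is treated as absent rather than accepted as-is.
const MIN_PHONE_OTP_LENGTH = 4;
const MAX_PHONE_OTP_LENGTH = 10;

// Validate a one-time code against an expected length; the length is optional
// and falls back to DEFAULT_OTP_LENGTH when omitted or non-numeric.
function validateOtp(otp, otpLength) {
  const length = Number.isInteger(otpLength) && otpLength > 0 ? otpLength : DEFAULT_OTP_LENGTH;
  if (typeof otp !== 'string') return false;
  return new RegExp('^[0-9]{' + length + '}$').test(otp);
}

// Recursively convert snake_case keys from the raw mfa-api JSON to camelCase,
// e.g. factor_settings.phone.otp_length -> factorSettings.phone.otpLength.
function camelCaseKeys(value) {
  if (Array.isArray(value)) return value.map(camelCaseKeys);
  if (value === null || typeof value !== 'object') return value;
  return Object.fromEntries(
    Object.entries(value).map(([key, v]) => [
      key.replace(/_([a-z0-9])/g, (_, c) => c.toUpperCase()),
      camelCaseKeys(v),
    ])
  );
}

// Pick the phone OTP length out of camelCased factor settings, falling back to
// the default when the settings block is absent (older mfa-api or flag off)
// or the value is not a plausible integer.
function phoneOtpLengthFromSettings(factorSettings) {
  const len = factorSettings && factorSettings.phone && factorSettings.phone.otpLength;
  if (!Number.isInteger(len) || len < MIN_PHONE_OTP_LENGTH || len > MAX_PHONE_OTP_LENGTH) {
    return DEFAULT_OTP_LENGTH;
  }
  return len;
}

// Build a transaction whose SMS strategies validate against the configured
// length while TOTP keeps its fixed length. Only OTP-length-related fields are modelled.
function buildTransaction(state) {
  const phoneOtpLength = Number.isInteger(state.phoneOtpLength)
    ? state.phoneOtpLength
    : DEFAULT_OTP_LENGTH;
  return {
    transactionToken: state.transactionToken,
    phoneOtpLength,
    smsAuth: { verify: (otp) => validateOtp(otp, phoneOtpLength) },
    smsEnrollment: { confirm: (otp) => validateOtp(otp, phoneOtpLength) },
    totpAuth: { verify: (otp) => validateOtp(otp, TOTP_LENGTH) },
    // Persist the length so a resumed transaction validates the same length.
    serialize: () => ({ transactionToken: state.transactionToken, phoneOtpLength }),
  };
}

// Entry point for a fresh transaction: camelCase the raw response, read the length.
function fromStartFlowResponse(rawResponse) {
  const response = camelCaseKeys(rawResponse);
  return buildTransaction({
    transactionToken: response.transactionToken,
    phoneOtpLength: phoneOtpLengthFromSettings(response.factorSettings),
  });
}

// Entry point for a resumed transaction: restore from what serialize() produced.
function fromTransactionState(state) {
  return buildTransaction(state);
}

// Constructed sample responses (not real mfa-api output).
const SAMPLE_RESPONSE_WITH_SETTINGS = {
  transaction_token: 'constructed-token',
  factor_settings: { phone: { otp_length: 8 } },
};
const SAMPLE_RESPONSE_LEGACY = { transaction_token: 'constructed-token' };
```

With SAMPLE_RESPONSE_WITH_SETTINGS, fromStartFlowResponse(...).smsAuth.verify('12345678') is true while the same transaction's totpAuth.verify('12345678') is false; with SAMPLE_RESPONSE_LEGACY the SMS strategies accept a six-digit code. The bounds check in phoneOtpLengthFromSettings is the one defensive addition beyond the PR's "omitted or non-numeric" rule: since the length arrives from the server response rather than from the embedder, a malformed value degrades to the default instead of being used to build a regular expression.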