silverstripe / silverstripe-mfa

MultiFactor Authentication for Silverstripe CMS
BSD 3-Clause "New" or "Revised" License

Recovery codes have 'space' characters, form doesn't accept it #435

Closed brynwhyman closed 2 years ago

brynwhyman commented 3 years ago

Overview

MFA recovery codes are provided with space characters in the .txt file. However, the recovery code form does not accept spaces and will alert the user that the code is invalid when pasted directly.

The user needs to remove the spaces, but there's no guidance to know that this is the case.

HeyImPhil commented 2 years ago

From what I can see, this only affects the user if they manually copy directly from the register screen, as both the Download and Copy codes buttons correctly output without the spaces.

Potential options could be:

  1. Add copy on the registration or verify pages that no spaces should be included.
  2. Remove spaces from the recovery codes on the registration page and print document. (will affect appearance)
  3. Remove the white space during the verification of the recovery code.

I am happy to create a PR if someone has a preference or a better solution.

michalkleiner commented 2 years ago

Option 3 is the most 'standard user'-proof since spaces are not valid characters in those anyway (right?), so we can possibly just run it via [a-zA-Z0-9] regex or something along those lines.

GuySartorelli commented 2 years ago

Fixed by #463
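
Option 3 from the thread, as an added example that is not the code merged in #463 and not part of the silverstripe-mfa code base: whitespace is stripped before verification, anything outside `[a-zA-Z0-9]` is rejected, and a matched code is consumed. The function names, the sample codes, and the assumption that codes are stored as `password_hash()` hashes are hypothetical.

```php
<?php
// Added illustration; function names and sample codes are hypothetical.

/** Strip whitespace a user may paste; return null if anything else is unexpected. */
function normaliseRecoveryCode(string $input): ?string
{
    // \p{Z} also covers non-breaking and other Unicode spaces copied from HTML.
    $code = preg_replace('/[\s\p{Z}]+/u', '', $input);
    if ($code === null || !preg_match('/\A[a-zA-Z0-9]+\z/', $code)) {
        return null; // invalid UTF-8, empty, or non-alphanumeric characters
    }
    return $code;
}

/**
 * Check a submitted code against stored hashes and consume it on success.
 * $hashes is passed by reference so a used code cannot be replayed.
 */
function verifyRecoveryCode(string $input, array &$hashes): bool
{
    $code = normaliseRecoveryCode($input);
    if ($code === null) {
        return false;
    }
    foreach ($hashes as $i => $hash) {
        if (password_verify($code, $hash)) {
            unset($hashes[$i]); // single use
            return true;
        }
    }
    return false;
}

// Constructed sample data: two codes, stored only as hashes (an assumption).
$stored = array_map(
    fn (string $c): string => password_hash($c, PASSWORD_DEFAULT),
    ['abcd1234efgh', 'ijkl5678mnop']
);

var_dump(verifyRecoveryCode("abcd 1234\u{00A0}efgh\n", $stored)); // pasted with spaces
var_dump(verifyRecoveryCode('abcd1234efgh', $stored));            // same code again
var_dump(verifyRecoveryCode('ijkl-5678-mnop', $stored));          // non-space separators
```

Only whitespace is removed; other unexpected characters cause a rejection rather than being silently dropped, so the set of inputs that map to a valid code stays narrow.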