Update recovery code generation #40723
Conversation
ghost
added
the
HaoK
requested review from
GrabYourPitchforks,
Tratcher,
wtgodbe,
sebastienros and
adityamandaleeka
| { | ||
| // We don't want to use any confusing characters like 0/O 1/I/L/l | ||
| // Taken from windows valid product key source | ||
| const string AllowedChars = "23456789BCDFGHJKMNPQRTVWXY"; |
There was a problem hiding this comment.
I understand some confusing chars were removed, in OC we also use them as lower-case which I find even more explicit. But I have the feeling upper case is more standard.
| { | ||
| // We don't want to use any confusing characters like 0/O 1/I/L/l | ||
| // Taken from windows valid product key source | ||
| const string AllowedChars = "23456789BCDFGHJKMNPQRTVWXY"; |
There was a problem hiding this comment.
There was a problem hiding this comment.
Yeah but that looks gross if I have to do it like this
private static byte[] LookupTable => new byte[] {
(byte)'0', (byte)'1', (byte)'2', (byte)'3', (byte)'4',
(byte)'5', (byte)'6', (byte)'7', (byte)'8', (byte)'9',
(byte)'A', (byte)'B', (byte)'C', (byte)'D', (byte)'E',
(byte)'F',
};
There was a problem hiding this comment.
Also I am wondering if a char[] is better than a string
private static readonly char[] AllowedChars = "23456789BCDFGHJKMNPQRTVWXY".ToCharArray();
There was a problem hiding this comment.
Perf doesn't care about gross ;) But it was just FYI, I don't think it matters here
There was a problem hiding this comment.
Yeah, totally agree that the lookup table could be faster, but yeah this is done generally only on user creation, so readability is more important. That said CharArray change seems fine though, do you want me to make that?
There was a problem hiding this comment.
I'd prefer personally the char array, more common for the usage. And also as a private static field in that case.
| @@ -2276,7 +2277,59 @@ public virtual string GenerateNewAuthenticatorKey() | |||
| /// </summary> | |||
| /// <returns></returns> | |||
| protected virtual string CreateTwoFactorRecoveryCode() | |||
| => Guid.NewGuid().ToString().Substring(0, 8); | |||
| { | |||
| var recoveryCode = new StringBuilder(11); | |||
There was a problem hiding this comment.
Since it's a fixed-length string, maybe we could use char[] instead of StringBuilder?
There was a problem hiding this comment.
Since the goal is to generate a string, in that case it wouldn't matter much, SB is allocating an array internally and then generates a single string out of it.
|
Hi @Rand-Random. It looks like you just commented on a closed PR. The team will most probably miss it. If you'd like to bring something important up to their attention, consider filing a new issue and add enough details to build context. |
Per @GrabYourPitchforks request
New format is now 5 by 5 and looks something like:
4KPMY-NK9NKValid characters are taken from the set that windows product key uses, and the implementation is copied from https://source.dot.net/#System.Security.Cryptography/System/Security/Cryptography/RandomNumberGenerator.cs,100 but modified for our specific usage (we unfortunately can't just use RNG since identity also targets non netcoreapp)