Be more tolerant of user input for auth codes #518
Conversation
dd32
added
enhancement
TOTP
| <input type="tel" name="two-factor-totp-authcode" id="two-factor-totp-authcode" class="input" value="" size="20" pattern="[0-9]*" /> | ||
| <?php | ||
| /* translators: Example auth code. */ | ||
| $placeholder = sprintf( __( 'eg. %s', 'two-factor' ), '123456' ); |
There was a problem hiding this comment.
| $placeholder = sprintf( __( 'eg. %s', 'two-factor' ), '123456' ); | |
| $placeholder = sprintf( __( 'eg. %s', 'two-factor' ), '123 456' ); |
There was a problem hiding this comment.
I've taken a slightly different approach, which I'd like your review on @iandunn.
Instead of treating it like a string number, or groups of two digits, I've instead increased the width between all the characters, which both makes it easier to read, and due to the increased space, "feels like" (to me) that there's less of a requirement for spaces on the input (as it's auto-spaced).
Adding a space between the chunks like this is still possible, and ends up like this:
| Current | with extra space | user input |
|---|---|---|
 |
 |
 (no user-input spaces) |
There was a problem hiding this comment.
🤔 , I like this better than e.g., 123 456. I lean towards 123 456 being best, though. IMO blocks of numbers like in auth codes have two problems:
- they're hard to read because the numbers all run together
- they're hard to remember because the sequence is too long
Adding extra (uniform) space between each letter solves 1, but not 2. Grouping the numbers into small blocks like 123 456 solves both problems IMO.
I don't feel strongly, though. I think 1 2 3 4 5 6 is an improvement on the current situation 👍🏻
…ch show the authcode as '123 456'.
…d, they should be compared as presented (within reason) not with alterations made to the value.
…match the others, this updates the unit test.
…de do not pass, and that spaces/leading/trailing whitespace is acceptable.
…iately without a code.
…he digits with letter spacing applied.
…unction to provide the sanitization.
…() and Two_Factor_Provider::get_code().
…r Authcode inputs, add a Javascript handler to enforce numeric-only inputs.
dd32
force-pushed
the
fix/user-tolerant-input
branch
from
95e82f9 to
3ed9089
Compare
|
FWIW, GitHub itself uses
|
I've always been partial to the Stripe UI (and similar ones) that use dedicated boxes. Those that use this format however are less flexible of singular input boxes that just "accept a two factor challenge response" (ie. TOTP/Backup/Email/SMS/etc code)
|
…uto-insert a space mid-way through.
No longer needed as of two-factor v0.8.0. See WordPress/two-factor#518
Currently the TOTP (and backup codes / email codes, but that's less relevant) user input is tollerant of leading/trailing spaces, but doesn't accept TOTP codes that are entered how most apps display them:
123 456.This PR does several things:
123 456)sanitize_text_field()and usesREQUEST&wp_unslash()consistently between the providers.sanitize_text_field()has been removed as it strips characters from the provided code.. which shouldn't really be needed.. as invalid input is an invalid code.Examples using TOTP, the others are similar just with
78affixed.After Feedback from Ian:
(Spaces in input highlighted)
[0-9 ]*)are stripped and do not "enter" into the field,
avoiding the "does not match expected format" error.
Notably, it doesn't handle invalid input (non-numeric/space) well. But at least now the "Match the format requested" is more obvious based on the placeholder value presented.