feat: increase entropy of OTPs generated by code strategy

Moving forward, OTPs generated by the code strategy will match pattern `[0-9a-zA-Z]{8}` instead of `[0-9]{6}`. This increases entropy and makes it easier to defend against reverse brute force attacks. See ory-corp/cloud#3724
ory · Dec 10, 2024 · 1a6bff3 · 1a6bff3
1 parent 8cbb5bd
commit 1a6bff3
Show file tree

Hide file tree

Showing 11 changed files with 521 additions and 158 deletions.
diff --git a/driver/config/config.go b/driver/config/config.go
@@ -184,6 +184,7 @@ const (
 	ViperKeyLinkLifespan                                     = "selfservice.methods.link.config.lifespan"
 	ViperKeyLinkBaseURL                                      = "selfservice.methods.link.config.base_url"
 	ViperKeyCodeLifespan                                     = "selfservice.methods.code.config.lifespan"
+	ViperKeyCodeShortLegacyCode                              = "selfservice.methods.code.config.legacy_short_code"
 	ViperKeyCodeConfigMissingCredentialFallbackEnabled       = "selfservice.methods.code.config.missing_credential_fallback_enabled"
 	ViperKeyPasswordHaveIBeenPwnedHost                       = "selfservice.methods.password.config.haveibeenpwned_host"
 	ViperKeyPasswordHaveIBeenPwnedEnabled                    = "selfservice.methods.password.config.haveibeenpwned_enabled"
@@ -1347,6 +1348,10 @@ func (p *Config) SelfServiceCodeMethodLifespan(ctx context.Context) time.Duratio
 	return p.GetProvider(ctx).DurationF(ViperKeyCodeLifespan, time.Hour)
 }
 
+func (p *Config) SelfServiceCodeMethodCodeShortLegacyCode(ctx context.Context) bool {
+	return p.GetProvider(ctx).BoolF(ViperKeyCodeShortLegacyCode, false)
+}
+
 func (p *Config) SelfServiceCodeMethodMissingCredentialFallbackEnabled(ctx context.Context) bool {
 	return p.GetProvider(ctx).Bool(ViperKeyCodeConfigMissingCredentialFallbackEnabled)
 }