From bff9880d6319745524a892e148a91170092b927a Mon Sep 17 00:00:00 2001
From: Sam Saffron
Date: Tue, 21 Jan 2020 15:32:06 +1100
Subject: [PATCH] DEV: increase the length of backup codes
16 ^ 8 though not tiny but is a workable search space in the event of breach, 16 ^ 16 is not.
---
 app/models/concerns/second_factor_manager.rb | 2 +-
 spec/requests/users_controller_spec.rb | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/app/models/concerns/second_factor_manager.rb b/app/models/concerns/second_factor_manager.rb
index b8362cae735..3db84af886f 100644
--- a/app/models/concerns/second_factor_manager.rb
+++ b/app/models/concerns/second_factor_manager.rb
@@ -191,7 +191,7 @@ module SecondFactorManager
 def generate_backup_codes
 codes = []
 10.times do
- codes << SecureRandom.hex(8)
+ codes << SecureRandom.hex(16)
 end
 codes_json = codes.map do |code|
diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb
index 6fa59dc9d79..e061734c751 100644
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -3548,7 +3548,8 @@ describe UsersController do
 response_body = JSON.parse(response.body)
- expect(response_body['backup_codes'].length).to be(10)
+ # we use SecureRandom.hex(16) for backup codes, ensure this continues to be the case
+ expect(response_body['backup_codes'].map(&:length)).to eq([32] * 10)
 end
 end
 end
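Review bot: The new `SecureRandom.hex(16)` leaves the code size as a bare literal that the spec hunk in this same commit re-derives by hand as `[32] * 10`, so the two can silently drift; hoisting it to a named constant such as `BACKUP_CODE_BYTES = 16` and building the list as `codes = Array.new(10) { SecureRandom.hex(BACKUP_CODE_BYTES) }` replaces the `codes = []` / `10.times` accumulation with the idiomatic form and gives the spec something to reference instead of a restated number. A why-comment is also worth adding here, because the commit message's arithmetic does not match the code: `hex(8)` already yielded 16 hex digits (2^64 values) and `hex(16)` yields 32 (2^128), so something like `# 16 random bytes (32 hex chars): wide enough that leaked code hashes cannot be brute-forced offline` records the actual intent. generate_backup_codes continues past the hunk, so how the codes are hashed and stored is outside this view.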
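Review bot: The new assertion pins only the length of each code, while the comment above it says the intent is to guarantee `SecureRandom.hex(16)` keeps being used; adding a format check makes that explicit and would catch, for example, a switch to a base64 encoding of the same length: `expect(response_body['backup_codes']).to all(match(/\A\h{32}\z/))`. The enclosing `it` block starts outside the hunk, so the request that produced `response` is not visible here.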