AshAuthentication.Strategy.RecoveryCode.VerifyAction
(ash_authentication v5.0.0-rc.5)
Copy Markdown
View Source
Implementation of the recovery code verify action.
Checks if a provided recovery code matches any of the user's stored hashed codes. On success, the matched code is deleted (single-use).
Uses two verification strategies depending on the hash provider:
- Deterministic (e.g. SHA-256): hashes the input once and performs an
atomic database filter+delete via
Ash.bulk_destroy. Inherently race-safe. - Non-deterministic (e.g. bcrypt): loads codes with
FOR UPDATElocking, iterates with constant-time padding, then deletes by ID.