[Bug]: Valid MFA recovery codes rejected by client-side validation #784

@lukasdebaum

Description

Describe the problem

Valid MFA recovery codes are never sent to the server. Instead, the browser shows “Please enter a valid recovery code.” and blocks submission.

Root cause: In the mfa_verify.html template, the recovery code input (id="recovery_code", name="mfa_code") has minlength="20", while the default configuration sets recovery codes to 10 characters ('recovery_code_length' => 10). The client-side (HTML/JS) validation deems 10-char codes too short and prevents the request from being submitted.

Steps to reproduce

  1. Enable MFA recovery codes with the default setting (recovery_code_length = 10)
  2. Enable MFA for a user (e.g., Authenticator App)
  3. Note down the generated MFA recovery codes
  4. Log in as that user
  5. Click “Use a recovery code.”
  6. Enter a valid, generated 10-character recovery code
  7. Submit the form
  8. The browser shows “Please enter a valid recovery code.”

Poweradmin version

4.0.1

Database

MySQL

Additional information (optional)

No response
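As an added example (not Poweradmin's code, and not part of the report above), the following PHP shows the pattern the root-cause note points at: derive the input's `minlength`/`maxlength` from the same `recovery_code_length` setting the server uses instead of hard-coding them, and keep server-side verification as the authority regardless of what the browser accepted. It assumes a plain config array and recovery codes stored as `password_hash()` digests; the function names, the `id`/`name` attributes reused from the report, and the sample codes are constructed for illustration.

```php
<?php
// Added example only; not Poweradmin's template or verification code.
// Assumptions: config is a plain array with 'recovery_code_length', and unused
// recovery codes are stored as password_hash() digests (constructed below).

declare(strict_types=1);

/**
 * Render the recovery-code input with client-side constraints taken from the
 * configured code length, so the browser can never reject a code the server
 * would accept. Client-side validation is a usability aid, not a security check.
 */
function renderRecoveryCodeInput(array $config): string
{
    $len = (int) ($config['recovery_code_length'] ?? 10);
    $esc = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return sprintf(
        '<input type="text" id="recovery_code" name="mfa_code" '
        . 'autocomplete="one-time-code" required minlength="%d" maxlength="%d" title="%s">',
        $len,
        $len,
        $esc(sprintf('Enter your %d-character recovery code', $len))
    );
}

/** Normalize what the user typed: trim, drop whitespace/dashes, upper-case. */
function normalizeRecoveryCode(string $raw): string
{
    return strtoupper(preg_replace('/[\s-]+/', '', trim($raw)) ?? '');
}

/**
 * Server-side verification, the authoritative check.
 * $storedHashes is a list of password_hash() digests of not-yet-used codes.
 * Returns the index of the matching code so the caller can mark it consumed,
 * or null when the code is the wrong length or matches nothing.
 */
function verifyRecoveryCode(string $raw, array $storedHashes, array $config): ?int
{
    $len  = (int) ($config['recovery_code_length'] ?? 10);
    $code = normalizeRecoveryCode($raw);

    if (strlen($code) !== $len) {
        return null; // length mismatch: reject before doing any hash work
    }

    $match = null;
    foreach ($storedHashes as $i => $hash) {
        // Check every stored hash rather than returning early, so response time
        // does not reveal which position (if any) matched.
        if (password_verify($code, $hash) && $match === null) {
            $match = $i;
        }
    }

    return $match;
}

// Demo with constructed data, using the default length of 10 from the report.
$config = ['recovery_code_length' => 10];
$codes  = ['ABCDE12345', 'ZYXWV98765']; // constructed sample codes
$hashes = array_map(static fn(string $c): string => password_hash($c, PASSWORD_DEFAULT), $codes);

echo renderRecoveryCodeInput($config), PHP_EOL;
var_dump(verifyRecoveryCode('abcde-12345', $hashes, $config)); // normalized, matches index 0
var_dump(verifyRecoveryCode('ZYXWV98765', $hashes, $config));  // matches index 1
var_dump(verifyRecoveryCode('ABCDE1234', $hashes, $config));   // nine characters: rejected
```

With this arrangement a change to `recovery_code_length` updates the template and the server check together, which is the mismatch the report describes. Recovery codes should still be single-use: the returned index exists so the caller can delete or flag the consumed hash.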

Metadata

Labels

auth (Authentication), ui (User Interface)
