Allow customizable authorization code lengths #229

Open
dstaley opened this issue Jan 26, 2021 · 1 comment
dstaley (Contributor) commented Jan 26, 2021

Currently, emailed auth codes are 12 characters long. Source

It would be nice to be able to make these codes shorter, especially in instances where users might be typing these codes by hand into devices with limited input methods like TV apps and apps on feature phones.

For example, here are a few apps that use shorter codes:

Plex, 4 characters (alphanumeric)

Amazon Prime Video, 6 characters (alphanumeric)

Android TV, 6 characters (numeric)

Disney+, 8 characters (numeric)

Additionally, it might be nice to allow customizing the character set, so you could support fully numeric codes.

I'd be happy to open a PR adding one or both of these configuration properties.

stephank (Member) commented Apr 19, 2021

Sorry for the late response. I think this is a good idea, maybe something like:

auth_code_charset = "13456789abcdefghijkmnopqrstuwxyz"
auth_code_length = [6, 6]

I'm not sure what the best way is to do auth_code_length. It'd be nice to keep the grouping we currently have in some way, and also make it work for other configurations.

But I think we also need to motivate our defaults, and how they relate to session_ttl and rate limits to prevent brute forcing. The theory behind this is not really my strong suit, but the previous discussion is in #69. I don't believe we had rate limiting in place back then, so maybe we can even relax our defaults a bit.
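
Added example, not part of the thread or the project's code: a Python sketch of how code length and charset trade off against `session_ttl` and rate limits, using the charset and `[6, 6]` grouping proposed above. The rate limit (5 attempts per minute), the 15-minute TTL, the display separator, the 36-symbol alphanumeric set and all function names are assumptions made for illustration.

```python
import math
import secrets

# Charset and grouping taken from the proposal in the comment above.
CHARSET = "13456789abcdefghijkmnopqrstuwxyz"
GROUPS = [6, 6]


def generate_code(charset=CHARSET, groups=GROUPS, sep=" "):
    """Draw every character from the OS CSPRNG. `sep` is an assumed display separator."""
    if len(charset) < 2 or len(set(charset)) != len(charset):
        raise ValueError("charset needs at least 2 distinct characters")
    return sep.join("".join(secrets.choice(charset) for _ in range(n)) for n in groups)


def entropy_bits(charset, length):
    return length * math.log2(len(charset))


def guess_success_probability(charset, length, attempts_per_minute, ttl_seconds):
    """Chance one code is guessed before it expires, assuming the rate limit
    applies per code and the guesser never repeats a value."""
    guesses = attempts_per_minute * ttl_seconds // 60
    return min(1.0, guesses / len(charset) ** length)


def min_length(charset, attempts_per_minute, ttl_seconds, max_probability):
    """Shortest length that keeps the guess probability at or below the target."""
    length = 1
    while guess_success_probability(charset, length, attempts_per_minute, ttl_seconds) > max_probability:
        length += 1
    return length


if __name__ == "__main__":
    rate, ttl = 5, 900  # assumed: 5 attempts/minute, session_ttl of 15 minutes
    alnum = "0123456789abcdefghijklmnopqrstuvwxyz"  # assumed 36-symbol set
    cases = [("proposed 6+6", CHARSET, 12), ("4 alphanumeric", alnum, 4),
             ("6 numeric", "0123456789", 6), ("8 numeric", "0123456789", 8)]
    print("sample code:", generate_code())
    for name, cs, n in cases:
        p = guess_success_probability(cs, n, rate, ttl)
        print(f"{name:15} {entropy_bits(cs, n):5.1f} bits  P(guess)={p:.2e}")
    print("min numeric length for P <= 1e-6:", min_length("0123456789", rate, ttl, 1e-6))
```

The probability only holds if the rate limit cannot be bypassed by spreading guesses across many sessions or source addresses; without that, the code space alone has to carry the security margin.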
