address copilot review: narrow catch to ConcurrencyFailure; doc CodeLength range

modules/identity/src/Volo.Abp.Identity.AspNetCore/Volo/Abp/Identity/AspNetCore/AbpTwoFactorTokenProvider.cs

@@ -1,5 +1,6 @@
 using System;
 using System.Globalization;
+using System.Linq;
 using System.Security.Cryptography;
 using System.Text;
 using System.Threading.Tasks;
@@ -125,12 +126,14 @@ public abstract class AbpTwoFactorTokenProvider : IUserTwoFactorTokenProvider<Id
         }
 
         // Translate ConcurrencyStamp failure (another request won the consume race) to false,
-        // so legitimate concurrent verification doesn't surface as a 500.
+        // so legitimate concurrent verification doesn't surface as a 500. Other persistence
+        // failures propagate so operators can see real errors.
         try
         {
             await RemoveStoredTokenAsync(manager, user, tokenName);
         }
-        catch (AbpIdentityResultException)
+        catch (AbpIdentityResultException ex) when (
+            ex.IdentityResult.Errors.Any(e => e.Code == nameof(IdentityErrorDescriber.ConcurrencyFailure)))
         {
             return false;
         }

modules/identity/src/Volo.Abp.Identity.AspNetCore/Volo/Abp/Identity/AspNetCore/AbpTwoFactorTokenProviderOptions.cs

@@ -7,6 +7,6 @@ public abstract class AbpTwoFactorTokenProviderOptions
     /// <summary>Default: 3 minutes.</summary>
     public TimeSpan TokenLifespan { get; set; } = TimeSpan.FromMinutes(3);
 
-    /// <summary>Default: 6.</summary>
+    /// <summary>Default: 6. Valid range: 1 to 9 (inclusive).</summary>
     public int CodeLength { get; set; } = 6;
 }