From b6584cdc3bbb674871eea69da36778d70f9eb308 Mon Sep 17 00:00:00 2001
From: maliming <malimings@gmail.com>
Date: Fri, 24 Apr 2026 12:06:43 +0800
Subject: [PATCH] address copilot review: narrow catch to ConcurrencyFailure;
 doc CodeLength range

---
 .../Abp/Identity/AspNetCore/AbpTwoFactorTokenProvider.cs   | 7 +++++--
 .../AspNetCore/AbpTwoFactorTokenProviderOptions.cs         | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/modules/identity/src/Volo.Abp.Identity.AspNetCore/Volo/Abp/Identity/AspNetCore/AbpTwoFactorTokenProvider.cs b/modules/identity/src/Volo.Abp.Identity.AspNetCore/Volo/Abp/Identity/AspNetCore/AbpTwoFactorTokenProvider.cs
index f4a596c433..c0cd005890 100644
--- a/modules/identity/src/Volo.Abp.Identity.AspNetCore/Volo/Abp/Identity/AspNetCore/AbpTwoFactorTokenProvider.cs
+++ b/modules/identity/src/Volo.Abp.Identity.AspNetCore/Volo/Abp/Identity/AspNetCore/AbpTwoFactorTokenProvider.cs
@@ -1,5 +1,6 @@
 using System;
 using System.Globalization;
+using System.Linq;
 using System.Security.Cryptography;
 using System.Text;
 using System.Threading.Tasks;
@@ -125,12 +126,14 @@ public abstract class AbpTwoFactorTokenProvider : IUserTwoFactorTokenProvider<Id
         }
 
         // Translate ConcurrencyStamp failure (another request won the consume race) to false,
-        // so legitimate concurrent verification doesn't surface as a 500.
+        // so legitimate concurrent verification doesn't surface as a 500. Other persistence
+        // failures propagate so operators can see real errors.
         try
         {
             await RemoveStoredTokenAsync(manager, user, tokenName);
         }
-        catch (AbpIdentityResultException)
+        catch (AbpIdentityResultException ex) when (
+            ex.IdentityResult.Errors.Any(e => e.Code == nameof(IdentityErrorDescriber.ConcurrencyFailure)))
         {
             return false;
         }
diff --git a/modules/identity/src/Volo.Abp.Identity.AspNetCore/Volo/Abp/Identity/AspNetCore/AbpTwoFactorTokenProviderOptions.cs b/modules/identity/src/Volo.Abp.Identity.AspNetCore/Volo/Abp/Identity/AspNetCore/AbpTwoFactorTokenProviderOptions.cs
index 6cda812195..973d677091 100644
--- a/modules/identity/src/Volo.Abp.Identity.AspNetCore/Volo/Abp/Identity/AspNetCore/AbpTwoFactorTokenProviderOptions.cs
+++ b/modules/identity/src/Volo.Abp.Identity.AspNetCore/Volo/Abp/Identity/AspNetCore/AbpTwoFactorTokenProviderOptions.cs
@@ -7,6 +7,6 @@ public abstract class AbpTwoFactorTokenProviderOptions
     /// <summary>Default: 3 minutes.</summary>
     public TimeSpan TokenLifespan { get; set; } = TimeSpan.FromMinutes(3);
 
-    /// <summary>Default: 6.</summary>
+    /// <summary>Default: 6. Valid range: 1 to 9 (inclusive).</summary>
     public int CodeLength { get; set; } = 6;
 }