Merged PR 49098: [internal/release/2.3] Add empty string check for recovery code

# Add empty string check for recovery code

If an empty string gets passed as the recovery code to `UserStoreBase.RedeemCodeAsync(TUser user, string code, CancellationToken ct)`, the method returns `true`, incorrectly indicating a valid recovery code. This PR resolves the issue by validating that the `code` argument is not an empty string.

## Description

The `RedeemCodeAsync()` method already validates that `code` is non-null. This PR:
* Extends the logic in this method to handle the empty string (`""`) case
* Adds tests validating that an exception gets thrown when `code` is `null` or `""`

----
#### AI description  (iteration 1)
#### PR Classification
Bug fix

#### PR Summary
This pull request adds a check for empty recovery codes to prevent invalid inputs.
- `src/Identity/Extensions.Stores/src/UserStoreBase.cs`: Added a check to throw an `ArgumentException` if the recovery code is an empty string.
- `src/Identity/EntityFrameworkCore/test/EF.Test/UserStoreTest.cs`: Added tests to ensure `RedeemCodeAsync` throws appropriate exceptions for null and empty recovery codes.
<!-- GitOpsUserAgent=GitOps.Apps.Server.pullrequestcopilot -->

----
#### AI description  (iteration 1)
#### PR Classification
Bug fix

#### PR Summary
This pull request adds a check for empty recovery codes to prevent invalid inputs.
- `src/Identity/Extensions.Stores/src/UserStoreBase.cs`: Added a check to throw an `ArgumentException` if the recovery code is an empty string.
- `src/Identity/EntityFrameworkCore/test/EF.Test/UserStoreTest.cs`: Added tests to ensure `RedeemCodeAsync` throws appropriate exceptions for null and empty recovery codes.

Author: Mackinnon Buck

eng/PatchConfig.props

@@ -20,6 +20,7 @@ Later on, this will be checked using this condition:
   </PropertyGroup>
   <PropertyGroup Condition=" '$(VersionPrefix)' == '2.3.2' ">
     <PackagesInPatch>
+      Microsoft.Extensions.Identity.Stores;
     </PackagesInPatch>
   </PropertyGroup>
 </Project>

src/Identity/EntityFrameworkCore/test/EF.Test/UserStoreTest.cs

@@ -165,6 +165,9 @@ await Assert.ThrowsAsync<ArgumentNullException>("user",
             await Assert.ThrowsAsync<ArgumentNullException>("user", async () => await store.GetTwoFactorEnabledAsync(null));
             await Assert.ThrowsAsync<ArgumentNullException>("user",
                 async () => await store.SetTwoFactorEnabledAsync(null, true));
+            await Assert.ThrowsAsync<ArgumentNullException>("user", async () => await store.RedeemCodeAsync(user: null, code: "fake", default));
+            await Assert.ThrowsAsync<ArgumentNullException>("code", async () => await store.RedeemCodeAsync(new IdentityUser("fake"), code: null, default));
+            await Assert.ThrowsAsync<ArgumentException>("code", async () => await store.RedeemCodeAsync(new IdentityUser("fake"), code: "", default));
             await Assert.ThrowsAsync<ArgumentNullException>("user", async () => await store.GetAccessFailedCountAsync(null));
             await Assert.ThrowsAsync<ArgumentNullException>("user", async () => await store.GetLockoutEnabledAsync(null));
             await Assert.ThrowsAsync<ArgumentNullException>("user", async () => await store.SetLockoutEnabledAsync(null, false));

src/Identity/Extensions.Stores/src/UserStoreBase.cs

@@ -1060,6 +1060,10 @@ public virtual async Task<bool> RedeemCodeAsync(TUser user, string code, Cancell
             {
                 throw new ArgumentNullException(nameof(code));
             }
+            if (code.Length == 0)
+            {
+                throw new ArgumentException("Must not be null or empty", nameof(code));
+            }
 
             var mergedCodes = await GetTokenAsync(user, InternalLoginProvider, RecoveryCodeTokenName, cancellationToken) ?? "";
             var splitCodes = mergedCodes.Split(';');