feat(auth): add email-scoped report-only rate limits for passwordless OTP verify

vbudhram · vbudhram · commit 131c762ffebb · 2026-04-08T13:25:14.000-04:00
Because: * 6-digit OTP codes are vulnerable to distributed brute-force without email-scoped limits * We need production data on per-email verification volume before switching from report to block mode This commit: * Add passwordlessVerifyOtp email-scoped rule (10 per 10min, report) * Add passwordlessVerifyOtpPerDay email-scoped rule (20 per 24h, report) Closes #FXA-13331
diff --git a/packages/fxa-auth-server/config/rate-limit-rules.txt b/packages/fxa-auth-server/config/rate-limit-rules.txt
@@ -193,6 +193,8 @@ passwordlessSendOtp                    : ip               : 100         : 24 hou
 
 # Passwordless OTP Verification Limits
 passwordlessVerifyOtp                  : ip_email         : 5           : 10 minutes      : 15 minutes   : block
+passwordlessVerifyOtp                  : email            : 10          : 10 minutes      : 30 minutes   : report
 passwordlessVerifyOtp                  : ip               : 100         : 24 hours        : 15 minutes   : ban
 passwordlessVerifyOtpPerDay            : ip_email         : 10          : 24 hours        : 24 hours     : block
+passwordlessVerifyOtpPerDay            : email            : 20          : 24 hours        : 24 hours     : report
 passwordlessVerifyOtpPerDay            : ip               : 100         : 24 hours        : 15 minutes   : ban
