Merge pull request #18971 from mozilla/bug-verifySession-rate-limit-config

dschom · web-flow · commit c209e30cf8ba · 2025-06-04T11:06:03.000-07:00
bug(auth): The rule for verifySessionCode should have been on uid
diff --git a/packages/fxa-auth-server/config/rate-limit-rules.txt b/packages/fxa-auth-server/config/rate-limit-rules.txt
@@ -68,7 +68,7 @@
   verifyRecoveryCode                    : ip                : 10            : 10 minutes        : 30 minutes
   verifyRecoveryCode                    : email             : 10            : 15 minutes        : 15 minutes
   verifySessionCode                     : ip                : 10            : 10 minutes        : 30 minutes
-  verifySessionCode                     : email             : 10            : 15 minutes        : 15 minutes
+  verifySessionCode                     : uid               : 10            : 15 minutes        : 15 minutes
 
 # Verify TOTP Code Limits
   verifyTotpCode                        : uid               : 10            : 30 seconds        : 15 minutes
