Merge pull request #19526 from mozilla/FXA-12471

dschom · web-flow · commit cb2860a56ee8 · 2025-09-30T11:46:04.000-07:00
bug(settings): Fix rate-limit rule on mfa verify code
diff --git a/packages/fxa-auth-server/config/rate-limit-rules.txt b/packages/fxa-auth-server/config/rate-limit-rules.txt
@@ -144,10 +144,11 @@ recoveryPhoneSendSigninCode           : ip                : 100         : 24 hou
 # the counts that effect 2FA activity.
 #
 mfaOtpCodeRequestForEmail              : uid              : 10          : 5 minutes       : 15 minutes   : block
-mfaVerifyOtpCodeForEmail               : uid              : 5           : 5 minutes       : 15 minutes   : block
 mfaOtpCodeRequestFor2fa                : uid              : 10          : 5 minutes       : 15 minutes   : block
-mfaVerifyOtpCodeFor2fa                 : uid              : 5           : 5 minutes       : 15 minutes   : block
 mfaOtpCodeRequestForPassword           : uid              : 10          : 5 minutes       : 15 minutes   : block
-mfaVerifyOtpCodeForPassword            : uid              : 5           : 5 minutes       : 15 minutes   : block
 mfaOtpCodeRequestForRecoveryKey        : uid              : 10          : 5 minutes       : 15 minutes   : block
-mfaVerifyOtpCodeForRecoveryKey         : uid              : 5           : 5 minutes       : 15 minutes   : block
+# Verify Code rate limits
+mfaOtpCodeVerifyForEmail               : uid              : 5           : 5 minutes       : 15 minutes   : block
+mfaOtpCodeVerifyFor2fa                 : uid              : 5           : 5 minutes       : 15 minutes   : block
+mfaOtpCodeVerifyForPassword            : uid              : 5           : 5 minutes       : 15 minutes   : block
+mfaOtpCodeVerifyForRecoveryKey         : uid              : 5           : 5 minutes       : 15 minutes   : block
