Recovery flow returns 403 CSRF error instead of 410 Gone when max submissions exceeded

### Preflight checklist

- [x] I could not find a solution in the existing issues, docs, nor discussions.
- [x] I agree to follow this project's [Code of Conduct](https://github.com/ory/kratos/blob/master/CODE_OF_CONDUCT.md).
- [x] I have read and am following this repository's [Contribution Guidelines](https://github.com/ory/kratos/blob/master/CONTRIBUTING.md).
- [ ] I have joined the [Ory Community Slack](https://slack.ory.sh).
- [ ] I am signed up to the [Ory Security Patch Newsletter](https://www.ory.sh/l/sign-up-newsletter).

### Ory Network Project

_No response_

### Describe the bug

The recovery flow with code strategy never reaches the max submissions check because the CSRF token becomes stale after failed code submissions. When users exceed the max submission limit (default 5), the 6th attempt fails with a 403 CSRF error instead of returning 410 Gone (as the verification flow does).

Root cause:
1. CSRF validation happens before the max submissions check in strategy_recovery.go:178
2. By the 6th attempt, the CSRF token is stale/invalid, causing CSRF validation to fail first
3. The max submissions check (which would return 400/410) never executes because CSRF fails earlier

### Reproducing the bug

1. Initiate a recovery flow with code strategy
2. Submit 5 incorrect recovery codes (attempts 1-5)
3. On the 6th attempt, submit another incorrect code
4. Observe the response

**Expected**: 410 Gone status with use_flow_id in the response (new flow created)
**Actual:**  403 Forbidden status with CSRF error message: "the request was rejected to protect you from Cross-Site-Request-Forgery"

**Code flow:**
**strategy_recovery.go:178** - CSRF check happens first
**strategy_recovery.go:197** - recoveryUseCode() is called (only if CSRF passes)
**strategy_recovery.go:344** - Max submissions check happens inside UseRecoveryCode()
Since CSRF fails at line 178, line 344 is never reached

### Relevant log output

```shell
[Log]
{
  error: "the request was rejected to protect you from Cross-Site-Request-Forgery"
}
```

### Relevant configuration

```yml
selfservice:
  methods:
    code:
      enabled: true
      config:
        passwordless_enabled: false
```

### Version

25.4.0

### On which operating system are you observing this issue?

None

### In which environment are you deploying?

None

### Additional Context

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Recovery flow returns 403 CSRF error instead of 410 Gone when max submissions exceeded #4510

Preflight checklist

Ory Network Project

Describe the bug

Reproducing the bug

Relevant log output

Relevant configuration

Version

On which operating system are you observing this issue?

In which environment are you deploying?

Additional Context

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Recovery flow returns 403 CSRF error instead of 410 Gone when max submissions exceeded #4510

Description

Preflight checklist

Ory Network Project

Describe the bug

Reproducing the bug

Relevant log output

Relevant configuration

Version

On which operating system are you observing this issue?

In which environment are you deploying?

Additional Context

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions