feat: Limit number of check code attempts to 5

Author: 86667

src/infrastructure/config.rs

@@ -25,6 +25,11 @@ pub struct EnvConfig {
     pub max_sms_verifications_per_year: u32,
     #[serde(default)]
     pub sms_verifications_limit_whitelist: Vec<PhoneNumber>,
+    /// Maximum number of code validation attempts per verification session.
+    /// Prelude seems to fail silently after 5 failures regardless of how its configured.
+    /// We count attempts here to guard against this.
+    #[serde(default = "default_max_sms_validation_attempts")]
+    pub max_sms_validation_attempts: u32,
     #[serde(default = "default_lightning_verification_price_sat")]
     pub lightning_invoice_price_sat: u64,
     #[serde(default = "default_lightning_verification_expiry_seconds")]
@@ -49,6 +54,10 @@ fn default_max_sms_verifications_per_year() -> u32 {
     4
 }
 
+fn default_max_sms_validation_attempts() -> u32 {
+    5
+}
+
 fn default_lightning_verification_expiry_seconds() -> u64 {
     60 * 10
 }
@@ -93,6 +102,7 @@ impl EnvConfig {
             max_sms_verifications_per_week: 2,
             max_sms_verifications_per_year: 4,
             sms_verifications_limit_whitelist: vec![],
+            max_sms_validation_attempts: 3,
             allow_cors: true,
             lightning_invoice_price_sat: 1000,
             lightning_invoice_expiry_seconds: 60 * 10,

src/infrastructure/sql/migrations/m20260120_add_validation_attempts.rs

@@ -0,0 +1,26 @@
+use async_trait::async_trait;
+use sea_query::{ColumnDef, PostgresQueryBuilder, Table};
+use sqlx::Transaction;
+
+use crate::infrastructure::sql::MigrationTrait;
+
+pub struct M20260120AddValidationAttempts;
+
+#[async_trait]
+impl MigrationTrait for M20260120AddValidationAttempts {
+    async fn up(&self, tx: &mut Transaction<'static, sqlx::Postgres>) -> anyhow::Result<()> {
+        let statement = Table::alter()
+            .table("sms_verifications")
+            .add_column(ColumnDef::new("attempts").integer().not_null().default(0))
+            .to_owned();
+
+        let query = statement.build(PostgresQueryBuilder);
+        sqlx::query(&query).execute(&mut **tx).await?;
+
+        Ok(())
+    }
+
+    fn name(&self) -> &str {
+        "m20260120_add_validation_attempts"
+    }
+}

src/infrastructure/sql/migrations/mod.rs

@@ -1,2 +1,3 @@
 pub mod m20251201_create_sms_verifications;
 pub mod m20251216_create_ln_verification;
+pub mod m20260120_add_validation_attempts;

src/infrastructure/sql/migrator.rs

@@ -7,6 +7,7 @@ use crate::infrastructure::sql::{
     migrations::{
         m20251201_create_sms_verifications::M20251201CreateSmsVerifications,
         m20251216_create_ln_verification::M20251216CreateLnVerification,
+        m20260120_add_validation_attempts::M20260120AddValidationAttempts,
     },
 };
 
@@ -31,6 +32,7 @@ impl<'a> Migrator<'a> {
         vec![
             Box::new(M20251201CreateSmsVerifications),
             Box::new(M20251216CreateLnVerification),
+            Box::new(M20260120AddValidationAttempts),
         ]
     }
 

src/sms_verification/app_state.rs

@@ -23,6 +23,7 @@ impl AppState {
             homeserver_admin_api.clone(),
             config.max_sms_verifications_per_week,
             config.max_sms_verifications_per_year,
+            config.max_sms_validation_attempts,
             config.sms_verifications_limit_whitelist.clone(),
         );
         Self {

src/sms_verification/error.rs

@@ -18,6 +18,9 @@ pub enum SmsVerificationError {
     #[error("No active verification session for phone number")]
     NoActiveVerification,
 
+    #[error("Too many incorrect code attempts. Please request a new verification code.")]
+    MaxValidationAttemptsExceeded,
+
     #[error("Invalid phone number format. Must be in E.164 format (e.g., +30123456789)")]
     InvalidPhoneNumber,
 

src/sms_verification/http.rs

@@ -78,6 +78,7 @@ impl IntoResponse for SmsVerificationError {
             SmsVerificationError::Blocked => StatusCode::FORBIDDEN,
             SmsVerificationError::WeeklyLimitExceeded => StatusCode::TOO_MANY_REQUESTS,
             SmsVerificationError::AnnualLimitExceeded => StatusCode::TOO_MANY_REQUESTS,
+            SmsVerificationError::MaxValidationAttemptsExceeded => StatusCode::TOO_MANY_REQUESTS,
             SmsVerificationError::NoActiveVerification => StatusCode::UNPROCESSABLE_ENTITY,
             SmsVerificationError::InvalidPhoneNumber => StatusCode::UNPROCESSABLE_ENTITY,
             SmsVerificationError::RateLimited { retry_after } => {

src/sms_verification/repository.rs

@@ -38,6 +38,7 @@ pub struct SmsVerificationEntity {
     pub signup_code: Option<String>,
     pub status: VerificationStatus,
     pub failure_reason: Option<String>,
+    pub attempts: i32,
 }
 
 #[derive(Clone, Debug)]
@@ -211,6 +212,29 @@ impl SmsVerificationRepository {
         }
     }
 
+    /// Increment attempts for the active session and return the new count.
+    pub async fn increment_attempts(
+        executor: &mut UnifiedExecutor<'_>,
+        phone_number_hash: &str,
+    ) -> Result<i32, DbError> {
+        let update_statement = Query::update()
+            .table("sms_verifications")
+            .value("attempts", Expr::col("attempts").add(1))
+            .and_where(Expr::col("phone_number_hash").eq(phone_number_hash))
+            .and_where(Expr::col("status").eq(VerificationStatus::Pending.as_str()))
+            .returning(Query::returning().column("attempts"))
+            .to_owned();
+
+        let (query, values) = update_statement.build_sqlx(PostgresQueryBuilder);
+        let row = sqlx::query_with(&query, values)
+            .fetch_one(executor.get_con().await?)
+            .await
+            .map_err(DbError::from)?;
+
+        let attempts: i32 = row.try_get("attempts").map_err(DbError::from)?;
+        Ok(attempts)
+    }
+
     /// Verify an SMS by setting finalised_at, status, and signup_code
     pub async fn mark_verified(
         executor: &mut UnifiedExecutor<'_>,
@@ -317,6 +341,7 @@ impl SmsVerificationRepository {
                 "signup_code",
                 "status",
                 "failure_reason",
+                "attempts",
             ])
             .from("sms_verifications")
             .and_where(Expr::col("phone_number_hash").eq(hashed_phone.as_str()))
@@ -345,6 +370,7 @@ impl SmsVerificationRepository {
                 "signup_code",
                 "status",
                 "failure_reason",
+                "attempts",
             ])
             .from("sms_verifications")
             .and_where(Expr::col("prelude_id").eq(prelude_id))

src/sms_verification/service.rs

@@ -18,6 +18,7 @@ pub struct SmsVerificationService {
     hasher_argon2id: HasherArgon2id,
     max_verifications_per_week: u32,
     max_verifications_per_year: u32,
+    max_validation_attempts: u32,
     limit_whitelist: Vec<PhoneNumber>,
 }
 
@@ -27,6 +28,7 @@ impl SmsVerificationService {
         homeserver_admin_api: HomeserverAdminAPI,
         max_verifications_per_week: u32,
         max_verifications_per_year: u32,
+        max_validation_attempts: u32,
         limit_whitelist: Vec<PhoneNumber>,
     ) -> Self {
         if !limit_whitelist.is_empty() {
@@ -39,6 +41,7 @@ impl SmsVerificationService {
             hasher_argon2id: HasherArgon2id::new(),
             max_verifications_per_week,
             max_verifications_per_year,
+            max_validation_attempts,
             limit_whitelist,
         }
     }
@@ -166,6 +169,23 @@ impl SmsVerificationService {
             .await
             .map_err(|_| SmsVerificationError::NoActiveVerification)?;
 
+        let attempts =
+            SmsVerificationRepository::increment_attempts(&mut executor, &phone_number_hash)
+                .await?;
+        if attempts > self.max_validation_attempts as i32 {
+            // Mark as failed since they've exceeded the limit
+            if let Err(e) = SmsVerificationRepository::mark_all_pending_verification_as_failed(
+                &mut executor,
+                &phone_number_hash,
+                "max_validation_attempts_exceeded",
+            )
+            .await
+            {
+                tracing::error!("{}", e);
+            }
+            return Err(SmsVerificationError::MaxValidationAttemptsExceeded);
+        }
+
         let prelude_response = self
             .prelude_api
             .check_code(&request.phone_number, &request.code)
@@ -197,7 +217,7 @@ impl SmsVerificationService {
                 })
             }
             PreludeCheckCodeResponse::Failure { .. } => {
-                // Wrong code - don't mark as failed, allow retries
+                // Wrong code - don't mark as failed, allow retries (up to max_validation_attempts)
                 Ok(ValidateCodeResponse::Invalid)
             }
             PreludeCheckCodeResponse::ExpiredOrNotFound { .. } => {