From 8de1915e31d080a6e2a9bf1ff6532600cce758ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Garc=C3=ADa?=
 <dani-garcia@users.noreply.github.com>
Date: Wed, 17 Sep 2025 19:57:33 +0200
Subject: [PATCH] Match usage on two factor

---
 src/api/core/two_factor/protected_actions.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/api/core/two_factor/protected_actions.rs b/src/api/core/two_factor/protected_actions.rs
index 0278ab9b..04ab08f5 100644
--- a/src/api/core/two_factor/protected_actions.rs
+++ b/src/api/core/two_factor/protected_actions.rs
@@ -127,7 +127,7 @@ pub async fn validate_protected_action_otp(
     pa.data = pa_data.to_json();
 
     // Delete the token after x attempts if it has been used too many times
-    if pa_data.attempts > CONFIG.email_attempts_limit() {
+    if pa_data.attempts >= CONFIG.email_attempts_limit() {
         pa.delete(conn).await?;
         err!("Token has expired")
     }