From 8e01bcac7c1a8db7de1bb334bc7d972a357d99d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Garc=C3=ADa?=
Date: Wed, 29 Oct 2025 21:30:12 +0100
Subject: [PATCH] Don't delete token when tracking attempts
---
 src/api/core/two_factor/protected_actions.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/api/core/two_factor/protected_actions.rs b/src/api/core/two_factor/protected_actions.rs
index 04c273ef..800a6cf4 100644
--- a/src/api/core/two_factor/protected_actions.rs
+++ b/src/api/core/two_factor/protected_actions.rs
@@ -126,9 +126,9 @@ pub async fn validate_protected_action_otp(
 pa_data.add_attempt();
 pa.data = pa_data.to_json();
- // Delete the token after x attempts if it has been used too many times
+ // Fail after x attempts if the token has been used too many times.
+ // Don't delete it, as we use it to keep track of attempts.
 if pa_data.attempts >= CONFIG.email_attempts_limit() {
- pa.delete(conn).await?;
 err!("Token has expired")
 }
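Review bot: With `pa.delete(conn).await?` removed, the early `err!("Token has expired")` in `validate_protected_action_otp` returns before any save that is visible in this hunk, so the cap only keeps holding if the incremented `pa.data` is persisted somewhere, or if the stored count already sits one below `email_attempts_limit()`. The function body starts and continues outside the hunk, so please confirm where `pa` is saved relative to this check. The new comment should also say what resets the counter, for example `// Attempts are reset only when a new token is issued (confirm); that path needs its own rate limit.`, because a reset path without a limit of its own would make the attempt cap ineffective, and that path is not shown here. Since the branch now fires while the token still exists, `err!("Too many attempts, request a new token")` would describe the condition more accurately, provided no client matches on the current text.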