Skip ratelimts for admin recovery code burns (#17766)

di · web-flow · commit f121046748f0 · 2025-03-12T18:20:17.000-04:00
diff --git a/tests/unit/admin/views/test_users.py b/tests/unit/admin/views/test_users.py
@@ -1477,12 +1477,15 @@ class TestUserBurnRecoveryCodes:
     def test_burns_recovery_codes(self, db_request, monkeypatch, user_service):
         user = UserFactory.create()
         codes = user_service.generate_recovery_codes(user.id)
+        user_service._check_ratelimits = pretend.call_recorder(
+            user_service._check_ratelimits
+        )
 
         # Burn one code in advance
         user.recovery_codes[0].burned = datetime.datetime.now(datetime.UTC)
 
         # Provide all the codes, plus one invalid code
-        db_request.POST["to_burn"] = f"{'\n'.join(codes)}\ninvalid"
+        db_request.POST["to_burn"] = "\n".join(codes) + "\ninvalid"
         db_request.route_path = pretend.call_recorder(lambda *a, **kw: "/foobar")
         db_request.session = pretend.stub(
             flash=pretend.call_recorder(lambda *a, **kw: None)
@@ -1501,6 +1504,7 @@ def test_burns_recovery_codes(self, db_request, monkeypatch, user_service):
         ]
         assert result.status_code == 303
         assert result.location == "/foobar"
+        assert user_service._check_ratelimits.calls == []
 
     def test_no_recovery_codes_provided(self, db_request, monkeypatch, user_service):
         user = UserFactory.create()
diff --git a/warehouse/accounts/services.py b/warehouse/accounts/services.py
@@ -606,13 +606,14 @@ def generate_recovery_codes(self, user_id):
 
         return recovery_codes
 
-    def check_recovery_code(self, user_id, code):
+    def check_recovery_code(self, user_id, code, skip_ratelimits=False):
         self._metrics.increment("warehouse.authentication.recovery_code.start")
 
-        self._check_ratelimits(
-            userid=user_id,
-            tags=["mechanism:check_recovery_code"],
-        )
+        if not skip_ratelimits:
+            self._check_ratelimits(
+                userid=user_id,
+                tags=["mechanism:check_recovery_code"],
+            )
 
         user = self.get_user(user_id)
         stored_recovery_code = self.get_recovery_code(user.id, code)
diff --git a/warehouse/admin/views/users.py b/warehouse/admin/views/users.py
@@ -619,7 +619,7 @@ def user_burn_recovery_codes(user, request):
 
         for code in codes:
             try:
-                user_service.check_recovery_code(user.id, code)
+                user_service.check_recovery_code(user.id, code, skip_ratelimits=True)
                 n_burned += 1
             except (BurnedRecoveryCode, InvalidRecoveryCode):
                 pass
