fix: check attempt count before OTP comparison to prevent bypass

Reject OTPs that have already reached max failed attempts before
comparing the code, closing a race window where a correct guess
could bypass brute-force protection.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/chat/[identifier]/otp/route.ts

@@ -311,6 +311,15 @@ export async function PUT(
 
     const { otp: storedOTP, attempts } = decodeOTPValue(storedValue)
 
+    if (attempts >= MAX_OTP_ATTEMPTS) {
+      await deleteOTP(email, deployment.id)
+      logger.warn(`[${requestId}] OTP already locked out for ${email}`)
+      return addCorsHeaders(
+        createErrorResponse('Too many failed attempts. Please request a new code.', 429),
+        request
+      )
+    }
+
     if (storedOTP !== otp) {
       const result = await incrementOTPAttempts(email, deployment.id, storedValue)
       if (result === 'locked') {