From 8db043a645bcaebae8b6a124f604c0574e178ce2 Mon Sep 17 00:00:00 2001
From: Graeme Robinson
Date: Wed, 22 Jan 2025 18:43:54 +0000
Subject: [PATCH 1/3] 10 incorrect pins lock debugger

Behaviour used to be when 11 incorrect pins were entered, the debugger would be locked. I assume was an off-by-one mistake and it was intended to be 10. This change causes teh debugger to become locked when an incorrect pin is entered 10 times.
---
 src/werkzeug/debug/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/werkzeug/debug/__init__.py b/src/werkzeug/debug/__init__.py
index 0c4cabd89..c25b34d44 100644
--- a/src/werkzeug/debug/__init__.py
+++ b/src/werkzeug/debug/__init__.py
@@ -487,7 +487,7 @@ def pin_auth(self, request: Request) -> Response:
 auth = True
 # If we failed too many times, then we're locked out.
- elif self._failed_pin_auth.value > 10:
+ elif self._failed_pin_auth.value >= 10:
 exhausted = True
 # Otherwise go through pin based authentication

From 85ffb8488d824f681a010e7a5c2e3b59679dd07e Mon Sep 17 00:00:00 2001
From: Graeme Robinson
Date: Thu, 23 Jan 2025 10:25:35 +0000
Subject: [PATCH 2/3] Reject debug cookie if pin exhausted

If the debugger was locked because too many failed authentications had occurred, it was still possible to authenticate using a cookie. This change rejects authentication even using a cookie when too many pin-based authentications have occurred.
---
 src/werkzeug/debug/__init__.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/werkzeug/debug/__init__.py b/src/werkzeug/debug/__init__.py
index c25b34d44..8c115ee38 100644
--- a/src/werkzeug/debug/__init__.py
+++ b/src/werkzeug/debug/__init__.py
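Review bot: The lockout threshold is still a bare `10` in the changed `elif`, and the comment right above it (`# If we failed too many times, then we're locked out.`) never says what "too many" is, which is how the off-by-one this patch corrects went unnoticed. Hoist it to a module-level constant, `_PIN_AUTH_MAX_FAILURES = 10`, and write the test as `elif self._failed_pin_auth.value >= _PIN_AUTH_MAX_FAILURES:`, so every site that consults the counter agrees on the number. The paths that increment and reset `_failed_pin_auth` are outside this hunk; it is worth confirming the counter saturates at the threshold rather than wrapping, since a wrap would silently unlock the debugger again. The enclosing pin_auth method starts and ends outside the hunk.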
@@ -438,6 +438,11 @@ def check_pin_trust(self, environ: WSGIEnvironment) -> bool | None:
 """
 if self.pin is None:
 return True
+
+ # If we failed too many times, then we're locked out.
+ if self._failed_pin_auth.value >= 10:
+ return False
+
 val = parse_cookie(environ).get(self.pin_cookie_name)
 if not val or "|" not in val:
 return False

From 7703c2b0f6f813d4e0180fecb4c4632a6955efc1 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci-lite[bot]" <117423508+pre-commit-ci-lite[bot]@users.noreply.github.com>
Date: Thu, 23 Jan 2025 10:46:37 +0000
Subject: [PATCH 3/3] [pre-commit.ci lite] apply automatic fixes
---
 src/werkzeug/debug/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/werkzeug/debug/__init__.py b/src/werkzeug/debug/__init__.py
index 8c115ee38..444424eb0 100644
--- a/src/werkzeug/debug/__init__.py
+++ b/src/werkzeug/debug/__init__.py
@@ -439,7 +439,7 @@ def check_pin_trust(self, environ: WSGIEnvironment) -> bool | None:
 if self.pin is None:
 return True
- # If we failed too many times, then we're locked out.
+ # If we failed too many times, then we're locked out.
 if self._failed_pin_auth.value >= 10:
 return False
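Review bot: The new guard rejects a cookie before even parsing it, so once the instance-wide `_failed_pin_auth` counter reaches 10 a developer who was already authenticated is evicted too — anyone who can reach the debugger and drive the counter up (presumably via failed `pin_auth` submissions, which are outside this hunk) can lock out the legitimate session. That is a reasonable trade for a debugger, but it should be written down; extend the comment to `# If we failed too many times, then we're locked out -- even a valid cookie is rejected until the counter is reset.` and confirm the reset path (not in this hunk) behaves as intended. The threshold `10` now appears both here and in pin_auth; a single module-level constant such as `_PIN_AUTH_MAX_FAILURES = 10` would keep the two checks from drifting. The docstring of check_pin_trust, whose closing `"""` is the first context line of this hunk, should also mention that the lockout makes it return `False` regardless of the cookie; the rest of the method continues outside the hunk.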