check debugger timeout consistently (#3020)

davidism · web-flow · commit 5dceab4c2a39 · 2025-11-26T17:15:43.000-08:00
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -5,6 +5,8 @@ Version 3.1.4
 
 Unreleased
 
+-   The debugger pin fails after 10 attempts instead of 11. :pr:`3020`
+
 
 Version 3.1.3
 -------------
diff --git a/src/werkzeug/debug/__init__.py b/src/werkzeug/debug/__init__.py
@@ -441,6 +441,11 @@ def check_pin_trust(self, environ: WSGIEnvironment) -> bool | None:
         """
         if self.pin is None:
             return True
+
+        # If we failed too many times, then we're locked out.
+        if self._failed_pin_auth.value >= 10:
+            return False
+
         val = parse_cookie(environ).get(self.pin_cookie_name)
         if not val or "|" not in val:
             return False
@@ -490,7 +495,7 @@ def pin_auth(self, request: Request) -> Response:
             auth = True
 
         # If we failed too many times, then we're locked out.
-        elif self._failed_pin_auth.value > 10:
+        elif self._failed_pin_auth.value >= 10:
             exhausted = True
 
         # Otherwise go through pin based authentication
