diff --git a/backend/app/routers/auth.py b/backend/app/routers/auth.py
index db3092a..531d8ce 100644
--- a/backend/app/routers/auth.py
+++ b/backend/app/routers/auth.py
@@ -424,6 +424,7 @@ async def change_password(
 await _record_failed_login(db, current_user)
 raise HTTPException(status_code=401, detail="Invalid current password")
+ _failed_attempts.pop(client_ip, None)
 current_user.password_hash = hash_password(data.new_password)
 await db.commit()
diff --git a/frontend/nginx.conf b/frontend/nginx.conf
index a7d1a28..9fe9c9e 100644
--- a/frontend/nginx.conf
+++ b/frontend/nginx.conf
@@ -46,6 +46,18 @@ server {
 proxy_set_header X-Forwarded-Proto $scheme;
 }
+ location /api/auth/totp-verify {
+ limit_req zone=auth_limit burst=5 nodelay;
+ limit_req_status 429;
+
+ proxy_pass http://backend:8000;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
 location /api/auth/change-password {
 limit_req zone=auth_limit burst=5 nodelay;
 limit_req_status 429;
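Review bot: The added `_failed_attempts.pop(client_ip, None)` resets a counter keyed by client address, while the failure path two lines above records the failure per user via `_record_failed_login(db, current_user)`; as written, one correct current-password check from an address clears whatever that address had accumulated against any account, and the per-user record is left untouched, so the two mechanisms drift apart. The reset also runs before `db.commit()`, so a failed commit leaves the counter cleared while the password is unchanged; moving the line after `await db.commit()` keeps the reset tied to a completed change. Where `client_ip` is derived is outside this hunk (change_password's signature and body start above line 424); if it is read from `X-Forwarded-For`, note that the nginx hunk in this same commit appends with `$proxy_add_x_forwarded_for`, so the backend should take the proxy-appended (last) entry or `X-Real-IP`, never the first value, or the counter can be reset or redirected by a client-chosen header. A short comment on the new line would make the intent explicit: `# Successful verification of the current password clears this address's lockout counter; the per-user failure record is handled separately.`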
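Review bot: The new `location /api/auth/totp-verify` block relies on the `auth_limit` zone alone for throttling, and the zone's key is defined outside this hunk; if it is keyed by client address (as the `$binary_remote_addr` style zones usually are), it bounds requests per address but not verification attempts per account, so the backend handler still needs its own per-account attempt limit and this block should not be read as sufficient on its own. A comment above the block stating that, e.g. `# Edge rate limit only; per-account TOTP attempt limiting is enforced in the backend handler.`, would keep the next maintainer from assuming otherwise. On style, the `proxy_pass`/`proxy_http_version`/four `proxy_set_header` lines are repeated verbatim from the location whose tail is visible at the top of the hunk and from `/api/auth/change-password` below it; moving them into a snippet pulled in with `include` (one `include proxy-backend.conf;` line per location) would leave each auth location carrying only its `limit_req` settings. Also consider whether `location = /api/auth/totp-verify` (exact match) is intended, since the prefix form also matches any longer URI starting with that path.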