2FA recovery codes are rejected by form validation

Summary

The form validation (at least an HTML pattern attribute, potentially also JS or other validation) on the 2nd factor login page (https://gitlab.com/users/sign_in) rejects recovery codes. To log into an account using 2FA with a recovery code I had to disable JS and manually edit the page HTML to remove the pattern and inputmode attributes on the code field (input#user_otp_attempt).

Steps to reproduce

  1. Enable 2FA
  2. Check you have your recovery codes
  3. Log out
  4. Start the login flow (enter username/pass and proceed to the second stage).
  5. Enter a recovery code into the field where you would normally enter the 6-digit code from your authenticator.

What is the current bug behavior?

Input of recovery code is rejected client-side.

What is the expected correct behavior?

Input of recovery code should be accepted.

Output of checks

This bug happens on GitLab.com

Possible fixes

Remove the pattern attribute from the input#user_otp_attempt in the 2nd factor form page, or create a more sophisticated validator.

Edited by Hugo Vincent
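
A sketch of the "more sophisticated validator" suggested under Possible fixes, as an added example that is not part of the original report and not GitLab's code. The recovery-code format (16 hex characters) and all function names are assumptions; the 6-digit authenticator format is from the report.

```javascript
// Added example; formats below are assumptions unless noted.
const TOTP_RE = '[0-9]{6}';            // 6-digit authenticator code (from the report)
const RECOVERY_RE = '[0-9a-fA-F]{16}'; // ASSUMPTION: 16 hex chars; adjust to the real format

// Value for the field's pattern attribute: accept either kind of code.
function otpPattern() {
  return `${TOTP_RE}|${RECOVERY_RE}`;
}

// Emulates how a browser applies a pattern attribute: the expression is
// implicitly anchored as ^(?:pattern)$ and the value is NOT trimmed.
function matchesPatternAttribute(pattern, value) {
  return new RegExp(`^(?:${pattern})$`).test(value);
}

// Classify the input for UI hints only (error text, keyboard type).
// Trims pasted whitespace first. The server stays the authority on
// whether a code is actually valid; this check is usability, not security.
function classifySecondFactor(raw) {
  const value = String(raw).trim();
  if (matchesPatternAttribute(TOTP_RE, value)) return 'totp';
  if (matchesPatternAttribute(RECOVERY_RE, value)) return 'recovery';
  return 'invalid';
}

// Constructed sample inputs (not real codes).
const samples = ['123456', '0123456789abcdef', ' 0123456789abcdef ', '1234567', 'not-a-code'];
for (const s of samples) {
  console.log(
    JSON.stringify(s),
    'digits-only pattern:', matchesPatternAttribute(TOTP_RE, s),
    'combined pattern:', matchesPatternAttribute(otpPattern(), s),
    'classified as:', classifySecondFactor(s)
  );
}
```

A digits-only pattern is what blocks the recovery code in this sketch; the combined pattern accepts both kinds while still rejecting malformed input. A field that also accepts recovery codes needs an inputmode that allows letters, which matches the report's need to remove that attribute as well.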