knadh / otpgateway

Standalone server for user address and OTP verification flows with pluggable providers (e-mail, SMS, bank penny drops etc.)


Feature Request: IP Based Ratelimits

mr-karan opened this issue

Currently the max_attempts are limited to the id of an OTP. I'm not sure if this is exactly out of scope of OTPGateway, but does it make sense to include IP-based rate limits, especially since OTPGateway is meant to be a standalone server?

Sure, we could use NGINX/HAProxy or other proxies but that's one extra dependency for a perfectly standalone server app.

Thoughts? And if you think we can add this, I'd like to take it up.

Thanks!

max_attempts on the request id belongs to the OTP app's semantics. It's core business logic. IP (real? forwarded-for?), user-agent etc. would fall outside the purview of the app and are best orchestrated in a reverse proxy that's purpose built for things like that.
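As an added illustration of the reverse-proxy approach the reply points to (this is not part of the issue or of the otpgateway project): an NGINX front end that applies a per-IP request limit to the OTP endpoints while leaving the app's per-ID max_attempts untouched. The upstream address 127.0.0.1:9000, the trusted proxy range 10.0.0.0/8 and the /api/otp/ path prefix are assumptions for the example.

```nginx
# Added example, not otpgateway's own configuration. Assumes otpgateway
# listens on 127.0.0.1:9000 and that only proxies in 10.0.0.0/8 sit in
# front of this NGINX instance (both values are placeholders).
http {
    # Key the bucket on the client address NGINX actually sees, after the
    # realip module has substituted the trusted forwarded address (below).
    # Keying on the raw X-Forwarded-For header would let a client pick its
    # own bucket, because that header is client-supplied.
    limit_req_zone $binary_remote_addr zone=otp_per_ip:10m rate=10r/m;

    server {
        listen 80;

        # Trust X-Forwarded-For only when the TCP peer is a known proxy;
        # for direct connections $remote_addr stays the real peer address.
        set_real_ip_from  10.0.0.0/8;
        real_ip_header    X-Forwarded-For;
        real_ip_recursive on;

        # OTP generation and verification API (assumed path prefix).
        location /api/otp/ {
            limit_req zone=otp_per_ip burst=5 nodelay;
            limit_req_status 429;
            limit_req_log_level warn;

            proxy_pass http://127.0.0.1:9000;
            proxy_set_header Host            $host;
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # Everything else (static assets, hosted verification pages) is
        # proxied without the per-IP limit.
        location / {
            proxy_pass http://127.0.0.1:9000;
            proxy_set_header Host            $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

The two controls are complementary: max_attempts bounds guesses against one OTP id inside the app, while the proxy limit bounds how many OTP requests a single source can trigger at all.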