Feature Request: IP Based Ratelimits
mr-karan opened this issue · comments
Currently the `max_attempts` are limited to the `id` of an OTP. I'm not sure if this is exactly out of scope of OTPGateway, but does it make sense to include IP-based rate limits, especially since OTPGateway is meant to be a standalone server.
Sure, we could use NGINX/HAProxy or other proxies but that's one extra dependency for a perfectly standalone server app.
Thoughts? And if you think we can add this, I'd like to take it up.
Thanks!
`max_attempts` on the request `id` belongs to the OTP app's semantics. It's core business logic. IP (real? forwarded-for?), user-agent etc. would fall outside the purview of the app and is best orchestrated in a reverse proxy that's purpose built for things like that.
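
The "real? forwarded-for?" question from the reply above, as an added Go example (not OTPGateway code and not written by either participant): it resolves the address a per-IP limit would count against, reading `X-Forwarded-For` only when the direct peer is a trusted proxy. The function name `clientIP`, the proxy subnet and every address are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// clientIP picks the rate-limit key (hypothetical helper). X-Forwarded-For is
// read only when the direct peer is a trusted proxy; the chain is walked from
// the right and the first hop that is not a trusted proxy is the client.
func clientIP(remoteAddr, xff string, trusted []*net.IPNet) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port present
	}
	isTrusted := func(s string) bool {
		ip := net.ParseIP(s)
		for _, n := range trusted {
			if ip != nil && n.Contains(ip) {
				return true
			}
		}
		return false
	}
	if !isTrusted(host) {
		return host // header is fully client-controlled here, ignore it
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		h := strings.TrimSpace(hops[i])
		if net.ParseIP(h) == nil {
			break // empty or malformed entry: fall back to the peer
		}
		if !isTrusted(h) {
			return h
		}
	}
	return host
}

func main() {
	_, lb, _ := net.ParseCIDR("10.0.0.0/8") // constructed proxy subnet
	// The left-most entry was supplied by the client; the proxy appended the right one.
	fmt.Println(clientIP("10.0.0.2:4000", "1.2.3.4, 198.51.100.9", []*net.IPNet{lb}))
}
```

Keying a limit on the left-most header entry, or on the header at all when the app is reachable directly, lets a client choose a fresh key for every request.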