Hey @jasonleow,
The auth routes:
- `/connect/*`
- `/auth/local`
- `/auth/local/register`
- `/auth/forgot-password`
- `/auth/reset-password`

have the policy `plugins::users-permissions.ratelimit` (you linked).
Looking at the config of koa2-ratelimit middleware:
- interval: Time Type - how long should records of requests be kept in memory. Defaults to `60000` (1 minute).
- …
- max: max number of connections during `interval` milliseconds before sending a `429` response code. Defaults to `5`. Set to `0` to disable.
It indeed is max 5 connections during the interval of 1 * 60 * 1000 = 60 seconds per IP per path.
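
A small model of the "per IP per path" behaviour described in the post above, as an added example that is not part of the original post and is not koa2-ratelimit or Strapi code. It assumes a fixed window that starts at a key's first request; `createLimiter`, `simulate` and the IP addresses are constructed for illustration.

```javascript
// Added illustration: in-memory model of "max 5 per 60 s per IP per path".
// Assumption: fixed window starting at the first request seen for a key.
const INTERVAL_MS = 1 * 60 * 1000; // interval quoted in the post
const MAX = 5;                     // max quoted in the post

function createLimiter(intervalMs = INTERVAL_MS, max = MAX) {
  const records = new Map(); // key -> { count, resetAt }
  // Returns the HTTP status the request would receive at time `now` (ms).
  return function check(ip, path, now) {
    if (max === 0) return 200; // "Set to 0 to disable"
    const key = `${path}:${ip}`; // one counter per path and IP
    let rec = records.get(key);
    if (!rec || now >= rec.resetAt) {
      // No record yet, or the previous window expired: start a new one.
      rec = { count: 0, resetAt: now + intervalMs };
      records.set(key, rec);
    }
    rec.count += 1;
    return rec.count > max ? 429 : 200;
  };
}

function simulate() {
  const check = createLimiter();
  const ip = '203.0.113.7'; // constructed sample address
  const sameKey = [];
  // Six requests, one second apart, from one IP to one path.
  for (let i = 0; i < 6; i++) sameKey.push(check(ip, '/auth/local', i * 1000));
  return {
    sameKey,
    // Same IP, different path: separate counter.
    otherPath: check(ip, '/auth/forgot-password', 6000),
    // Different IP, same path: separate counter.
    otherIp: check('203.0.113.8', '/auth/local', 6000),
    // Same key again once the 60 s window has elapsed.
    afterWindow: check(ip, '/auth/local', INTERVAL_MS),
  };
}

console.log(simulate());
```

Because the counter is keyed on path and IP together, the limit bounds requests per source address per route, not per account, which matters when reviewing brute-force protection on `/auth/local`.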