Requirement - If a user is rate-limited due to using incorrect credentials and user resets/changes password, the rate limit for the user needs to be reset.
Is there a way to get the cache key or clear the rate limit for this user?
That is definitely a challenge with account lockout-style ratelimiting. This is actually the motivation for providing the is_ratelimited method: so that more control is possible. It might be a better UX to be logged in after the password reset, or to use a captcha or other “soft” blocking mechanism with a “username” key that doesn’t produce a DOS vector.
I do think adding reset functionality is a useful feature, independently, because it helps give developers more tools to build custom logic. In this specific case, there may be options that are preferable for other reasons.
As I understand, the is_ratelimited method tells you whether the user is ratelimited or not. What we are looking for is a way to unblock the same user from being rate-limited on the next attempt.
Change of user password could log you in, because you have to be logged in to change your password. But, reset of user password allowing the user to be logged in is not what we are looking for.
This could be one of the scenarios for removing a rate-limit on the user. I am not sure if there could be other scenarios for removing a ratelimit on the user; there could be a case where a genuine user is ratelimited and they reach out to customer support to unblock themselves.
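As an added illustration (not django-ratelimit's code and not the `is_ratelimited` API the maintainer refers to), here is a minimal model of the two ideas in this thread: a username-keyed counter that only triggers a soft block (captcha), so it cannot be used to lock a victim out of their account, an IP-keyed hard block, and a reset hook that the password reset/change flow (or a support tool) calls to clear the username-keyed counter. The cache is a constructed in-memory dict standing in for Django's cache backend; all names and limits are assumptions.

```python
import time
from typing import Optional

# Constructed in-memory stand-in for the cache backend (assumption, not django-ratelimit's storage).
_cache: dict = {}

WINDOW = 600      # seconds a failure counter lives
USER_LIMIT = 5    # failures per username before a captcha is demanded (soft block)
IP_LIMIT = 50     # failures per source IP before the login is refused (hard block)


def _key(scope: str, value: str) -> str:
    # Separate keys per scope so a password reset can target only the username counter.
    return f"login-fail:{scope}:{value.lower()}"


def _count(key: str, now: float) -> int:
    count, expires = _cache.get(key, (0, 0.0))
    return count if expires > now else 0


def record_failure(username: str, ip: str, now: Optional[float] = None) -> None:
    """Increment both counters after a failed credential check."""
    now = time.time() if now is None else now
    for key in (_key("user", username), _key("ip", ip)):
        count = _count(key, now)
        # Keep the original expiry so the window is fixed rather than sliding.
        expires = _cache[key][1] if count else now + WINDOW
        _cache[key] = (count + 1, expires)


def login_policy(username: str, ip: str, now: Optional[float] = None) -> str:
    """Return 'allow', 'captcha' (soft block on the username key) or 'block' (hard block on the IP key)."""
    now = time.time() if now is None else now
    if _count(_key("ip", ip), now) >= IP_LIMIT:
        return "block"
    if _count(_key("user", username), now) >= USER_LIMIT:
        return "captcha"
    return "allow"


def reset_user_ratelimit(username: str) -> bool:
    """Clear the username-keyed counter; call this from the password reset/change flow.

    The IP-keyed counter is deliberately left alone, so a victim resetting their
    password never weakens the hard block on whoever caused the failures.
    """
    return _cache.pop(_key("user", username), None) is not None
```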