How to implement IP based rate-limit in Credentials provider (or any other)

[Baterka]

I have trouble with implementing IP rate limitation for Credentials provider (https://next-auth.js.org/providers/credentials). It is applicable to any other provider also.

I cannot find a way to retrieve the Request object in authorize method to implement such a system.

My app is getting a ton of false attempts even I am using ReCAPTCHA so I want to mitigate this with an IP-based rate limiter.

[balazsorban44]

I think you should implement this at a higher level, not in next-auth. Your entire application could be hosted somewhere that blocks/rates certain IPs from bombarding it.