abersheeran / asgi-ratelimit

A ASGI Middleware to rate limit
Apache License 2.0

Zero rating behaviour in MemoryBackend, blocking abusive clients as part of rate limiting #56

Closed boamaod closed 2 years ago

boamaod commented 2 years ago

During some experimenting with settings it appeared that creating a Rule(hour=0, group="blocked", zone="sensitive_api") did not block the client immediately, but allowed accessing the zone once before the block took hold. This seems to be because of how MemoryBackend is implemented, presuming that the minimum limit amount is 1 and, after setting the new limit counter for the client, postponing the validity check to the next round of access. This makes limits 0 and 1 equivalent in practice.

Setting a zero rate seems to be supported in the implementation of RedisBackend though. If I am correct about the differences in implementations, I suppose unifying the behaviour would make sense?

In a broader perspective, permanently blocking users might not be part of rate limiting, which is all about 429 and not so much about 401 or 403. However, in some cases it is not meaningful to consider blocking independently from rate limiting, duplicating an extra layer of URL patterns and zones, especially if there is no separate authentication mechanism in place and blocking happens in the scope of ensuring sanity of API exploitation, for example blocking because of repeatedly failing to conform to limits, concurrently exceeding multiple limits, spamming with repeated or malformed content, etc.

I think that besides the 0=1 issue above, zero rating works as expected in the current implementation, but there might be some additional questions about Retry-After giving meaningful instructions, for example in the case of Rule(second=0).
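To make the off-by-one concrete, here is an added, self-contained sketch (not asgi-ratelimit's own code) of a fixed-window counter written in the two styles the comment contrasts: one that initialises the counter on the first hit and only checks on the next access, and one that checks before counting. The `simulate` helper, the 3600-second window and the `retry_after` convention for a zero limit are assumptions for illustration.

```python
import math
import time


def allow_buggy(state: dict, key: str, limit: int, window: float) -> bool:
    """Flawed pattern: first hit in a window creates the counter and is always
    allowed; the limit is only consulted from the second hit onwards, so
    limit=0 and limit=1 behave identically."""
    now = time.monotonic()
    entry = state.get(key)
    if entry is None or entry["reset"] <= now:
        state[key] = {"count": 1, "reset": now + window}  # check postponed
        return True
    if entry["count"] >= limit:
        return False
    entry["count"] += 1
    return True


def allow_fixed(state: dict, key: str, limit: int, window: float) -> bool:
    """Check before counting: a fresh window starts at 0, and the comparison
    happens on every request, so limit=0 denies the very first access."""
    now = time.monotonic()
    entry = state.get(key)
    if entry is None or entry["reset"] <= now:
        entry = {"count": 0, "reset": now + window}
        state[key] = entry
    if entry["count"] >= limit:
        return False
    entry["count"] += 1
    return True


def retry_after(state: dict, key: str, limit: int):
    """Seconds until the window resets, or None for limit=0, where advertising
    a retry time would be misleading (assumed convention: the block is
    permanent, so no Retry-After header should be sent)."""
    if limit == 0:
        return None
    entry = state.get(key)
    if entry is None:
        return 0
    return max(0, math.ceil(entry["reset"] - time.monotonic()))


def simulate(policy, limit: int, requests: int = 3) -> list:
    """Run `requests` back-to-back hits from one client with a 1-hour window."""
    state = {}
    return [policy(state, "client", limit, 3600) for _ in range(requests)]
```

Running `simulate(allow_buggy, 0)` and `simulate(allow_buggy, 1)` gives the same `[True, False, False]`, while `simulate(allow_fixed, 0)` is `[False, False, False]`.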

abersheeran commented 2 years ago

Very interesting question. I kind of want to add a numeric check to Rule - only positive integers are allowed.