If I'm correct, from the top of my head that would be:

LOGIN_RATELIMIT_SECONDS=300
LOGIN_RATELIMIT_MAX_BURST=10

And I set 10 here, but keep in mind that since you use 2FA, the clients call that endpoint a second time within those 5 minutes.
Also note that we do this for every attempt, not only failed logins, because someone could also try to use invalid logins or try multiple, etc.
So this does mean that if you log in from the same IP on 5 different devices, which all need to enter a 2FA within 5 minutes, then after that you can't log in anymore and need to wait 5 minutes to try again.
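As an added illustration (not code from the post above or from the project itself), here is a simplified per-IP sliding-window model of this limit. It assumes the limiter simply counts every call to the login endpoint within the last LOGIN_RATELIMIT_SECONDS, which is a modelling assumption rather than the real implementation; the IP address and timings are constructed.

```python
# Added example, not the project's own code: a simplified per-IP login rate
# limiter that counts every call to the login endpoint inside a sliding window,
# to show how a 2FA login (two calls) uses up the burst twice as fast.
from collections import defaultdict, deque

LOGIN_RATELIMIT_SECONDS = 300   # window length, as in the post
LOGIN_RATELIMIT_MAX_BURST = 10  # attempts allowed per IP inside that window


class LoginRateLimiter:
    """Sliding-window counter per client IP (assumed model, not the real algorithm)."""

    def __init__(self, seconds=LOGIN_RATELIMIT_SECONDS, max_burst=LOGIN_RATELIMIT_MAX_BURST):
        self.seconds = seconds
        self.max_burst = max_burst
        self._hits = defaultdict(deque)  # ip -> timestamps of recent admitted attempts

    def allow(self, ip, now):
        """Record one call to the login endpoint and return True if it is admitted.
        Every attempt counts, successful or not, as the post describes."""
        hits = self._hits[ip]
        while hits and now - hits[0] >= self.seconds:
            hits.popleft()  # drop attempts that have fallen out of the window
        if len(hits) >= self.max_burst:
            return False    # budget exhausted: client must wait for the window to pass
        hits.append(now)
        return True


def login_with_2fa(limiter, ip, now):
    """A 2FA login costs two endpoint calls: password first, the 2FA code one second later."""
    first = limiter.allow(ip, now)
    second = limiter.allow(ip, now + 1)
    return first and second


def simulate_devices(num_devices, limiter=None):
    """Log in num_devices devices from one constructed IP, 10 s apart; return which succeeded."""
    if limiter is None:
        limiter = LoginRateLimiter()
    return [login_with_2fa(limiter, "203.0.113.7", i * 10) for i in range(num_devices)]


if __name__ == "__main__":
    print(simulate_devices(6))  # the sixth device from the same IP is refused
```

With the defaults, five 2FA logins consume all ten slots, so a sixth device from the same IP is refused until the oldest attempts age out of the 300 s window.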