"""
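Simple in-memory rate limiter for login (industry standard: limit attempts per IP).
Counters live in this process only and are lost on restart, so with several
workers or hosts each one enforces its own limit. For production at scale, use Redis.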
"""
import time
from collections import defaultdict
from threading import Lock

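# Length of the sliding window, in seconds.
_WINDOW_SECONDS = 60.0

# identifier -> time.monotonic() timestamps of the allowed attempts still in the window
_attempts: dict[str, list[float]] = defaultdict(list)
# Guards _attempts and _last_sweep.
_lock = Lock()
# time.monotonic() value of the last full sweep for expired identifiers.
_last_sweep = time.monotonic()


def _evict_stale(window_start: float) -> None:
    """Drop every identifier with no attempt newer than *window_start*.

    Must be called with ``_lock`` held.
    """
    stale = [
        key
        for key, stamps in _attempts.items()
        if not any(t > window_start for t in stamps)
    ]
    for key in stale:
        del _attempts[key]


def check_rate_limit(identifier: str, max_per_minute: int = 10) -> bool:
    """
    Return True if the request is allowed, False if rate limited.

    identifier: typically client IP or username+IP.
    max_per_minute: number of attempts allowed per identifier in any
        60-second sliding window; a value <= 0 denies every request.

    Only allowed attempts are recorded; a denied request does not extend the
    lock-out. Timestamps come from time.monotonic(), so wall-clock changes do
    not affect the window.

    NOTE(review): the limit is only as trustworthy as the identifier. If the
    caller builds it from client-controlled data (for example a forwarded-for
    header taken from an untrusted hop), the limit can be sidestepped by
    varying that data. Confirm at the call site.
    """
    global _last_sweep

    now = time.monotonic()
    window_start = now - _WINDOW_SECONDS
    with _lock:
        # Without a sweep, every identifier ever seen would keep its entry
        # forever, letting callers who vary the identifier grow memory without
        # bound. Sweeping at most once per window keeps the amortised cost low.
        # This bounds retention time, not the number of identifiers that can
        # appear within one window.
        if now - _last_sweep >= _WINDOW_SECONDS:
            _evict_stale(window_start)
            _last_sweep = now

        # .get() avoids creating an empty defaultdict entry as a side effect.
        recent = [t for t in _attempts.get(identifier, ()) if t > window_start]
        allowed = len(recent) < max_per_minute
        if allowed:
            recent.append(now)

        if recent:
            _attempts[identifier] = recent
        else:
            # Nothing left to remember for this identifier.
            _attempts.pop(identifier, None)
    return allowed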
