User-dependent cool-off can reset attempts related to other users #1302

@aleksihakli

Love this feature, but if I understand the library correctly, it seems like clean_expired_user_attempts needs to be refactored for this to work.

The way I read it, clean_expired_user_attempts deletes all AccessAttempts that are expired based on the current request's cooloff threshold, regardless of whether those attempts had different cooloffs.

This means if UserA has an attempt recorded with a 60 minute cooloff, and then UserB comes in 10 minutes later with a cooloff of 5 minutes, we'll delete "all AccessAttempts older than 5 minutes". UserA's AccessAttempt will be deleted even though it doesn't expire for another 50 minutes.

Am I understanding this limitation correctly? Thanks for the help!

Originally posted by @herg in #1222 (comment)
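To make the scenario in the comment above concrete, here is an added simulation of the two cleanup strategies it contrasts. This is not django-axes code: the Attempt dataclass stands in for an AccessAttempt row, and the two cleanup functions and their names are hypothetical; the "threshold" variant reproduces the behaviour the comment describes (delete everything older than the current request's cool-off), while the "recorded" variant expires each attempt only once the cool-off it was recorded with has elapsed. The timestamps and users are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass
class Attempt:
    """Hypothetical stand-in for an AccessAttempt row (not the django-axes model)."""
    username: str
    attempt_time: datetime
    cooloff: timedelta  # the cool-off in force when this attempt was recorded


def clean_by_request_threshold(attempts: List[Attempt], now: datetime,
                               request_cooloff: timedelta) -> List[Attempt]:
    """Cleanup as described in the issue: drop every attempt older than the
    *current request's* cool-off, ignoring the cool-off each attempt was
    recorded with. A short cool-off on one user's request can therefore wipe
    another user's still-active lockout."""
    threshold = now - request_cooloff
    return [a for a in attempts if a.attempt_time >= threshold]


def clean_by_recorded_cooloff(attempts: List[Attempt], now: datetime) -> List[Attempt]:
    """Alternative cleanup: an attempt expires only once its own cool-off has
    elapsed, so the request that triggers cleanup cannot shorten anyone else's
    lockout."""
    return [a for a in attempts if a.attempt_time + a.cooloff > now]


def is_locked_out(attempts: List[Attempt], username: str) -> bool:
    """A user is locked out while any attempt of theirs is still recorded."""
    return any(a.username == username for a in attempts)


def scenario(elapsed_minutes: int = 10) -> dict:
    """Replay the comment's example: UserA fails with a 60-minute cool-off,
    UserB fails `elapsed_minutes` later with a 5-minute cool-off, and cleanup
    runs on UserB's request. Returns whether UserA is still locked out under
    each strategy."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed timestamp
    attempts = [Attempt("UserA", t0, timedelta(minutes=60))]
    now = t0 + timedelta(minutes=elapsed_minutes)
    user_b_cooloff = timedelta(minutes=5)

    after_threshold = clean_by_request_threshold(attempts, now, user_b_cooloff)
    after_threshold.append(Attempt("UserB", now, user_b_cooloff))

    after_recorded = clean_by_recorded_cooloff(attempts, now)
    after_recorded.append(Attempt("UserB", now, user_b_cooloff))

    return {
        "threshold_keeps_user_a": is_locked_out(after_threshold, "UserA"),
        "recorded_keeps_user_a": is_locked_out(after_recorded, "UserA"),
    }


if __name__ == "__main__":
    print(scenario(10))   # UserA lost under the threshold strategy, kept under the recorded one
    print(scenario(61))   # both strategies have released UserA by now
```

With a 10-minute gap the threshold strategy has already released UserA (50 minutes early), while the recorded-cool-off strategy keeps the lockout until the full 60 minutes have passed. The point for a deployment is that the effective lockout for any user becomes the shortest cool-off any other user can trigger, so the per-attempt expiry is the property to check for when relying on user-dependent cool-offs.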
