Rate Limiting with Redis + Increment Expiry

                  class SessionsController < ApplicationController
  def create
    limiter = RateLimiter.new
    key = "rl:login:ip:#{request.remote_ip}"

    unless limiter.allow?(key, limit: 20, period: 10.minutes)
      render status: :too_many_requests, json: { error: 'Try again later' }
      return
    end

    # authenticate...
  end
end