Closed
Symfony version(s) affected: 5.2.x
Description
The login rate limiting does not work for APIs/stateless firewalls as it considers every login attempt as consuming a rate limiting token, but stateless firewalls do login/authentication on every request. This essentially turns the login rate limiter into an API request rate limiter, which is not ideal.
The issue was introduced in https://github.com/symfony/symfony/pull/38308/files#diff-18e6fd84c34ab4a56b269deb50428549e18be52c7597d281752971e696f4bd4bL56-L63 by the removal of the rate limit reset() on login. However, re-introducing this is also not a great solution IMO as it leads to many writes.
Possible Solution
I see two possible solutions here:
- Rate limit every login attempt, then reset the limiter (or deduct one attempt at least) on successful login. This leads to writing to the rate limiter backend twice for every login, so twice per API request, which is not optimal I find.
- Check the rate limit on every login attempt, but only consume a rate limit token on authentication failure. This would mean for correctly-authenticated requests we only get one readonly call on the rate limiter backend, which seems more efficient.
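The trade-off between the two options above, and the current behaviour that motivates them, can be made concrete by counting backend reads and writes per request. The following is an added example, not Symfony code and not part of this issue: it models a stateless firewall with a toy fixed-window login limiter over an in-memory store that counts its reads and writes, and replays constructed traffic under each of the three strategies (consume on every attempt as in 5.2, consume then reset on success, consume only on failure). The store, limiter and `authenticate` stand-in are assumptions made for the model.

```python
# Added example: a model of the three login-rate-limiting strategies discussed in
# this issue. It is not Symfony code; it uses a toy fixed-window counter and an
# in-memory store that counts backend reads and writes so the cost of each
# strategy per request can be compared.

class CountingStore:
    """In-memory stand-in for the rate limiter storage (e.g. a cache), counting I/O."""

    def __init__(self):
        self.data = {}
        self.reads = 0
        self.writes = 0

    def get(self, key):
        self.reads += 1
        return self.data.get(key, 0)

    def set(self, key, value):
        self.writes += 1
        self.data[key] = value

    def delete(self, key):
        self.writes += 1
        self.data.pop(key, None)


class LoginLimiter:
    """Toy fixed-window limiter: at most `max_attempts` consumed tokens per key."""

    def __init__(self, store, max_attempts):
        self.store = store
        self.max_attempts = max_attempts

    def peek(self, key):
        """Read-only check: would one more attempt still be within the limit?"""
        return self.store.get(key) < self.max_attempts

    def consume(self, key):
        """Record one attempt (a write) and report whether it was within the limit."""
        used = self.store.get(key)
        self.store.set(key, used + 1)
        return used < self.max_attempts

    def reset(self, key):
        self.store.delete(key)


def authenticate(credentials_ok):
    # Stand-in for the real authenticator: each constructed request carries a flag
    # saying whether its credentials are valid (no real password check here).
    return credentials_ok


def handle_request(strategy, limiter, key, credentials_ok):
    """Run one stateless-firewall request under the given strategy.

    Returns 'ok', 'bad_credentials' or 'rate_limited'.
    """
    if strategy == "consume_every_attempt":      # behaviour described in the issue
        if not limiter.consume(key):
            return "rate_limited"
        return "ok" if authenticate(credentials_ok) else "bad_credentials"

    if strategy == "consume_then_reset":         # possible solution 1
        if not limiter.consume(key):
            return "rate_limited"
        if authenticate(credentials_ok):
            limiter.reset(key)                   # second write per successful request
            return "ok"
        return "bad_credentials"

    if strategy == "consume_on_failure":         # possible solution 2
        if not limiter.peek(key):                # read-only check first
            return "rate_limited"
        if authenticate(credentials_ok):
            return "ok"                          # no write for a good request
        limiter.consume(key)                     # only failures spend a token
        return "bad_credentials"

    raise ValueError(f"unknown strategy {strategy!r}")


def simulate(strategy, requests, max_attempts=3):
    """Replay (key, credentials_ok) requests; return outcomes and backend I/O counts."""
    store = CountingStore()
    limiter = LoginLimiter(store, max_attempts)
    outcomes = [handle_request(strategy, limiter, key, ok) for key, ok in requests]
    return outcomes, store.reads, store.writes


if __name__ == "__main__":
    # Constructed traffic: one API client sending five correctly authenticated requests.
    good_client = [("alice", True)] * 5
    for strategy in ("consume_every_attempt", "consume_then_reset", "consume_on_failure"):
        outcomes, reads, writes = simulate(strategy, good_client)
        print(f"{strategy:24s} outcomes={outcomes} reads={reads} writes={writes}")
```

With a limit of 3 attempts, the current behaviour starts rejecting the legitimate client on its fourth request (one write per request); consume-then-reset keeps every request accepted at the cost of two writes per request; consume-on-failure does the same with one read and no writes, while still locking out a key after three failed attempts even if correct credentials follow.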