rate limiter probably not picking up the right IP address
reading the rate limiter docs:
https://django-ratelimit.readthedocs.io/en/stable/security.html
it seems to me there's a problem with the rate limiter because we don't actually do any of the mitigations suggested there to pick up the right IP address of the client.
@stephen could you double-check we're actually using the "real" ip addresses of clients in the rate limiter, like in the database or something?
one solution would be to shift the get_client_ip function into a "middleware" to properly populate the REMOTE_ADDR variable:
https://django-ratelimit.readthedocs.io/en/stable/security.html#middleware
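
A sketch of the middleware approach mentioned above, added here as an example; it is not part of the original issue or the project's code, and it does not reproduce the project's get_client_ip. It assumes a single reverse proxy on the listed private networks that appends the peer address to X-Forwarded-For; `resolve_client_ip`, `TRUSTED_PROXIES`, `TRUSTED_HOPS` and the sample addresses are hypothetical.

```python
import ipaddress

# Assumptions: one reverse proxy in front of the app, connecting from these
# networks, which appends the address of its peer to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_HOPS = 1


def _parse(value):
    """Return an ip_address object, or None if value is not a valid IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def resolve_client_ip(remote_addr, forwarded_for):
    """Pick the address the rate limiter should key on."""
    peer = _parse(remote_addr or "")
    # Honour the header only when the TCP peer is our own proxy; a client
    # connecting directly could put any address it likes in the header.
    if peer is None or not any(peer in net for net in TRUSTED_PROXIES):
        return remote_addr
    hops = [h for h in (forwarded_for or "").split(",") if h.strip()]
    if len(hops) < TRUSTED_HOPS:
        return remote_addr
    # Count from the right: entries left of the one our proxy appended
    # were supplied by the client and cannot be trusted.
    candidate = _parse(hops[-TRUSTED_HOPS])
    return str(candidate) if candidate else remote_addr


def reverse_proxy(get_response):
    """Django-style middleware: fix REMOTE_ADDR before the limiter reads it."""
    def process_request(request):
        request.META["REMOTE_ADDR"] = resolve_client_ip(
            request.META.get("REMOTE_ADDR"),
            request.META.get("HTTP_X_FORWARDED_FOR"))
        return get_response(request)
    return process_request


class FakeRequest:
    """Constructed stand-in for django.http.HttpRequest (only META is used)."""
    def __init__(self, meta):
        self.META = meta
```

The middleware has to be listed in MIDDLEWARE ahead of anything that reads REMOTE_ADDR, and the hop count and proxy networks must match the actual deployment, otherwise every client is rate-limited as the proxy's address or a forged header value is accepted.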