Missing normalization before request path processing
When using rack-attack with a RoR app, developers expect the request path to be normalized. In particular, trailing slashes are stripped so a request path /login/ becomes /login by the time you're in ActionController. Since Rack::Attack runs before ActionDispatch, the request path is not yet normalized. This can cause throttles and denylists to not work as expected.