Rate limits should be per-method, not per-resource string.

config/dev/ratelimit.auth.json

@@ -1,16 +1,16 @@
 {
     "": {"seconds": 60, "max": 30, "_comment": "Global ratelimit."},
 
-    "/v1/sec/doot": 
+    "GET:/v1/sec/doot": 
         {"seconds": 5, "max": 3, "_comment": "One DPS (Doot Per Second) for monitoring?"},
 
-    "/v1/sec/2fa-doot": 
+    "GET:/v1/sec/2fa-doot": 
         {"seconds": 10, "max": 1, "_comment": "2FA doot probably doesn't need much usage at all, mainly exists as a proof of concept."},
 
-    "/v1/adm/doot": 
+    "GET:/v1/adm/doot": 
         {"seconds": 5, "max": 3, "_comment": "One DPS (Doot Per Second) for monitoring?"},
 
-    "/v1/adm/2fa-doot": 
+    "GET:/v1/adm/2fa-doot": 
         {"seconds": 10, "max": 1, "_comment": "2FA doot probably doesn't need much usage at all, mainly exists as a proof of concept."}
     
     

config/dev/ratelimit.unauth.json

@@ -2,18 +2,18 @@
     "": 
         {"seconds": 60, "max": 30, "_comment": "Global unauthenticated ratelimit."},
 
-    "/v1/doot": 
+    "GET:/v1/doot": 
         {"seconds": 5, "max": 5, "_comment": "Unauthenticated DOOT for server monitoring."},
 
-    "/v1/login": 
+    "POST:/v1/login": 
         {"seconds": 60, "max": 3, "_comment": "Prevent bruteforce attacks on Login."},
 
-    "/v1/admin": 
+    "POST:/v1/admin": 
         {"seconds": 60, "max": 1, "_comment": "Prevent bruteforce attacks on Admin Login."},
 
-    "/v1/signup": 
+    "POST:/v1/signup": 
         {"seconds": 1800, "max": 1, "_comment": "Prevent spam account creation."},
 
-    "/v1/forgot": 
+    "POST:/v1/forgot": 
         {"seconds": 60, "max": 1, "_comment": "Slow down 'forgot password' enumeration/spam."}
 }