Why are dynamic limits not taken into account when in middleware ?

[JBocage]

I am currently working with the slowapi package, trying to setup some dynamic limits that depend on the headers of the incoming requests. (Concretely, when a request with the proper header is there, I want to apply a very high limit instead of the usual one.)

So I tried to provide a list of callables to the default_limits argument in the constructor of the Limiter object. (see snippet below)

# my_code.py

def get_headers(key) -> str:
    # debug_print_red_on_white("Request headers:", key)
    return "60/minute"


limiter = Limiter(
    key_func=custom_get_ipaddr,
    default_limits=[get_headers],
    storage_uri=f"mongodb+srv://{conf['MONGODB_USER']}:{conf['MONGODB_PASSWORD']}@{conf['MONGODB_INSTANCE_DOMAIN']}",
)

app.state.limiter = limiter

Turned out this broke the whole thing so I dug down in the source code to find out why. And I finally found out the break came from the LimitGroup.__iter__ method, in the case there was a limite that was callable AND had a key argument. (see code below)

# slowapi/wrappers.py

if callable(self.__limit_provider):
    if "key" in inspect.signature(self.__limit_provider).parameters.keys():
        assert (
            "request" in inspect.signature(self.key_function).parameters.keys()
        ), f"Limit provider function {self.key_function.__name__} needs a `request` argument"
        if self.request is None:
            raise Exception("`request` object can't be None")  # CODE IS BREAKING HERE
        limit_raw = self.__limit_provider(self.key_function(self.request))
    else:
        limit_raw = self.__limit_provider()

So I dug more, and I found out why self.request was None at that time.
I seems the LimitGroup.request is only set by the with_request method (see below)

# slowapi/wrappers.py

def with_request(self, request):
    self.request = request
    return self

And this one is only called if the in_middleware argument of the Limiter._check_request_limit is True.

# slowapi/extension.py

    if not in_middleware:
    limits = (
        self._route_limits[endpoint_func_name]
        if endpoint_func_name in self._route_limits
        else []
    )
    dynamic_limits = []
    if endpoint_func_name in self._dynamic_route_limits:
        for lim in self._dynamic_route_limits[endpoint_func_name]:
            try:
                dynamic_limits.extend(list(lim.with_request(request)))  # HERE !
            except ValueError as e:
                self.logger.error(
                    "failed to load ratelimit for view function %s (%s)",
                    endpoint_func_name,
                    e,
                )

So I got two questions:

• If I understood properly until this point, what reason lies behind this?
• Is there any way of applying a dynamic rate limit using this default_limits argument AND adding the limiter in the app's middleware?