adjusted flaky test

Gani Georgiev
2026-05-01 19:32:00 +03:00
parent 53ac0d29da
commit 4850da6f56
2 changed files with 3 additions and 3 deletions

.github/SECURITY.md vendored

@@ -77,7 +77,7 @@ If someone is able to tamper with the OAuth2 responses then the entire OAuth2 fl
This is a common and usually valid report but there is no easy solution without confusing and degrading the users experience.
Some endpoints, like the user create/register, can be used for username or emails enumeration based on various response heuristics - timing, specific error messages, etc.
Some endpoints, like the user create/register, can be used for usernames or emails enumeration based on various response heuristics - timing, specific error messages, etc.
In many places where applicable we've tried to minimize the impact by using constant time checks, returning non-descriptive error messages, applying an internal rate limit for some operations, etc. but it is not bulletproof and if somebody wants to find out if a user is registered they will be able to do it one way or another.
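
Review bot: the reworded sentence still reads awkwardly, since "usernames or emails enumeration" pluralizes nouns that are used attributively; "username or email enumeration" would be clearer. The unchanged line above it has "the users experience", which needs an apostrophe ("the user's experience") and could be fixed in the same pass. This documentation edit is also unrelated to the commit subject "adjusted flaky test", so either mention it in the message or split it into its own commit.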


@@ -86,8 +86,8 @@ func TestDefaultRateLimitMiddleware(t *testing.T) {
{"/rate/a", 0, false, 200},
{"/rate/a", 800, false, 200}, // (fixed window check) wait enough to ensure that it can't fit more than 2 requests in 1s
{"/rate/a", 500, false, 200},
{"/rate/a", 800, false, 200},
{"/rate/a", 600, false, 200},
{"/rate/a", 850, false, 200},
{"/rate/a", 0, false, 200},
{"/rate/a", 0, false, 429},
{"/rate/a", 0, false, 429},
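
Review bot: the two retuned rows (600 and 850 in place of 500 and 800) still depend on real elapsed time, so the test can keep failing intermittently on a slow or heavily loaded runner. If the second column is a delay in milliseconds, as the comment on the first 800 row suggests, add a short comment on the new rows explaining how 600 and 850 relate to the 1s fixed window, so the next adjustment is not guesswork. A more durable fix would be to drive the limiter from a controllable clock in the test instead of sleeping.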