django-phone-verify
Discard session token after n failed attempts
Should have some protection against brute-forcing security codes, especially since TOKEN_LENGTH can be set to a low value like 4...
Thanks for the suggestion.
I would suggest a setting that controls the MIN_TOKEN_LENGTH. We may have another setting to discard the token after n failed attempts where n can be configured through another setting. If you'd like to work on this and raise a PR, I'll be happy to merge it.
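
A sketch of the behaviour discussed in this thread, added here as an example and not django-phone-verify's own code: a per-session failed-attempt counter that discards the session token once the limit is reached. `MAX_FAILED_ATTEMPTS`, `VerificationStore` and `guess_success_probability` are hypothetical names, and an in-memory dict stands in for the database table.

```python
import hmac
import secrets

# Only TOKEN_LENGTH is named in the thread; MAX_FAILED_ATTEMPTS is an assumed setting.
TOKEN_LENGTH = 4
MAX_FAILED_ATTEMPTS = 3


class VerificationStore:
    """In-memory stand-in for the table mapping a session token to its security code."""

    def __init__(self, max_failed_attempts=MAX_FAILED_ATTEMPTS):
        self.max_failed_attempts = max_failed_attempts
        self._records = {}  # session_token -> [security_code, failed_attempts]

    def issue(self, token_length=TOKEN_LENGTH):
        session_token = secrets.token_urlsafe(16)
        security_code = "".join(secrets.choice("0123456789") for _ in range(token_length))
        self._records[session_token] = [security_code, 0]
        return session_token, security_code

    def verify(self, session_token, submitted_code):
        record = self._records.get(session_token)
        if record is None:
            return "invalid_session"  # unknown, already used, or discarded
        # Constant-time comparison so timing does not reveal matching digits.
        if hmac.compare_digest(record[0].encode(), submitted_code.encode()):
            del self._records[session_token]  # a code is single use
            return "verified"
        record[1] += 1
        if record[1] >= self.max_failed_attempts:
            # Limit reached: drop the session so the correct code no longer works.
            del self._records[session_token]
            return "discarded"
        return "wrong_code"


def guess_success_probability(token_length, max_failed_attempts):
    """Chance that distinct guesses hit a uniformly random numeric code before discard."""
    return min(1.0, max_failed_attempts / 10 ** token_length)
```

With a 4-digit code and a limit of 3, one session can be guessed with probability 3/10000. The counter is per session, so the number of sessions issued per phone number needs its own limit for that bound to hold.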