Implement rate limiting for st2auth /tokens API endpoint (aka authenticate endpoint)
We should implement rate limiting on a per-user basis on the st2auth authenticate API endpoint.
There should be no need for a single user to authenticate more than some reasonable amount of times in a short time frame (e.g. 10 in 60 seconds).
Authenticating more than some reasonable amount of times could put unnecessary stress on the upstream authentication backend server in some situations (e.g. when an LDAP backend is used).
I hope this rate limiting would be switched off by default and could be enabled only by those who really need it.
Otherwise, when enforced, it can only bring much more confusion rather than really help.
Yeah, I also need to add that this could simply be documentation for a recommended configuration change, aka rate limiting performed by the HTTP server in front of StackStorm (nginx in the default installation).
Agree, documenting nginx-based rate limiting sounds like the best performing and easy enough solution, where the user has some good options to control.
Thanks for contributing to this issue. As it has been 90 days since the last activity, we are automatically marking it as stale. If this issue is not relevant or applicable anymore (problem has been fixed in a new version or similar), please close the issue or let us know so we can close it. On the contrary, if the issue is still relevant, there is nothing you need to do, but if you have any additional details or context which would help us when working on this issue, please include it as a comment to this issue.
Reference: https://www.nginx.com/blog/rate-limiting-nginx/
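As an added illustration of the nginx-based approach discussed above (this is example configuration written for this thread, not StackStorm's shipped st2 nginx config), the fragment below applies the "10 requests per 60 seconds per user" figure from the issue to the authenticate endpoint using the `limit_req` module linked in the reference. Assumptions: st2auth is reached at `http://127.0.0.1:9100/` behind a `/auth/` prefix (adjust to match the actual `location` block of your install), and the zone name `st2auth_tokens`, its 10m size and the `burst` value are chosen here, not taken from the project. The limit key is the HTTP Basic username that st2auth's `/tokens` endpoint is called with (`$remote_user`, which nginx parses from the `Authorization` header without needing `auth_basic`), falling back to the client address when no credentials are present so that unauthenticated requests share a bucket instead of bypassing the limit.

```nginx
# Added example, not StackStorm's own configuration.
# Everything up to "server {" belongs in the http {} context.

# Per-user key: the Basic-auth username when one is supplied, otherwise the
# (binary, memory-efficient) client address.
map $remote_user $st2auth_limit_key {
    default $remote_user;
    ""      $binary_remote_addr;
}

# Shared-memory zone tracking one leaky bucket per key. rate=10r/m is what
# nginx uses for "10 per 60 seconds": it admits one request every 6 seconds
# and relies on "burst" below to absorb a short run of legitimate attempts.
# Zone name and 10m size are assumptions.
limit_req_zone $st2auth_limit_key zone=st2auth_tokens:10m rate=10r/m;

# Reply 429 rather than the default 503 so clients and dashboards can tell
# throttling apart from a genuine st2auth outage.
limit_req_status 429;

server {
    listen 443 ssl;
    server_name st2.example.com;   # placeholder hostname

    # Only the authenticate endpoint is throttled; the rest of /auth/ and the
    # API are left alone. "burst=10 nodelay" lets a user make 10 quick
    # requests back to back, after which excess requests get 429 until the
    # bucket drains at the 10r/m rate; rejected requests never reach st2auth
    # (and therefore never reach the LDAP backend).
    location = /auth/v1/tokens {
        limit_req zone=st2auth_tokens burst=10 nodelay;
        limit_req_log_level warn;    # throttled requests show up in error.log

        # Assumed upstream layout; match this to your existing st2auth block.
        proxy_pass http://127.0.0.1:9100/tokens;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two points worth knowing before enabling this. First, nginx's bucket is keyed by whatever username the client claims, not by a verified identity, so a rate limit keyed on `$remote_user` can be exhausted for a given user by anyone who knows that username and sends failing requests; that is the flip side of "per-user" limiting at the proxy layer and is a reason to keep it opt-in, as suggested in the thread, and to watch the `limiting requests` lines in the nginx error log when it fires. Second, `limit_req_zone` state lives in the shared-memory zone of one nginx instance; if several nginx nodes sit in front of st2auth, each enforces its own 10-per-minute budget independently, so the effective limit seen by the LDAP backend scales with the number of proxies.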