
Investigate an alternative for `express-brute`

Open na9da opened this issue 2 months ago • 3 comments

express-brute is now 8 years old, and the version of its underscore dependency has a critical security warning. For now, we have put in place yarn resolution rules to force a safer version. However, we could look for an alternative solution; some options include:

  • forking express-brute
  • investigate using https://www.npmjs.com/package/express-rate-limit

One thing to consider is that some of the server config params share the same names as express-brute options. If we have to avoid a breaking change, then we have to manage that somehow.

na9da, May 03 '24 04:05
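As an added illustration of the "fork express-brute" option and of the option-name concern raised above (example code, not terriajs-server's or express-brute's own): a small in-memory limiter that keeps express-brute's option names (`freeRetries`, `minWait`, `maxWait`, `lifetime`), so config keys that were written for express-brute keep meaning the same thing, and that needs no third-party dependency at all. Assumptions: every duration here is in milliseconds (express-brute's `lifetime` is in seconds), the back-off schedule simply doubles from `minWait` up to `maxWait` rather than reproducing express-brute's exact schedule, and the `simulate` helper with its fake clock and constructed client IP exists only to exercise the middleware offline. express-rate-limit, by contrast, uses different option names (for example `windowMs`), which is why a thin adapter like this, or a rename layer in the server config, is needed if the switch must not be a breaking change.

```javascript
'use strict';

// Added example (not terriajs-server code): an in-memory brute-force limiter
// that keeps express-brute's option names so existing config keys keep working.
// Assumptions: all durations are milliseconds (express-brute's `lifetime` is in
// seconds) and the delay doubles from minWait up to maxWait, a simplification
// of express-brute's own back-off schedule.

const DEFAULTS = {
  freeRetries: 2,                 // attempts allowed before any delay is imposed
  minWait: 500,                   // first delay once freeRetries is exhausted, ms
  maxWait: 15 * 60 * 1000,        // cap on the delay, ms
  lifetime: 24 * 60 * 60 * 1000,  // forget a key after this much inactivity, ms
  keyGenerator: (req) => req.ip,  // what the counter is keyed on
};

function createBruteLimiter(options = {}, clock = Date.now) {
  const opts = { ...DEFAULTS, ...options };
  const store = new Map(); // key -> { count, lastAllowedAt, expiresAt }

  // Delay a key must wait after `count` recorded attempts: nothing while
  // within freeRetries, then minWait, 2*minWait, 4*minWait, ... capped at maxWait.
  function delayFor(count) {
    const overFree = count - opts.freeRetries;
    if (overFree <= 0) return 0;
    return Math.min(opts.minWait * 2 ** (overFree - 1), opts.maxWait);
  }

  function middleware(req, res, next) {
    const key = opts.keyGenerator(req);
    const now = clock();
    let entry = store.get(key);
    if (entry && entry.expiresAt <= now) {
      store.delete(key); // lifetime elapsed: start the key afresh
      entry = undefined;
    }
    const nextValidAt = entry ? entry.lastAllowedAt + delayFor(entry.count) : now;
    if (now < nextValidAt) {
      // Still inside the back-off window: refuse without touching the counter.
      res.statusCode = 429;
      res.setHeader('Retry-After', String(Math.ceil((nextValidAt - now) / 1000)));
      res.end('Too many requests, please try again later.');
      return;
    }
    // Count this attempt and let the route clear it on a successful login.
    const count = (entry ? entry.count : 0) + 1;
    store.set(key, { count, lastAllowedAt: now, expiresAt: now + opts.lifetime });
    req.brute = { reset: () => store.delete(key) };
    next();
  }

  middleware.reset = (key) => store.delete(key);
  return middleware;
}

// Drive the middleware with a fake clock and a constructed client IP;
// returns the status code produced for each attempt timestamp, and resets the
// key after any attempt whose index appears in `resetAfter`.
function simulate(options, timestamps, resetAfter = []) {
  let now = 0;
  const limiter = createBruteLimiter(options, () => now);
  const statuses = [];
  timestamps.forEach((t, i) => {
    now = t;
    const req = { ip: '203.0.113.7' }; // constructed sample client
    const res = { statusCode: 200, setHeader() {}, end() {} };
    limiter(req, res, () => {});
    statuses.push(res.statusCode);
    if (resetAfter.includes(i)) limiter.reset(req.ip);
  });
  return statuses;
}

if (typeof module !== 'undefined') {
  module.exports = { createBruteLimiter, simulate };
}
```

With `freeRetries: 2, minWait: 1000, maxWait: 4000`, the first three attempts pass, a fourth at the same instant is refused, and the wait then grows 1 s, 2 s, 4 s, 4 s, which is the behaviour a login route wants and a fixed-window limiter does not give on its own.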