
feat: add rate limiters for sending emails and login

Open adrianboros opened this issue 1 year ago • 2 comments

Context

  • fixes #1585
  • fixes #1610

Changes

  • add rate limiters for sending verify and forgot pass emails
  • add rate limiters on login attempts

adrianboros · Sep 19 '24 19:09

This rate limit implementation works as route middleware, which means we count the endpoint hit and NOT failed login attempts. We can hit the rate limit even with successful logins if we login/logout multiple times in a short amount of time.

Questions:

  • should we set these rate limits as env variables to be easier to update?
  • for login rate limit, should we count only failed attempts and not all route hits? In order to count just failed login attempts, we can move the login route rate limit logic from a middleware to a service and use it in the authService.authorize function.

adrianboros · Sep 23 '24 12:09
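The difference the comment above describes, as an added example that is not the project's code: one fixed-window limiter used two ways, once as a route middleware would (every hit counts, so repeated successful logins trip it) and once inside a service-level authorize step (only failed credential checks count). The `authorize` function, the in-memory user table and keying by username are assumptions for the demo; the limit of 3 mirrors the maxAttempts mentioned in the thread and would be read from an env variable in the real project.

```typescript
// Fixed-window counter per key (here: username). Clock is injectable so the
// window expiry can be tested deterministically.
type Clock = () => number;
interface Window { count: number; resetAt: number; }

class LoginRateLimiter {
  private windows = new Map<string, Window>();
  constructor(
    private readonly maxAttempts = 3,          // project would read this from an env variable
    private readonly windowMs = 15 * 60 * 1000,
    private readonly now: Clock = () => Date.now(),
  ) {}

  /** True if the key already used all attempts in the current window. */
  isBlocked(key: string): boolean {
    const w = this.windows.get(key);
    return w !== undefined && this.now() < w.resetAt && w.count >= this.maxAttempts;
  }

  /** Record one attempt; returns attempts remaining in this window. */
  record(key: string): number {
    const t = this.now();
    let w = this.windows.get(key);
    if (!w || t >= w.resetAt) { w = { count: 0, resetAt: t + this.windowMs }; this.windows.set(key, w); }
    w.count += 1;
    return Math.max(0, this.maxAttempts - w.count);
  }

  /** Clear the counter, used after a successful login in failures-only mode. */
  reset(key: string): void { this.windows.delete(key); }
}

// Constructed user table standing in for the real credential check.
const USERS: Record<string, string> = { alice: "correct-horse" };

// Hypothetical stand-in for authService.authorize. failuresOnly=false behaves
// like the route middleware (count every hit); failuresOnly=true counts only
// bad-credential outcomes, so login/logout cycles never trip the limit.
function authorize(
  limiter: LoginRateLimiter, user: string, password: string, failuresOnly: boolean,
): "ok" | "bad-credentials" | "rate-limited" {
  if (limiter.isBlocked(user)) return "rate-limited";
  if (!failuresOnly) limiter.record(user);
  if (USERS[user] === password) {
    if (failuresOnly) limiter.reset(user);
    return "ok";
  }
  if (failuresOnly) limiter.record(user);
  return "bad-credentials";
}
```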

  • Yes, I think having the rate limits in ENV variables is a good idea.
  • If we are trying to prevent brute force attacks on login then the current approach of route middleware is ok. I saw that you allow 3 maxAttempts before the pause, so that is ok by me.

lengyel-arpad85 · Sep 24 '24 10:09