stellar-wallet
Lockdown system does not properly report a lockdown event in the case where the requests lapse multiple quantized windows
This causes intermittent failures on the "locks a user out after the configured number of failed attempts" test
notes for future self:
This problem occurs because we only consider the current time window's number of failed login attempts to decide whether the lockdown has been initiated with this request.
Instead, I should probably redesign the storage system around redis sorted sets... performance won't be O(1), but it should be very fast. Using sorted sets might trigger a pathological case under a sustained DoS attack from a single IP, so I should investigate and test.
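The two counting strategies the note contrasts, as an added example that is not code from the stellar-wallet project. The quantized-window counter reproduces the failure mode in the title: failures that straddle a bucket boundary are never summed, so the lockout is missed. The sorted-set version records each failure with its timestamp as the score, trims entries that have aged out of the window, and counts what remains (the ZADD / ZREMRANGEBYSCORE / ZCARD pattern). The Redis commands are simulated by an in-memory stand-in so the example runs offline; the window length, attempt limit and key shape are assumptions, and the timestamps are constructed.

```javascript
// Added example: fixed (quantized) window versus sliding window on sorted-set
// semantics. Redis is replaced by an in-memory stand-in (constructed, not a
// real client). WINDOW_MS, MAX_FAILURES and the key shape are assumptions.

const WINDOW_MS = 60_000;   // assumed lockout window (60 s)
const MAX_FAILURES = 5;     // assumed "configured number of failed attempts"

// Quantized-window counter: one counter per bucket floor(t / windowMs).
// Only the current bucket is consulted, so two failures at the end of bucket 0
// and three at the start of bucket 1 never add up to five. This is the defect.
function lockedByFixedWindow(failureTimes, windowMs = WINDOW_MS, max = MAX_FAILURES) {
  const buckets = new Map();
  for (const t of failureTimes) {
    const bucket = Math.floor(t / windowMs);
    const n = (buckets.get(bucket) || 0) + 1;
    buckets.set(bucket, n);
    if (n >= max) return true;
  }
  return false;
}

// Minimal in-memory stand-in for the three sorted-set commands the sliding
// window needs. Members map to scores; scores are millisecond timestamps.
class FakeSortedSets {
  constructor() { this.sets = new Map(); }
  zadd(key, score, member) {
    if (!this.sets.has(key)) this.sets.set(key, new Map());
    this.sets.get(key).set(member, score);
  }
  zremrangebyscore(key, min, max) {       // inclusive bounds, like Redis without "("
    const set = this.sets.get(key);
    if (!set) return 0;
    let removed = 0;
    for (const [member, score] of set) {
      if (score >= min && score <= max) { set.delete(member); removed++; }
    }
    return removed;
  }
  zcard(key) {
    const set = this.sets.get(key);
    return set ? set.size : 0;
  }
}

// Sliding window: record the failure, forget entries older than the window,
// then count. Trimming on every call keeps the set down to the failures that
// fell inside one window, i.e. its size is bounded by rate x window length.
function recordFailureSliding(store, key, now, attemptId, windowMs = WINDOW_MS, max = MAX_FAILURES) {
  store.zadd(key, now, `${now}:${attemptId}`);          // unique member per failure
  store.zremrangebyscore(key, -Infinity, now - windowMs); // drop failures at or past window age
  return store.zcard(key) >= max;                         // locked once the window is full
}

function lockedBySlidingWindow(failureTimes, windowMs = WINDOW_MS, max = MAX_FAILURES) {
  const store = new FakeSortedSets();
  const key = 'lockout:failures:203.0.113.7';  // assumed key shape; documentation-range address
  return failureTimes.some((t, i) => recordFailureSliding(store, key, t, i, windowMs, max));
}

// How many entries the sorted set holds after the last failure: the per-client
// memory cost the note flags for a sustained flood from one source.
function slidingSetSizeAfter(failureTimes, windowMs = WINDOW_MS) {
  const store = new FakeSortedSets();
  const key = 'lockout:failures:203.0.113.7';
  failureTimes.forEach((t, i) => recordFailureSliding(store, key, t, i, windowMs));
  return store.zcard(key);
}

// Constructed sample: five failures within 2.5 s straddling the bucket boundary
// at t = 60 000 ms. Bucket 0 sees two of them, bucket 1 sees three.
const STRADDLING_FAILURES = [59_000, 59_500, 60_500, 61_000, 61_500];

console.log('fixed window locks:  ', lockedByFixedWindow(STRADDLING_FAILURES));   // false (the bug)
console.log('sliding window locks:', lockedBySlidingWindow(STRADDLING_FAILURES)); // true
console.log('set size after sample:', slidingSetSizeAfter(STRADDLING_FAILURES)); // 5
```

The sliding version is no longer a single INCR: each failure costs an insert, a range removal and a count, all O(log N) in the set size, and that size is proportional to the failure rate times the window length for a client that keeps hammering, which is the cost the note says needs measuring. The fixed-window counter stays O(1) but is exactly the behaviour that makes the lockout test intermittent.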