
Add rate limiting on authentication endpoints #17

@itisnotyourenv

Description

Summary

Implement rate limiting on authentication endpoints to prevent brute force attacks and protect against credential stuffing attempts.

Acceptance Criteria

  • Add rate limiting middleware for authentication endpoints (/auth/login, /auth/register, etc.)
  • Configure appropriate rate limits (e.g., 5 attempts per minute per IP)
  • Return proper HTTP status codes (429 Too Many Requests) when rate limit is exceeded
  • Include retry-after headers in rate limit responses
  • Add logging for rate limit violations
  • Consider implementing progressive delays for repeated violations
  • Add configuration options for rate limit thresholds
  • Update API documentation to reflect rate limiting behavior

Security Benefits

  • Prevents brute force password attacks
  • Mitigates credential stuffing attempts
  • Reduces load on authentication services
  • Improves overall API security posture

Implementation Notes

  • Consider using Redis or in-memory storage for rate limit tracking
  • Implement rate limiting per IP address and potentially per user account
  • Ensure rate limiting doesn't impact legitimate users
  • Add proper error handling and user-friendly error messages

Priority

High - Security enhancement
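The acceptance criteria and implementation notes above describe the middleware end to end, so here is one way to put them together. This is an added Python example written for this page, not code from the project or from the issue author: a sliding-window limiter keyed per IP and per account, returning 429 with a Retry-After header, logging each violation, applying a doubling lockout for repeated violations, and reading thresholds from the environment. Every name in it (RateLimitConfig, SlidingWindowLimiter, auth_rate_limit, the AUTH_RATE_LIMIT_* variables) and the plain-dict request shape are assumptions; the project's real web framework is not shown on the page, and a Redis backend would replace the two in-memory dicts while keeping the same hit() contract.

```python
"""Sliding-window rate limiter for /auth/* endpoints (added example, not project code).

All names here are hypothetical: RateLimitConfig, SlidingWindowLimiter,
auth_rate_limit and the AUTH_RATE_LIMIT_* environment variables are assumed.
"""
import logging
import math
import os
import threading
import time
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Tuple

log = logging.getLogger("auth.ratelimit")


@dataclass(frozen=True)
class RateLimitConfig:
    max_attempts: int = 5          # attempts allowed per window (issue suggests 5/min)
    window_seconds: float = 60.0   # sliding window length
    base_lockout: float = 60.0     # first lockout after a window is exhausted
    max_lockout: float = 3600.0    # cap for the progressive (doubling) lockout

    @classmethod
    def from_env(cls) -> "RateLimitConfig":
        """Configuration hook; the variable names are assumptions for this example."""
        e = os.environ
        return cls(
            max_attempts=int(e.get("AUTH_RATE_LIMIT_MAX_ATTEMPTS", cls.max_attempts)),
            window_seconds=float(e.get("AUTH_RATE_LIMIT_WINDOW_SECONDS", cls.window_seconds)),
            base_lockout=float(e.get("AUTH_RATE_LIMIT_BASE_LOCKOUT", cls.base_lockout)),
            max_lockout=float(e.get("AUTH_RATE_LIMIT_MAX_LOCKOUT", cls.max_lockout)),
        )


class SlidingWindowLimiter:
    """In-memory limiter; state is tracked per key ("ip:..." or "user:...")."""

    def __init__(self, cfg: RateLimitConfig) -> None:
        self.cfg = cfg
        self._attempts: Dict[str, Deque[float]] = {}          # key -> attempt timestamps
        self._violations: Dict[str, Tuple[int, float]] = {}   # key -> (count, blocked_until)
        self._lock = threading.Lock()

    def hit(self, key: str, now: float) -> float:
        """Record one attempt for key. Returns 0.0 if allowed, else seconds to wait."""
        with self._lock:
            count, blocked_until = self._violations.get(key, (0, 0.0))
            if now < blocked_until:                      # still inside a lockout
                return blocked_until - now
            window = self._attempts.setdefault(key, deque())
            cutoff = now - self.cfg.window_seconds
            while window and window[0] <= cutoff:        # drop attempts outside the window
                window.popleft()
            if len(window) >= self.cfg.max_attempts:
                count += 1                               # progressive delay: lockout doubles
                lockout = min(self.cfg.base_lockout * 2 ** (count - 1), self.cfg.max_lockout)
                self._violations[key] = (count, now + lockout)
                log.warning("rate limit exceeded key=%s violations=%d lockout=%.0fs",
                            key, count, lockout)
                return lockout
            window.append(now)
            return 0.0


def auth_rate_limit(limiter: SlidingWindowLimiter, handler, request: dict, now=None) -> dict:
    """Wrap handler(request) for /auth/* paths.

    request is a plain dict (path, client_ip, optional username) standing in for the
    framework's request object; the response is a dict with status/headers/body.
    """
    now = time.monotonic() if now is None else now
    if not request["path"].startswith("/auth/"):
        return handler(request)
    keys = ["ip:" + request["client_ip"]]
    if request.get("username"):                          # limit per account as well as per IP
        keys.append("user:" + request["username"].strip().lower())
    retry_after = max(limiter.hit(k, now) for k in keys)
    if retry_after > 0:
        return {
            "status": 429,
            "headers": {"Retry-After": str(math.ceil(retry_after))},
            "body": {"error": "Too many authentication attempts. Please try again later."},
        }
    return handler(request)
```

Two caveats a reviewer would raise against this design: counting every attempt (not just failures) is the simplest reading of "5 attempts per minute", but it means a user who logs in correctly five times in a minute is blocked too; and the per-account key turns the limiter into a lockout lever, since anyone who knows a username can keep that account in a lockout window from any IP, which is why max_lockout is capped and the response never reveals whether the account exists.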
