Request Rate Limiting Middleware for API Protection #313
Labels: middleware, security, performance, high-priority
Description:
Implement intelligent rate limiting middleware to protect the API from abuse, DDoS attacks, and excessive requests from single sources.
Requirements:
- Limit requests per IP address within time windows (e.g., 100 requests per 15 minutes)
- Support different rate limits for different endpoint types:
  - Strict limits for authentication endpoints (5 login attempts per 15 min)
  - Moderate limits for puzzle submission (30 per hour)
  - Generous limits for read-only endpoints (300 per hour)
  - Special limits for admin endpoints (1000 per hour)
- Use Redis for distributed rate limit tracking across server instances
- Return 429 Too Many Requests with a Retry-After header
- Support rate limit exemptions for whitelisted IPs (admin access)
- Track rate limits by user ID for authenticated requests (more accurate)
- Provide rate limit info in response headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset)
- Support burst allowance for temporary spikes
- Log rate limit violations for security monitoring
Acceptance Criteria:
- Rate limits enforced across all specified endpoint types
- Redis used for distributed state management
- 429 status code returned when limit exceeded
- Retry-After header indicates when user can retry
- Response headers show current rate limit status
- Authenticated users tracked by userId, not IP (more accurate)
- Whitelisted IPs bypass rate limiting
- Rate limit configuration easily adjustable via environment variables
- No legitimate users blocked under normal usage patterns
- System handles edge cases (Redis connection failure, clock skew)
Rate Limit Tiers:
- Authentication routes: 5 requests / 15 minutes
- Puzzle submission: 30 requests / hour per user
- Daily quest generation: 2 requests / day per user
- Read-only endpoints: 300 requests / hour
- Admin endpoints: 1000 requests / hour
- Public landing page: 1000 requests / hour
Headers to Include:
- X-RateLimit-Limit: Maximum requests allowed
- X-RateLimit-Remaining: Requests remaining in window
- X-RateLimit-Reset: Timestamp when limit resets
- Retry-After: Seconds until user can retry (when limited)
NOTE: ALL SHOULD BE IMPLEMENTED IN THE MIDDLEWARE FOLDER/REPO
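As an added illustration (not code from this repository), a JavaScript sketch of the core pieces this issue asks for: a tier table, a fixed-window counter in the shape of the Redis INCR + PEXPIRE pattern (an in-memory Map stands in for Redis here, an assumption), and a Node/Express-style middleware that keys by userId or IP, honours a whitelist, sets the X-RateLimit-* headers, answers 429 with Retry-After, logs violations, and fails open when the store throws (the fail-open choice is also an assumption).

```javascript
// Tier table mirroring the issue; the limits are the kind of value to load from env vars.
const TIERS = {
  auth:   { limit: 5,   windowMs: 15 * 60 * 1000 },
  submit: { limit: 30,  windowMs: 60 * 60 * 1000 },
  read:   { limit: 300, windowMs: 60 * 60 * 1000 },
};

// In-memory stand-in for the Redis INCR + PEXPIRE pattern (assumption: production uses Redis).
class MemoryStore {
  constructor() { this.counts = new Map(); }
  increment(key, windowMs, now) {
    const windowStart = Math.floor(now / windowMs) * windowMs;  // fixed-window bucket
    const bucket = `${key}:${windowStart}`;
    const count = (this.counts.get(bucket) || 0) + 1;
    this.counts.set(bucket, count);
    return { count, resetAt: windowStart + windowMs };
  }
}
// Count one request against its key and derive the X-RateLimit-* / Retry-After values.
function checkRateLimit(store, key, tier, now = Date.now()) {
  const { limit, windowMs } = TIERS[tier];
  const { count, resetAt } = store.increment(key, windowMs, now);
  const allowed = count <= limit;
  return {
    allowed, limit,
    remaining: Math.max(0, limit - count),
    reset: Math.ceil(resetAt / 1000),                            // Unix seconds
    retryAfter: allowed ? 0 : Math.ceil((resetAt - now) / 1000),
  };
}

// Node/Express-style middleware: key by userId when authenticated, else by IP; whitelisted
// IPs bypass; a store failure fails open (assumption) and is logged so a Redis outage is visible.
function rateLimit(tier, store, { whitelist = new Set(), log = console.warn } = {}) {
  if (!TIERS[tier]) throw new Error(`unknown rate limit tier: ${tier}`);  // fail at startup
  return (req, res, next) => {
    if (whitelist.has(req.ip)) return next();
    const key = req.user ? `user:${req.user.id}:${tier}` : `ip:${req.ip}:${tier}`;
    let result;
    try { result = checkRateLimit(store, key, tier); }
    catch (err) { log(`rate-limit store error, allowing request: ${err.message}`); return next(); }
    res.setHeader('X-RateLimit-Limit', result.limit);
    res.setHeader('X-RateLimit-Remaining', result.remaining);
    res.setHeader('X-RateLimit-Reset', result.reset);
    if (result.allowed) return next();
    res.setHeader('Retry-After', result.retryAfter);
    log(`rate limit exceeded key=${key} tier=${tier}`);   // feed to security monitoring
    res.statusCode = 429; res.end('Too Many Requests');
  };
}
```

Both the counter key and the whitelist check depend on req.ip, which is only the real client address when the app's proxy trust settings match the deployment; set that deliberately behind a load balancer so forwarded headers cannot decide either one.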