Security: Rate limit login attempts

[wistfulvariable]

Currently there's no rate limiting on the login endpoint. An attacker could brute-force passwords.\n\nProposed solution:\n- Max 5 attempts per IP per 15 minutes\n- Exponential backoff after 3 failures\n- Account lockout after 10 consecutive failures\n- Alert admin on lockout

[wistfulvariable]

Agreed this is high priority. I'd suggest using a sliding window rate limiter with Redis. The token bucket approach would also work but is more complex to implement.

[github-actions]

Rate limiting implementation PR is ready for review. Using sliding window with in-memory store (Redis optional). See PR #6.

[github-actions]

Rate limiting implementation PR is ready for review. Using sliding window with in-memory store (Redis optional). See PR #6.

[github-actions]

Rate limiting implementation PR is ready for review. Using sliding window with in-memory store (Redis optional). See PR #6.