
LG-14078: Rate-limit backup code attempts based on IP+user ID #11094

Merged: 1 commit merged into main from aduth-lg-14078-rate-limit-backup-codes on Aug 16, 2024

Conversation

aduth

@aduth aduth commented Aug 16, 2024

🎫 Ticket

LG-14078

🛠 Summary of changes

Adds additional rate-limiting to the backup code sign-in MFA submission to limit attempts based on a combination of user and IP address.

Related: #10982

📜 Testing Plan

It will be helpful to adjust local configuration to simplify testing, e.g.

backup_code_user_id_per_ip_attempt_window_exponential_factor: 4
backup_code_user_id_per_ip_attempt_window_in_minutes: 60
backup_code_user_id_per_ip_attempt_window_max_minutes: 1_440
backup_code_user_id_per_ip_max_attempts: 4

With this configuration, it's expected that the lockout would max at 24 hours, which would quickly be hit with an exponential factor of 4:

(1..4).to_a.map { |i| [i, (4 ** (i - 1)).hours] }
# [[1, 1 hour], [2, 4 hours], [3, 16 hours], [4, 64 hours]]

Throughout testing, you can reset your local throttle cache by flushing the Redis store, using rails console:

REDIS_THROTTLE_POOL.with { |client| client.flushdb }

Verify that you cannot make any backup code submissions past your 4th, and you're locked out for 24 hours:

  1. Prerequisite: Have an account with backup codes. It doesn't matter if you know what they are.
  2. Go to http://localhost:3000
  3. Sign in
  4. If not prompted for MFA, click "Forget all browsers" from the account dashboard, confirm, sign out, then start again
  5. When prompted for MFA, if not prompted for backup code, click "Choose another authentication method" and select backup codes
  6. When prompted for backup code, enter an incorrect code 4 times (if using the configuration above)
  7. See the error message "You tried too many times, please try again in [~24 hours]."

👀 Screenshots

Screenshot 2024-08-16 at 7 57 22 AM

changelog: Internal, Rate Limiting, Enforce additional user IP rate-limiting on backup code submission
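The PR description above explains the user-ID + IP lockout in terms of four configuration values. The following is an added example, not code from the identity-idp project or from this PR: a small Ruby rate limiter that keys on the (user ID, IP) pair and applies the exponential window the testing plan describes (base window times factor^(attempt-1), capped at the configured maximum). The in-memory Hash standing in for Redis, the key layout, the expiry arithmetic, the `UserIpRateLimiter` class and its method names, and the IP addresses are all assumptions chosen to illustrate the idea; only the four configuration values are taken from the PR.

```ruby
# Added example (not identity-idp code): a minimal user-ID + IP rate limiter
# with the exponential lockout window described in the PR's testing plan.
# The store, key layout and expiry arithmetic are assumptions; the project's
# own implementation is its Redis-backed RateLimiter.

# Values copied from the PR's suggested local configuration.
BACKUP_CODE_USER_ID_PER_IP = {
  max_attempts: 4,
  window_in_minutes: 60,
  exponential_factor: 4,
  window_max_minutes: 1_440,
}.freeze

class UserIpRateLimiter
  Entry = Struct.new(:attempts, :expires_at)

  # store: any Hash-like object (a Redis client would replace it in production).
  # clock: injectable so the lockout timing can be checked deterministically.
  def initialize(config = BACKUP_CODE_USER_ID_PER_IP, store: {}, clock: -> { Time.now })
    @config = config
    @store = store
    @clock = clock
  end

  # Keying on both dimensions means one IP spraying many accounts, or many IPs
  # targeting one account, is counted per (user, ip) pair (assumed key layout).
  def key(user_id, ip)
    "backup_code_user_id_per_ip:#{user_id}:#{ip}"
  end

  # Window after the n-th failed attempt: base * factor^(n-1), capped at max.
  def window_minutes(attempts)
    uncapped = @config[:window_in_minutes] * (@config[:exponential_factor]**(attempts - 1))
    [uncapped, @config[:window_max_minutes]].min
  end

  # Record a failed attempt and extend the window; returns the attempt count.
  def increment!(user_id, ip)
    now = @clock.call
    k = key(user_id, ip)
    entry = @store[k]
    entry = nil if entry && entry.expires_at <= now # an expired window starts fresh
    attempts = (entry ? entry.attempts : 0) + 1
    @store[k] = Entry.new(attempts, now + window_minutes(attempts) * 60)
    attempts
  end

  def limited?(user_id, ip)
    entry = @store[key(user_id, ip)]
    return false if entry.nil? || entry.expires_at <= @clock.call
    entry.attempts >= @config[:max_attempts]
  end

  # Seconds until the pair may try again (0 when not limited).
  def retry_after_seconds(user_id, ip)
    return 0 unless limited?(user_id, ip)
    (@store[key(user_id, ip)].expires_at - @clock.call).to_i
  end
end

# Walk through the PR's scenario with a frozen clock and return, per attempt,
# [attempt, window_minutes, limited?]. Identifiers and IP are constructed.
def lockout_schedule(user_id = 'user-1', ip = '198.51.100.7')
  t0 = Time.utc(2024, 8, 16, 12, 0, 0)
  limiter = UserIpRateLimiter.new(clock: -> { t0 })
  (1..BACKUP_CODE_USER_ID_PER_IP[:max_attempts]).map do |_i|
    attempts = limiter.increment!(user_id, ip)
    [attempts, limiter.window_minutes(attempts), limiter.limited?(user_id, ip)]
  end
end

if $PROGRAM_NAME == __FILE__
  lockout_schedule.each { |a, w, l| puts "attempt #{a}: window #{w} min, limited=#{l}" }
end
```

Running it shows why the testing plan expects a 24-hour lockout after the fourth wrong code: the fourth window would be 60 * 4^3 = 3840 minutes, which the 1_440-minute cap reduces to one day. Because the key includes both the user ID and the IP, the same account from a different address (or a different account from the same address) starts from zero, which is the intended scope of this limiter rather than a replacement for the per-user limit referenced in #10982.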
@aduth aduth requested a review from a team August 16, 2024 12:05

@kevinsmaster5 kevinsmaster5 left a comment


Rate limit is working on local.
LGTM

@aduth aduth merged commit c44f12a into main Aug 16, 2024
2 checks passed
@aduth aduth deleted the aduth-lg-14078-rate-limit-backup-codes branch August 16, 2024 17:06