LG-13689: Rate-limit sign-in attempts based on IP+user ID

[aduth]

🎫 Ticket

LG-13689

🛠 Summary of changes

Adds additional rate-limiting to the sign-in page to limit attempts based on a combination of user and IP address.

In doing so, it enhances RateLimiter class to support exponentially-scaling rate-limit expirations, including maximum period.

📜 Testing Plan

It will be helpful to adjust local configuration to simplify testing, e.g.

sign_in_user_id_per_ip_attempt_window_exponential_factor: 4
sign_in_user_id_per_ip_attempt_window_in_minutes: 60
sign_in_user_id_per_ip_attempt_window_max_minutes: 1_440
sign_in_user_id_per_ip_max_attempts: 4

With this configuration, it's expected that the lockout would max at 24 hours, which would quickly be hit with an exponential factor of 4:

(1..4).to_a.map { |i| [i, (4 ** (i - 1)).hours] }
# [[1, 1 hour], [2, 4 hours], [3, 16 hours], [4, 64 hours]]

Throughout testing, you can reset your local throttle cache by flushing the Redis store, using rails console:

REDIS_THROTTLE_POOL.with { |client| client.flushdb }

It's also recommended to use a fresh private browsing window to avoid conflicts with max_bad_passwords blocking, or set the configuration for that to a high value:

development:
  max_bad_passwords: 10_000

Verify that you cannot make any attempts past your 4th, and you're locked out for 24 hours:

1. Go to http://localhost:3000
2. Enter a username and password incorrectly 5 times
3. See error message "You have exceeded the maximum sign in attempts. You must wait [~24 hours] before trying again."

👀 Screenshot

[kevinsmaster5]

better labeling than "locked out" imo

[kevinsmaster5]

LGTM. Tested locally and confirm expected outcome.