security: add IP-based login throttling

[anonymoususer72041]

This PR adds a simple brute-force protection for the OpenCATS login by rate-limiting failed login attempts per IP address.

If an IP address has more than 10 failed login attempts within the last 10 minutes, further login attempts from that IP are blocked early (before any credential validation) and a generic error message is shown.

To prevent bypassing the IP throttle by trying random usernames, failed attempts for unknown usernames are now also written to user_login (with user_id = NULL and site_id = 0).

[anonymoususer72041]

The CI failures look like most scenarios end up hitting the login page because the test suite performs many "expected-failure" logins (e.g. DISABLED), which likely creates enough unsuccessful user_login entries from the same IP to trigger the lockout and then blocks subsequent valid logins in later steps.

@RussH would you prefer that I extend the lockout logic to be scoped by IP + user (and/or only count "wrong password" failures), so one user can’t effectively lock out the entire test runner IP?

Alternatively, we could keep the current IP-only behavior and instead clear user_login as part of the test setup to avoid accumulation across scenarios.

Which direction would you like me to take?

[RussH]

If we can get through the testing by clearing the variable at the start of the testing (& I assume we can clear it repeatedly perhaps after each test) lets do that, however we may well find that still doesn't accommodate the large nos of test logon. This seems the simplest approach?

[anonymoususer72041]

This is currently the simplest approach.

Another way could be using the currently unused CATS Test Mode via config.php for CI.