
API needs rate-limiting #625

@vikstrom

Description

@vikstrom

There's no rate-limiting built into the API.
Right now it's possible to freely brute-force login, both with a known existing user (only brute-forcing the password) as well as a "clusterbomb" brute-force where both user and password are guessed.

It doesn't necessarily have to be implemented in the API, since nginx can do it on an IP basis and that may be enough.
But that has to be configured and used in any production environment.
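Per-IP limiting in nginx covers the clusterbomb case (one source spraying many usernames) but not a distributed attack where many sources each try a few passwords against one known account; only a limit keyed on the username catches that. The following is an added example of what an API-side gate covering both cases can look like. It is not the project's code: the limits, window length, class names and the three constructed attack scenarios are all assumptions made for illustration.

```python
"""Per-IP and per-username login rate limiting (added example, not project code)."""
from collections import deque
from dataclasses import dataclass, field

# Assumed limits for illustration; tune to real traffic.
PER_IP_LIMIT = 20       # login attempts per window from one source address
PER_USER_LIMIT = 5      # login attempts per window against one username
WINDOW_SECONDS = 60.0


@dataclass
class SlidingWindowLimiter:
    """Sliding-window log: keeps the timestamps of recent attempts per key."""
    limit: int
    window: float
    _log: dict = field(default_factory=dict)

    def _prune(self, key, now):
        q = self._log.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allowed(self, key, now):
        """True if `key` still has budget in the window ending at `now`."""
        return len(self._prune(key, now)) < self.limit

    def record(self, key, now):
        """Count one attempt against `key`."""
        self._prune(key, now).append(now)


@dataclass
class LoginGate:
    """Gate placed in front of password verification (hypothetical name)."""
    by_ip: SlidingWindowLimiter = field(
        default_factory=lambda: SlidingWindowLimiter(PER_IP_LIMIT, WINDOW_SECONDS))
    by_user: SlidingWindowLimiter = field(
        default_factory=lambda: SlidingWindowLimiter(PER_USER_LIMIT, WINDOW_SECONDS))

    def check(self, ip, username, now):
        """Return (allowed, reason). Both buckets are consulted before either
        is charged, so a denied attempt does not consume budget elsewhere.
        Usernames are normalised so 'Alice' and 'alice' share a bucket
        (assumes the application treats usernames case-insensitively)."""
        user_key = username.strip().lower()
        if not self.by_user.allowed(user_key, now):
            return False, "user"        # one account hammered, from any number of IPs
        if not self.by_ip.allowed(ip, now):
            return False, "ip"          # one source spraying many usernames
        self.by_user.record(user_key, now)
        self.by_ip.record(ip, now)
        return True, "ok"


def run_scenario(attempts):
    """Feed constructed (ip, username, t) attempts through a fresh gate and
    count outcomes."""
    gate = LoginGate()
    counts = {"allowed": 0, "denied_user": 0, "denied_ip": 0}
    for ip, user, t in attempts:
        ok, reason = gate.check(ip, user, t)
        counts["allowed" if ok else "denied_" + reason] += 1
    return counts


def known_user_bruteforce():
    """Constructed scenario: attacker knows 'alice' exists; 30 password
    guesses from one IP, one second apart."""
    return run_scenario([("198.51.100.7", "alice", float(i)) for i in range(30)])


def clusterbomb():
    """Constructed scenario: one IP guesses 100 distinct usernames, one
    attempt each, 0.1 s apart."""
    return run_scenario([("198.51.100.7", f"user{i}", i * 0.1) for i in range(100)])


def distributed_single_account():
    """Constructed scenario: 30 different IPs each try one password against
    'alice'. Invisible to a pure per-IP limit, caught by the per-user bucket."""
    return run_scenario([(f"203.0.113.{i}", "alice", float(i)) for i in range(30)])


if __name__ == "__main__":
    for name, fn in [("known user", known_user_bruteforce),
                     ("clusterbomb", clusterbomb),
                     ("distributed", distributed_single_account)]:
        print(f"{name:12s} {fn()}")
```

The in-memory dictionaries only work for a single API process; behind several workers the same logic needs a shared store such as Redis, otherwise each worker grants the full budget independently. If the nginx route is taken instead, `limit_req_zone` keyed on `$binary_remote_addr` together with `limit_req` on the login location gives the per-IP half of this, and a per-username limit would still have to live in the application.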

Metadata

Assignees: (none)
Labels: (none)
Type: No type
Projects: No projects
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests