Limit front-end login attempts

[pavlenex]

It's a good idea to have a way to limit brute-force login attempts on the front-end of BTCPay.

I'm sure many users or even admins won't set 2FA or if we implement U2F (as I suggested earlier in #53).

My suggestions :

• Limit the number of logins and lock account after few attempts for a certain time or require email verification
• Add google anti-spam "are you a robot" verification

[Kukks]

@bitcoinshirt BTCPayServer uses Asp.Net Identity Core internally which supports lockout. Pr is attached for nicolas to decide. :)

[pavlenex]

@Kukks Can you clarify how it will work?
A. Lock the account for x minutes after y attempts?
B. Lock the account entirely and require e-mail verification?

[Kukks]

It's not that elaborate @bitcoinshirt
The mechanism allows us to configure how many times a user can attempt to login with credentials before a locking cooldown period is enabled.
The default settings are:

• 5 minutes cooldown period
• 5 attempts to trigger lockdown