Add rate-limit of TOTP authentication attempts at controller level

[ClearlyClaire]

We already have IP and user-based rate-limits in our rack-attack config, but this adds a stricter per-user rate-limit at the controller level.

[renchap]

For anyone curious about this, there is already an IP-based rate-limit on this endpoint, enforced by rack-attack, but this adds a stricter per-user rate-limit.

This is only triggered once the used correctly used their password and are entering their 2FA, so it cant be used to lock out a specific user (unless you know their password, which should not happen).

[codecov]

Codecov Report

Attention: 3 lines in your changes are missing coverage. Please review.

Comparison is base (09f76c5) 84.86% compared to head (c3e165c) 85.15%.
Report is 12 commits behind head on main.

❗ Current head c3e165c differs from pull request most recent head e3828c3. Consider uploading reports for the commit e3828c3 to get more accurate results

Files	Patch %	Lines
...concerns/auth/two_factor_authentication_concern.rb	0.00%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #28801      +/-   ##
==========================================
+ Coverage   84.86%   85.15%   +0.28%     
==========================================
  Files        1038     1038              
  Lines       28169    28361     +192     
  Branches     4531     4590      +59     
==========================================
+ Hits        23906    24150     +244     
+ Misses       3103     3047      -56     
- Partials     1160     1164       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.