feat(auth): handle account lockout UI + show last login #3675

@PierreBrisorgueil

Context

The Node stack is adding account lockout and lastLoginAt tracking (see pierreb-devkit/Node#3217). The Vue stack needs to handle the new API responses.

Backend reference

See pierreb-devkit/Node#3217 for the full backend spec:

  • After 5 failed login attempts → account locked for 30 min
  • Locked account returns 423 Locked with message
  • Successful login resets counter and updates lastLoginAt
  • User object now includes lastLoginAt field

Vue changes needed

1. Lockout error handling on signin

When the signin API returns HTTP 423:

  • Display a clear error message: "Account temporarily locked after too many failed attempts. Try again in X minutes."
  • Disable the submit button with a countdown timer (if the API returns lockUntil)
  • Do NOT reveal whether the account exists (same UX for 401 and 423 if security-conscious, but lockout is acceptable to show since the user already knows their email)

2. Failed attempt warning (optional)

If the API returns remaining attempts info (e.g. { remainingAttempts: 2 }):

  • Show a warning: "2 attempts remaining before temporary lock"

3. Last login display

  • The user object from /api/auth/token or /api/users/me now includes lastLoginAt
  • Display in the user profile or account settings: "Last login: March 10, 2026 at 14:32"
  • Optional: show in admin dashboard for user management

Auth store updates

  • Handle 423 status in signin error handler
  • Store lastLoginAt from user object
  • Format with locale-aware date (use existing i18n/dayjs if available)
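An added example that is not part of the issue or of the pierreb-devkit Vue stack: a framework-agnostic helper module that an auth store could call to map the signin responses described above to form state. The response shapes (`lockUntil`, `remainingAttempts`, `user.lastLoginAt`), the status codes 423/401 and the `now` parameter are assumptions modelled on the issue text; the backend may name its fields differently.

```javascript
// Added example, not code from the pierreb-devkit repos.
// Assumed response bodies (hypothetical, modelled on the issue text):
//   423 -> { message, lockUntil?: ISO string }        lockUntil is optional
//   401 -> { message, remainingAttempts?: integer }   remainingAttempts is optional
//   200 -> { user: { email, lastLoginAt?: ISO string } }

const HTTP_UNAUTHORIZED = 401;
const HTTP_LOCKED = 423;

const LOCKED_PREFIX = 'Account temporarily locked after too many failed attempts.';

// Whole seconds left on a lock; 0 when the lock is absent, already expired or unparseable.
// `now` is injectable so a countdown tick and tests are deterministic.
function remainingLockSeconds(lockUntil, now = new Date()) {
  const until = lockUntil ? new Date(lockUntil) : null;
  if (!until || Number.isNaN(until.getTime())) return 0;
  return Math.max(0, Math.ceil((until.getTime() - now.getTime()) / 1000));
}

// Map a failed signin response to what the signin form needs to render.
function signinErrorState(status, body = {}, now = new Date()) {
  if (status === HTTP_LOCKED) {
    const seconds = remainingLockSeconds(body.lockUntil, now);
    // Round up so a lock with 29m30s left reads "30 minutes" rather than "29".
    const minutes = Math.ceil(seconds / 60);
    return {
      kind: 'locked',
      // Only disable the button when the API told us how long the lock lasts;
      // an expired or clock-skewed lockUntil must never leave the form stuck.
      submitDisabled: seconds > 0,
      lockUntil: seconds > 0 ? new Date(body.lockUntil) : null,
      message: seconds > 0
        ? `${LOCKED_PREFIX} Try again in ${minutes} minutes.`
        : `${LOCKED_PREFIX} Try again later.`,
      warning: null,
    };
  }
  if (status === HTTP_UNAUTHORIZED) {
    const remaining = Number.isInteger(body.remainingAttempts) ? body.remainingAttempts : null;
    return {
      kind: 'invalid',
      submitDisabled: false,
      lockUntil: null,
      // Same generic wording whether or not the account exists.
      message: 'Invalid email or password.',
      warning: remaining !== null
        ? `${remaining} attempts remaining before temporary lock`
        : null,
    };
  }
  return { kind: 'error', submitDisabled: false, lockUntil: null,
           message: 'Sign in failed. Please try again.', warning: null };
}

// "Last login: March 10, 2026 at 14:32" via Intl; timeZone is pinned so output is
// reproducible, a real store would pass the user's locale/zone from i18n settings.
function formatLastLogin(isoString, locale = 'en-US', timeZone = 'UTC') {
  if (!isoString) return null;
  const d = new Date(isoString);
  if (Number.isNaN(d.getTime())) return null;
  const date = new Intl.DateTimeFormat(locale,
    { year: 'numeric', month: 'long', day: 'numeric', timeZone }).format(d);
  const time = new Intl.DateTimeFormat(locale,
    { hour: '2-digit', minute: '2-digit', hourCycle: 'h23', timeZone }).format(d);
  return `Last login: ${date} at ${time}`;
}

// Successful login: keep the user and a display-ready lastLoginAt in store state.
function signinSuccessState(body, locale, timeZone) {
  const user = body && body.user ? body.user : null;
  return {
    user,
    lastLoginAt: user && user.lastLoginAt ? user.lastLoginAt : null,
    lastLoginLabel: user ? formatLastLogin(user.lastLoginAt, locale, timeZone) : null,
  };
}

module.exports = { remainingLockSeconds, signinErrorState, formatLastLogin, signinSuccessState };
```

In a component, `signinErrorState` would run in the store's signin catch block and `remainingLockSeconds(state.lockUntil)` would be re-evaluated on a one-second interval to drive the countdown, re-enabling the button once it reaches zero.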

Labels: P2 (Important — depends on P1), phase:2-orgs (Phase 2: Multi-tenancy & Organizations)
