0.22.0-dl

@LarsSven LarsSven tagged this 13 Apr 21:25
This PR adds a new property to users: allowed_ip_range. If someone
tries to log into that user from outside the IP range, the login will be
rejected. There are quite a few use cases for this:
1. Companies who want to harden their security by restricting login from
their on-site locations.
2. Only allow SSH/kubectl access from the CI (so if someone manages to
extract the warpgate access token from the CI, they still can't use it)
3. A very niche use case that we need it for: Running student exams
through warpgate, where students should only be logging in from the exam
hall.

The main reason to have this over for example firewall-level tightening
is that it can be configured per user. So for us for example we don't
want students to log in outside the exam hall, but we still want to be
able to get in ourselves outside the exam PCs.

I've paid special attention to making sure this works nicely with SSO
too. I also tried to get the SSH session to print out a message
explaining why the auth was rejected, but I didn't manage to do that, so
it just says "password rejected" when the SSH session is rejected due to
the IP restriction.


Closes #1545

---------

Co-authored-by: Eugene <inbox@null.page>
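
A sketch of the per-user check the commit message above describes, added here as an example; it is not Warpgate's code. It assumes `allowed_ip_range` holds a single CIDR block, and `Cidr`, `to_bits` and `login_allowed` are hypothetical names. It normalises IPv4-mapped IPv6 peers, which a dual-stack listener can report for IPv4 clients, and fails closed on an unparseable range.

```rust
use std::net::IpAddr;

/// CIDR block held as a 128-bit network and mask (IPv4 lives under ::ffff:0:0/96).
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Cidr { net: u128, mask: u128 }

/// Normalise both address families to u128 so that an IPv4-mapped IPv6 peer
/// (::ffff:a.b.c.d) compares equal to its plain IPv4 form.
fn to_bits(ip: IpAddr) -> u128 {
    match ip {
        IpAddr::V4(v4) => u128::from(v4.to_ipv6_mapped()),
        IpAddr::V6(v6) => u128::from(v6),
    }
}

impl Cidr {
    pub fn parse(s: &str) -> Option<Cidr> {
        let (addr, len) = match s.trim().split_once('/') {
            Some((a, l)) => (a.parse::<IpAddr>().ok()?, Some(l.parse::<u32>().ok()?)),
            None => (s.trim().parse::<IpAddr>().ok()?, None), // bare address = single host
        };
        let (max, offset) = if addr.is_ipv4() { (32, 96) } else { (128, 0) };
        let len = len.unwrap_or(max);
        if len > max { return None; } // e.g. "/33" on an IPv4 range
        let prefix = len + offset; // prefix length in the 128-bit space
        let mask = if prefix == 0 { 0 } else { u128::MAX << (128 - prefix) };
        Some(Cidr { net: to_bits(addr) & mask, mask })
    }
    pub fn contains(&self, ip: IpAddr) -> bool { to_bits(ip) & self.mask == self.net }
}

/// Hypothetical per-user check: `None` means the user has no restriction;
/// a range that does not parse rejects the login (fail closed).
pub fn login_allowed(allowed_ip_range: Option<&str>, peer: IpAddr) -> bool {
    match allowed_ip_range {
        None => true,
        Some(range) => Cidr::parse(range).map_or(false, |c| c.contains(peer)),
    }
}

fn main() {
    // Constructed sample values from the documentation address ranges.
    let exam_hall = Some("192.0.2.0/24");
    for peer in ["192.0.2.17", "::ffff:192.0.2.17", "198.51.100.9"] {
        println!("{peer}: {}", login_allowed(exam_hall, peer.parse().unwrap()));
    }
}
```

The check only means something if `peer` is the address of the actual TCP connection, or a forwarded-for value taken from a proxy the deployment explicitly trusts.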