issue2550949: Rate limit password guesses/login attempts. Generic rate limit mechanism added. Deployed for web page logins. Default is 3 login attempts/minute for a user. After which one login attempt every 20 seconds can be done. Uses gcra algorithm so all I need to store is a username and timestamp in the one time key database. This does mean I don't have a list of all failed login attempts as part of the rate limiter. Set up config setting as well so admin can tune the rate. Maybe 1 every 10 seconds is ok at a site with poor typists who need 6 attempts to get the password right 8-). The gcra method can also be used to limit the rest and xmlrpc interfaces if needed. The mechanism I added also supplies a status method that calculates the expected values for http headers returned as part of rate limiting. Also tests added to test all code paths I hope.

--- a/CHANGES.txt	Sun Apr 28 18:44:05 2019 -0400
+++ b/CHANGES.txt	Sat May 11 17:24:58 2019 -0400
@@ -78,6 +78,10 @@
   nosymessage before it gets sent. See issue:
   https://issues.roundup-tracker.org/issue2551018 for example
   nosyreaction and generated email. (Tom Ekberg (tekberg))
+- issue2550949: Rate limit password guesses/login attempts.  Rate
+  limit mechanism added for web page logins. Default is 3 login
+  attempts/minute for a user. After which one login attempt every 20
+  seconds can be done. (John Rouillard)
 
 Fixed: