
feat: add custom rate limiting for login/signup flow #1881

Open

S-MOHAMMED-ISMAIL wants to merge 3 commits into Priyanshu-byte-coder:main from S-MOHAMMED-ISMAIL:feature-login-rate-limit

Conversation

@S-MOHAMMED-ISMAIL
Contributor

Summary

Implemented custom rate limiting for authentication endpoints to provide additional protection against brute-force and excessive login/signup requests.

Closes #1851


Type of Change

  • Bug fix
  • New feature
  • Documentation update
  • Refactor / code cleanup

Changes Made

  • Added rate limiting to authentication routes
  • Applied middleware protection to:
    • /api/auth/signin
    • /api/auth/callback
  • Reused the existing rate limiting infrastructure already used by other API endpoints
  • Returns HTTP 429 Too Many Requests when limits are exceeded
  • Includes Retry-After response headers
  • Uses separate limits for authenticated and anonymous users


How to Test

  1. Run the application locally
  2. Attempt repeated requests to /api/auth/signin
  3. Verify requests are allowed until the configured limit is reached
  4. Confirm a 429 response is returned after exceeding the limit
  5. Verify the Retry-After header is present in the response
  6. Confirm normal authentication behavior remains unchanged below the limit

Screenshots (if UI change)

N/A


Checklist

  • Linked issue in summary
  • npm run lint passes locally
  • No TypeScript errors introduced
  • Self-reviewed the diff
  • Added/updated tests if applicable

Additional Notes

This change brings login/signup security in line with other rate-limited endpoints in DevTrack and helps reduce the risk of brute-force authentication attempts.
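The diff itself is not shown on this page, so the following is an added, framework-independent TypeScript sketch of the behaviour the description lists (separate anonymous/authenticated limits, 429 on exceed, Retry-After header) for the two routes named above. It is example code, not DevTrack's middleware: the limit values, the `AuthRequest` shape and the helper names (`checkRateLimit`, `limitAuthRequest`, `resetRateLimits`) are assumptions.

```typescript
// Added example: fixed-window rate limiter for authentication routes.
// Not the project's code; policy values and names below are assumptions.

type Tier = "anonymous" | "authenticated";

interface TierPolicy {
  limit: number;    // maximum requests allowed per window
  windowMs: number; // window length in milliseconds
}

// Assumed policy: unauthenticated callers get a much tighter budget,
// since brute-force attempts against signin arrive without a session.
const POLICIES: Record<Tier, TierPolicy> = {
  anonymous: { limit: 5, windowMs: 60_000 },
  authenticated: { limit: 20, windowMs: 60_000 },
};

interface Bucket {
  count: number;   // requests seen in the current window
  resetAt: number; // epoch ms at which the window ends
}

// Per-process store; see the usage note about multi-instance deployments.
const buckets = new Map<string, Bucket>();

interface RateLimitDecision {
  allowed: boolean;
  remaining: number;
  retryAfterSeconds: number; // 0 when the request is allowed
  resetAt: number;
}

function checkRateLimit(key: string, tier: Tier, now: number = Date.now()): RateLimitDecision {
  const policy = POLICIES[tier];
  // Namespace by tier so an IP-keyed bucket can never collide with a user-keyed one.
  const bucketKey = `${tier}:${key}`;
  let bucket = buckets.get(bucketKey);
  if (bucket === undefined || now >= bucket.resetAt) {
    bucket = { count: 0, resetAt: now + policy.windowMs };
    buckets.set(bucketKey, bucket);
  }
  if (bucket.count >= policy.limit) {
    // Retry-After is whole seconds; round up so the client never retries early.
    const retryAfterSeconds = Math.max(1, Math.ceil((bucket.resetAt - now) / 1000));
    return { allowed: false, remaining: 0, retryAfterSeconds, resetAt: bucket.resetAt };
  }
  bucket.count += 1;
  return { allowed: true, remaining: policy.limit - bucket.count, retryAfterSeconds: 0, resetAt: bucket.resetAt };
}

// Minimal request shape so the example runs without a web framework (assumed).
interface AuthRequest {
  path: string;    // e.g. "/api/auth/signin"
  ip: string;      // client address as determined by the trusted proxy layer
  userId?: string; // present once the caller already has a session
}

interface LimitedResponse {
  status: number;
  headers: Record<string, string>;
}

// The two routes the PR description says are protected.
const PROTECTED_PATHS = new Set(["/api/auth/signin", "/api/auth/callback"]);

// Returns a 429 response when the caller is over budget, or null to let the route run.
function limitAuthRequest(req: AuthRequest, now: number = Date.now()): LimitedResponse | null {
  if (!PROTECTED_PATHS.has(req.path)) return null;
  const tier: Tier = req.userId !== undefined ? "authenticated" : "anonymous";
  const key = req.userId ?? req.ip;
  const decision = checkRateLimit(key, tier, now);
  if (decision.allowed) return null;
  return {
    status: 429,
    headers: {
      "Retry-After": String(decision.retryAfterSeconds),
      "X-RateLimit-Limit": String(POLICIES[tier].limit),
      "X-RateLimit-Remaining": "0",
    },
  };
}

// Test/ops helper: drop all counters.
function resetRateLimits(): void {
  buckets.clear();
}
```

Two caveats a reviewer would check in the real middleware: an in-memory `Map` is per process, so on a platform that runs several instances (the Vercel deployment mentioned below, for example) the budget must live in a shared store or each instance enforces its own independent limit; and keying anonymous callers by IP is only as good as the proxy layer that sets the client address, so the value must come from a trusted header rather than one the client controls.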

@vercel

vercel Bot commented Jun 2, 2026

@S-MOHAMMED-ISMAIL is attempting to deploy a commit to the PRIYANSHU DOSHI's projects Team on Vercel.

A member of the Team first needs to authorize it.

github-actions Bot added the labels gssoc26 (GSSoC 2026 contribution) and type:feature (GSSoC type bonus: new feature) on Jun 2, 2026
@github-actions

github-actions Bot commented Jun 2, 2026

GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

  • level:beginner — 20 pts
  • level:intermediate — 35 pts
  • level:advanced — 55 pts
  • level:critical — 80 pts

Quality (optional):

  • quality:clean — ×1.2 multiplier
  • quality:exceptional — ×1.5 multiplier

Validation (required to score):

  • gssoc:approved — counts for points
  • gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus

@S-MOHAMMED-ISMAIL
Contributor Author

Implemented the requested rate limiting changes for authentication routes and verified that all CI checks are passing. Looking forward to feedback. Thanks!

Priyanshu-byte-coder added the labels gssoc:approved (GSSoC: PR approved for scoring) and level:intermediate (GSSoC: Intermediate difficulty, 35 pts) on Jun 3, 2026

Labels

  • gssoc:approved (GSSoC: PR approved for scoring)
  • gssoc26 (GSSoC 2026 contribution)
  • level:intermediate (GSSoC: Intermediate difficulty, 35 pts)
  • type:feature (GSSoC type bonus: new feature)

Development

Successfully merging this pull request may close these issues.

[FEATURE] Add Custom Rate Limiting for Login/Signup Flow
