
fix(#11090): remove password from rate limiter lookup keys #11091

Open
YASHSHARMAOFFICIALLY wants to merge 1 commit into medic:master from YASHSHARMAOFFICIALLY:11090-remove-password-from-rate-limit-keys

Conversation

@YASHSHARMAOFFICIALLY (Contributor) commented May 18, 2026

Summary

  • Remove the raw password from the set of keys used by the login rate limiter, preventing cross-account lockout when multiple users share the same password.
  • Update tests to reflect the reduced key set (IP + username only).

Fixes #11090
Related to #10705

Context

The rate limiter in api/src/services/rate-limit.js uses multiple keys per request: IP, username, and password. When any single key exhausts its 10-attempt budget within 10 seconds, all subsequent requests matching that key are blocked.

Because the raw password is used as a key, all accounts sharing the same password share a rate limit bucket. An attacker can lock out every account with a given password by sending 10 failed login requests with any username and that password. This is especially relevant in CHT deployments where administrators provision devices for community health workers and password patterns may overlap.

The combination of IP + username is sufficient to prevent brute-force attacks against individual accounts.

Changes

api/src/services/rate-limit.js

  • Removed req.body.password and basicAuth.password from getKeys().

api/tests/mocha/services/rate-limit.spec.js

  • Updated isLimited tests: adjusted call counts and removed password key assertions.
  • Updated consume tests: adjusted call counts and removed password key assertions.

Test plan

  • All 7 rate-limit service tests pass.
  • All 5 rate-limiter middleware tests pass.
  • Rate limiting still works correctly by IP and username.

The rate limiter included the raw password as a rate limit key.
This caused all login attempts sharing the same password to share
a single rate limit bucket, enabling cross-account lockout
regardless of username or IP address.

Rate limiting by IP and username is sufficient to prevent
brute-force attacks against individual accounts.
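To make the lockout mechanism concrete, here is an added example that is not the CHT project's code and is not the contents of api/src/services/rate-limit.js. It models the behaviour the PR describes (one counter per key, a 10-attempt budget in a 10-second window, a request blocked when any key is exhausted) with an in-memory Map, assumes a request shape of `{ ip, body: { username, password } }`, and omits the HTTP Basic auth key source mentioned in the PR. `getKeysBefore` mirrors the pre-fix key set including the raw password; `getKeysAfter` mirrors the fixed IP + username set. The two simulation helpers show that the shared-password bucket lets failed attempts against unrelated usernames block a victim, while the fixed key set still limits repeated attempts against a single account.

```javascript
// Added example, not the CHT rate limiter itself. Constants follow the PR
// description: 10 attempts per key within 10 seconds.
const MAX_ATTEMPTS = 10;
const WINDOW_MS = 10 * 1000;

// Pre-fix key derivation as the PR describes it: IP, username and raw password.
function getKeysBefore(req) {
  return [req.ip, req.body.username, req.body.password].filter(Boolean);
}

// Post-fix key derivation: IP and username only.
function getKeysAfter(req) {
  return [req.ip, req.body.username].filter(Boolean);
}

class RateLimiter {
  // getKeys: request -> array of bucket keys; now: injectable clock for tests.
  constructor(getKeys, now = () => Date.now()) {
    this.getKeys = getKeys;
    this.now = now;
    this.buckets = new Map(); // key -> { count, windowStart }
  }

  // Return the live bucket for a key, starting a fresh window if the old one expired.
  bucketFor(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b || t - b.windowStart >= WINDOW_MS) {
      b = { count: 0, windowStart: t };
      this.buckets.set(key, b);
    }
    return b;
  }

  // A request is limited as soon as any one of its keys has used its budget.
  isLimited(req) {
    return this.getKeys(req).some(k => this.bucketFor(k).count >= MAX_ATTEMPTS);
  }

  // Record a failed attempt against every key derived from the request.
  consume(req) {
    for (const k of this.getKeys(req)) {
      this.bucketFor(k).count += 1;
    }
  }
}

// Cross-account scenario from the PR: MAX_ATTEMPTS failed logins with throwaway
// usernames and one password, then a check on whether an unrelated user who
// happens to share that password (different IP, different username) is blocked.
// All IPs, usernames and the password are constructed sample values.
function simulateLockout(getKeys) {
  const limiter = new RateLimiter(getKeys);
  const sharedPassword = 'constructed-shared-secret';
  for (let i = 0; i < MAX_ATTEMPTS; i++) {
    limiter.consume({ ip: '203.0.113.10', body: { username: `bogus${i}`, password: sharedPassword } });
  }
  const victim = { ip: '198.51.100.7', body: { username: 'chw-alice', password: sharedPassword } };
  return limiter.isLimited(victim);
}

// Single-account scenario: MAX_ATTEMPTS failed logins against one username from
// one IP, each with a different password, then a check on the next attempt.
function simulateBruteForce(getKeys) {
  const limiter = new RateLimiter(getKeys);
  for (let i = 0; i < MAX_ATTEMPTS; i++) {
    limiter.consume({ ip: '203.0.113.10', body: { username: 'chw-alice', password: `guess${i}` } });
  }
  return limiter.isLimited({ ip: '203.0.113.10', body: { username: 'chw-alice', password: 'guess-next' } });
}

console.log('victim locked out, password key present:', simulateLockout(getKeysBefore)); // true
console.log('victim locked out, password key removed:', simulateLockout(getKeysAfter));  // false
console.log('single account limited, before fix:', simulateBruteForce(getKeysBefore));   // true
console.log('single account limited, after fix:', simulateBruteForce(getKeysAfter));     // true
```

The second pair of results is the check a reviewer would want alongside the fix: dropping the password key removes the shared bucket without weakening per-account limiting, because the username and IP buckets are untouched.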


Development

Successfully merging this pull request may close these issues.

Rate limiter uses raw password as lookup key, enabling cross-account lockout
