- Created RateLimitMiddleware class with 8 public methods
* isLimited() - check if limit exceeded
* incrementAttempt() - increment attempt counter
* getRemainingAttempts() - get remaining attempts
* getTimeRemaining() - get time remaining in window
* reset() - reset counter after success
* requireLimit() - check and die if exceeded
* getStatus() - get status info for monitoring
* Support for time-window based rate limiting
- Integrated rate limiting into critical endpoints:
* validate_login.php: 5 attempts per 900 seconds (15 minutes)
* send_reset_link.php: 3 attempts per 1800 seconds (30 minutes)
* Prevents brute force attacks and password reset abuse
* Still increments counter for non-existent emails (prevents enumeration)
- Integrated session regeneration on successful login:
* Google OAuth login (both new and existing users)
* Email/password login
* Uses AuthenticationService::regenerateSession()
* Prevents session fixation attacks
- Rate limit counters stored in PHP session
- Time-window based with 15-minute and 30-minute windows
- Graceful error messages with retry_after in JSON responses
- AJAX-aware error handling
