Build Account Lockout Functionality

[devondragon]

Add functionality to allow for an easily configurable anti-brute force mechanism.

Track failed logins by account and by IP, and setup thresholds for locking the account and requiring either email or 2FA validation or admin unlock.

[devondragon]

Thinking this through there should probably be two separate mechanisms here:

1. An IP based system for blocking general brute force attacks. For now I'm thinking this should be an in-memory based counter versus a database backed counter. The downside is that if you have a large fleet of app servers you could process more requests than desirable before blocking the IP, however the upside is dodging a significant performance hit.
2. A login based system, to prevent more targeted attacks. This should probably be in the DB and a counter on the user profile.

[devondragon]

Note: I apparently laid some ground work for mechanism 1 (above) 6 months ago in the LoginAttemptService class. I will expand on that.

[create-issue-branch[bot]]

Branch issue-29-Build-Account-Lockout-Functionality created!

[devondragon]

Tracking the user IP through the authentication event system requires some custom work here. I hope other people find this useful:)

[devondragon]

Adding IP info into the auth event for success is doable, but doing it for failure events is much harder/impossible due to all the private methods and variables in the DefaultAuthenticationEventPublisher. So I think this ticket will ONLY be about item number 2 in the first comment.

I will add a separate ticket to look at IP based resource rate limiting as a whole feature, not specific to the Authentication system. #57

[devondragon]

Done and merged in!