config: defaults for account opertion rate-limit

[slint]

Do we want to have a "sane" default for:

• ACCOUNTS_FORGOT_PASSWORD_EMAIL_RATELIMIT
• ACCOUNTS_LOGIN_RATELIMIT
• ACCOUNTS_SEND_CONFIRMATION_RATELIMIT

Context

We're not sure if Flask-Limiter is enabled by default in all instances... In invenio-app we always initialize the extension, but not sure if there's another config flag that actually "enables" it.

We wanted to go around this assumption by not configuring any of the limits here. This is something we could do e.g. in invenio-app-rdm though where we have already configured e.g. Redis for the rate-limiting storage.

Originally posted by @ntarocco in #544 (comment)

[tmorrell]

I believe flask-limiter is enabled by default, since we had to manage the rates right when we started migrating. It's the RATELIMIT_ENABLED variable .... but at the moment I can't find where the default is set.

I think we should set sensible defaults, since it's less things to explain to people when setting up the repo. They can always adjust them if they run into issues.

[slint]

For reference for Zenodo we set something like this:

# Auth operations rate limits
ACCOUNTS_LOGIN_RATELIMIT = "5 per minute; 30 per day"
ACCOUNTS_FORGOT_PASSWORD_EMAIL_RATELIMIT = "3 per minute; 10 per day"
ACCOUNTS_SEND_CONFIRMATION_RATELIMIT = "3 per minute; 10 per day"

Basically, login allows 30 per day in case someone fat-fingered their password a few times. For the rest it's also a matter of allowing users to retry in case the service itself for some reason fails to send the email.