Add per-IP rate limiting (login + general API)

internal/auth/routes.go

@@ -2,6 +2,7 @@ package auth
 
 import (
 	"ResendIt/internal/api/middleware"
+	"time"
 
 	"github.com/gin-gonic/gin"
 )
@@ -9,7 +10,9 @@ import (
 func RegisterRoutes(r *gin.RouterGroup, h *Handler) {
 	auth := r.Group("/auth")
 
-	auth.POST("/login", h.Login)
+	// Stricter rate limit on login to reduce brute-force / log spam.
+	// 5 attempts per minute per IP, burst 10.
+	auth.POST("/login", middleware.RateLimitByIP(5, time.Minute, 10, 15*time.Minute), h.Login)
 
 	protected := auth.Group("/")
 	protected.Use(middleware.AuthMiddleware())