
enhance: replace signin CAPTCHA with rate limit

What

Instead of solving a CAPTCHA, the signin endpoint uses a rate limit. For this to work the rate limiter code had to be slightly adjusted to also work with IP addresses if no user has yet signed in. With this adjustment it might be possible to rate limit other API endpoints in the future as well, without requiring signing in.

Why

Additional info

Applications which are using this endpoint should be aware that it is not strictly a part of the API. The native login token that gets returned from this endpoint gives special privileges due to the secure flag on some endpoints. This includes for example: 2FA setup, data import & export, app authentication, miauth, account deletion.

But these capabilities may be desired for alternative front ends.
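The limiter adjustment described under "What" (key on the signed-in user, fall back to the client IP when no user is known yet, such as on signin) can be sketched as follows. This is an added example, not the merge request's code; the names `RateLimiter`, `LimitSpec`, `RequestContext`, `limiterKey`, the signin limit of 5 attempts per minute and the sample IP addresses are all assumptions made for illustration.

```typescript
// Added example (not the project's code): a sliding-window rate limiter whose
// bucket key is the account id when a user is signed in and the client IP
// otherwise, so anonymous endpoints like signin can be limited too.

interface LimitSpec {
  max: number;      // requests allowed per window
  windowMs: number; // window length in milliseconds
}

interface RequestContext {
  userId?: string | null; // present once a user has signed in
  ip: string;             // socket address or address from a trusted proxy header
}

interface LimitDecision {
  allowed: boolean;
  remaining: number;
  retryAfterMs: number;
}

// Assumed helper: the key is namespaced by endpoint so that a signin burst
// does not consume the budget of unrelated endpoints for the same caller.
function limiterKey(endpoint: string, ctx: RequestContext): string {
  if (ctx.userId) return `${endpoint}:user:${ctx.userId}`;
  return `${endpoint}:ip:${ctx.ip}`;
}

class RateLimiter {
  private hits = new Map<string, number[]>();

  // The clock is injectable so the behaviour can be simulated deterministically.
  constructor(private readonly now: () => number = () => Date.now()) {}

  check(endpoint: string, spec: LimitSpec, ctx: RequestContext): LimitDecision {
    const key = limiterKey(endpoint, ctx);
    const t = this.now();
    const cutoff = t - spec.windowMs;
    // Sliding window: keep only the timestamps that still fall inside the window.
    const recent = (this.hits.get(key) ?? []).filter((ts) => ts > cutoff);
    if (recent.length >= spec.max) {
      this.hits.set(key, recent);
      // The oldest request in the window decides when the next slot frees up.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + spec.windowMs - t };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: spec.max - recent.length, retryAfterMs: 0 };
  }
}

// Assumed policy for the signin endpoint: 5 attempts per minute per key.
const SIGNIN_LIMIT: LimitSpec = { max: 5, windowMs: 60_000 };

interface Simulation {
  burst: LimitDecision[];       // six anonymous attempts from one IP, one second apart
  otherIp: LimitDecision;       // an unrelated IP is not affected
  signedInSameIp: LimitDecision; // a signed-in user behind the same IP gets its own bucket
  afterWindow: LimitDecision;   // the blocked IP is admitted again once the window slides
}

// Constructed scenario using documentation-range addresses (RFC 5737).
function simulateSignin(): Simulation {
  let clock = 1_000_000;
  const limiter = new RateLimiter(() => clock);
  const anon: RequestContext = { ip: "203.0.113.7" };

  const burst: LimitDecision[] = [];
  for (let i = 0; i < 6; i++) {
    burst.push(limiter.check("signin", SIGNIN_LIMIT, anon));
    clock += 1_000;
  }
  const otherIp = limiter.check("signin", SIGNIN_LIMIT, { ip: "198.51.100.9" });
  const signedInSameIp = limiter.check("signin", SIGNIN_LIMIT, { userId: "user-1", ip: anon.ip });

  // Advance just past the first attempt's window so exactly one slot frees up.
  clock = 1_000_000 + 60_001;
  const afterWindow = limiter.check("signin", SIGNIN_LIMIT, anon);

  return { burst, otherIp, signedInSameIp, afterWindow };
}

const sim = simulateSignin();
console.log(sim.burst.map((d) => d.allowed));   // prints [true, true, true, true, true, false]
console.log(sim.burst[5].retryAfterMs);          // prints 55000
```

Two points the fallback key raises in practice: the IP used for the key must be the socket address or one taken from a proxy header the server is configured to trust, otherwise the key is under the caller's control; and because many users can share one address (NAT, carrier-grade NAT), an IP-keyed limit should be generous enough not to lock out a whole network while still stopping a sustained guessing burst.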
