feat(auth): add rate limiting to signup, login, and google-login#1450

Open
Honey-pg wants to merge 1 commit into aryandas2911:main from Honey-pg:feature/auth-rate-limiting

Conversation


@Honey-pg Honey-pg commented Jun 6, 2026

Layer IP and email limits on public auth endpoints and enable trust proxy so rate limiting works correctly behind Render.

📌 Description

Adds rate limiting to /signup, /login, and /google-login to reduce brute-force login attempts, credential stuffing, and signup spam. Limits follow the existing 2FA pattern with a generic error message that does not reveal which limit was hit.

🔗 Related Issue

Closes #1418

🛠 Changes Made

  • Added authByIpLimiter (10 requests / 15 min per IP) for /signup, /login, and /google-login
  • Added authByEmailLimiter (5 requests / 15 min per normalized email) for /signup and /login
  • Refactored shared rate-limit config and reused it for existing 2FA limiters
  • Used ipKeyGenerator for IPv6-safe IP keys (express-rate-limit v8)
  • Enabled trust proxy in server.js so IP-based limits work behind Render

📸 Screenshots (if applicable)

N/A — backend-only change, no UI updates.

✅ Checklist

  • Code runs locally
  • Followed project structure
  • No console errors
  • Properly tested changes
  • Linked the issue

🚀 Notes for Reviewers

  • /google-login is IP-limited only because email is inside the Firebase token and is not available before verification.
  • Login and signup use stacked IP + email limiters; both must pass before the controller runs.
  • Verified manually: 429 on 6th login attempt (same email) and 11th google-login attempt (same IP), with generic "Too many attempts, please try again later" message and RateLimit-* headers.
  • Replace #<issue_number> with the assigned GSSoC issue before opening the PR.
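The stacked IP + email design described above, as an added example that is not the PR's or the project's code: a dependency-free fixed-window limiter standing in for express-rate-limit (no `npm` package needed, so it runs offline against fake `req`/`res` objects), wired the way the PR describes (IP limiter then email limiter on /login, IP limiter only on /google-login, one generic 429 body, RateLimit-* headers). The helper names (`createLimiter`, `buildAuthStack`, `demoEmailLimit`, `demoIpLimit`, `makeReq`, `makeRes`) and the 203.0.113.x / 198.51.100.x addresses are constructed for the example; the IPv6 subnet normalisation that `ipKeyGenerator` provides is deliberately omitted. The trust-proxy demo shows the failure mode the PR's `trust proxy` change addresses: without it every client behind the proxy shares the proxy's address and one bucket.

```javascript
'use strict';

const WINDOW_MS = 15 * 60 * 1000;
const GENERIC_MESSAGE = 'Too many attempts, please try again later';

// Behind a reverse proxy the socket address is the proxy's own; the client is the first
// hop in X-Forwarded-For. Honour that header only when the proxy is trusted, otherwise
// any client can forge it and pick its own bucket.
function clientIp(req, trustProxy) {
  const xff = req.headers['x-forwarded-for'];
  if (trustProxy && typeof xff === 'string' && xff.length > 0) return xff.split(',')[0].trim();
  return req.socket.remoteAddress;
}

// Normalise so "Victim@Example.com " and "victim@example.com" share one bucket.
// Returns undefined when no email is present (e.g. /google-login), which skips this limiter.
function normalizedEmail(req) {
  const raw = req.body && req.body.email;
  if (typeof raw !== 'string') return undefined;
  const email = raw.trim().toLowerCase();
  return email.length > 0 ? email : undefined;
}

// Fixed-window counter per key; `now` is injectable so the window can be advanced in a test.
function createLimiter({ max, windowMs = WINDOW_MS, keyGenerator, now = Date.now }) {
  const buckets = new Map(); // key -> { count, resetAt }
  return function limiter(req, res, next) {
    const key = keyGenerator(req);
    if (key === undefined) return next();
    const t = now();
    let bucket = buckets.get(key);
    if (!bucket || bucket.resetAt <= t) {
      bucket = { count: 0, resetAt: t + windowMs };
      buckets.set(key, bucket);
    }
    bucket.count += 1;
    const resetSeconds = Math.ceil((bucket.resetAt - t) / 1000);
    res.setHeader('RateLimit-Limit', String(max));
    res.setHeader('RateLimit-Remaining', String(Math.max(0, max - bucket.count)));
    res.setHeader('RateLimit-Reset', String(resetSeconds));
    if (bucket.count > max) {
      res.setHeader('Retry-After', String(resetSeconds));
      return res.status(429).json({ message: GENERIC_MESSAGE }); // same text for IP and email limits
    }
    return next();
  };
}

// Express-style chain: each middleware either responds or calls next().
function runStack(middlewares, req, res) {
  let i = 0;
  const next = () => { if (i < middlewares.length) middlewares[i++](req, res, next); };
  next();
  return res;
}

// Minimal hypothetical stand-ins for Express req/res, enough for the limiter.
function makeReq({ remoteAddress, forwardedFor, email }) {
  const headers = forwardedFor ? { 'x-forwarded-for': forwardedFor } : {};
  return { headers, socket: { remoteAddress }, body: email === undefined ? {} : { email } };
}
function makeRes() {
  return {
    statusCode: 200, headers: {}, body: undefined,
    setHeader(name, value) { this.headers[name.toLowerCase()] = value; },
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
}
function authController(req, res) { res.status(200).json({ ok: true }); }

// The PR's layout: /login gets IP then email limiter, /google-login gets the IP limiter only.
function buildAuthStack({ trustProxy, now }) {
  const authByIpLimiter = createLimiter({ max: 10, keyGenerator: (req) => clientIp(req, trustProxy), now });
  const authByEmailLimiter = createLimiter({ max: 5, keyGenerator: normalizedEmail, now });
  return { login: [authByIpLimiter, authByEmailLimiter, authController],
           googleLogin: [authByIpLimiter, authController] };
}

// Credential stuffing against one account from six different client IPs (constructed):
// the IP limiter never trips, the email limiter blocks the sixth attempt, and the bucket
// clears once the 15-minute window has passed.
function demoEmailLimit() {
  let clock = 0;
  const { login } = buildAuthStack({ trustProxy: true, now: () => clock });
  const statuses = [];
  let blocked;
  for (let i = 0; i < 6; i++) {
    const email = i % 2 === 0 ? 'victim@example.com' : ' Victim@Example.com ';
    const req = makeReq({ remoteAddress: '10.0.0.1', forwardedFor: `203.0.113.${i + 1}`, email });
    const res = runStack(login, req, makeRes());
    statuses.push(res.statusCode);
    if (res.statusCode === 429) blocked = res;
  }
  clock = WINDOW_MS; // window expired
  const late = makeReq({ remoteAddress: '10.0.0.1', forwardedFor: '203.0.113.7', email: 'victim@example.com' });
  statuses.push(runStack(login, late, makeRes()).statusCode);
  return { statuses, headers: blocked.headers, body: blocked.body };
}

// Eleven /google-login attempts through a proxy at 10.0.0.1. Trust proxy on + one client IP:
// the eleventh is blocked. Trust proxy on + eleven distinct clients: none are. Trust proxy off:
// everyone is keyed on the proxy's address and the eleventh legitimate user is blocked.
function demoIpLimit({ trustProxy, sameClient }) {
  const { googleLogin } = buildAuthStack({ trustProxy, now: () => 0 });
  const statuses = [];
  for (let i = 0; i < 11; i++) {
    const forwardedFor = sameClient ? '198.51.100.1' : `198.51.100.${i + 1}`;
    statuses.push(runStack(googleLogin, makeReq({ remoteAddress: '10.0.0.1', forwardedFor }), makeRes()).statusCode);
  }
  return statuses;
}
```

One design point worth keeping from the PR when porting this to express-rate-limit: the email limiter is placed after the IP limiter, so a request has to pass both before the controller runs, and because `normalizedEmail` returns `undefined` when the body carries no email the same stack degrades gracefully to IP-only on routes like /google-login where the identity is still inside an unverified token.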


Successfully merging this pull request may close these issues.

Implement Rate Limiting on Login and Signup Endpoints

1 participant