rate limit all password checks - fixes #540

all of these endpoints require the caller to already be logged in, so
it's not really much of a security problem, but it's still safer to
limit any endpoints that can be used to guess the current password

packages/backend/src/server/api/endpoints/i/regenerate-token.ts

@@ -11,10 +11,17 @@ import type { UsersRepository, UserProfilesRepository } from '@/models/_.js';
 import generateUserToken from '@/misc/generate-native-user-token.js';
 import { GlobalEventService } from '@/core/GlobalEventService.js';
 import { DI } from '@/di-symbols.js';
+import ms from 'ms';
 
 export const meta = {
 	requireCredential: true,
 
+	limit: {
+		duration: ms('1hour'),
+		max: 10,
+		minInterval: ms('1sec'),
+	},
+
 	secure: true,
 } as const;