[Wishlist] Login rate limiting, brute force protection, and activity logging with origin detection

Would like a rate limit on the login endpoint (e.g. per account), temporary cooldowns after several failed attempts, or a conditional bot challenge (CAPTCHA) when suspicious behavior is detected.

And an activity log for logins - including where the login is originated from.