In order to better discriminate between short bursts of legitimate
requests and sustained misuse such as user enumeration attacks, we
increase both the rate limit and the interval to 300 per 10 minutes
(instead of 10 per minute).

Additionally, the limit is now configurable in `ApplicationSetting`, so
it can be set per-instance. This is important also in order to avoid
hitting the limit on staging when running tests.

Enable changing the limit via UI or API
Admin users can set the rate limit via the UI (under Admin Area >
Settings > Network) or via the `/application/settings` API.

Allow configuring a user allowlist

Changelog: changed