Implement rate limiting

[Changaco]

This branch implements half of #658 and half of #61, closes #478, and also closes #495.

The proposed rate limits are:

• for verification emails (when a new account is created or an email address is added to an existing account): 5 per day per user, 2 per day per email address
• for email logins: 10 per day per user, 2 per day per unverified email address
• for password logins: 3 per hour per user
• for account creations: 5 per hour per IP address, 15 per 15 minutes per IP network (/16 for IPv4, /32 for IPv6), 15 per 15 minutes per IP version (IPv4 or IPv6)

The hardest part for the account creation rate limits was actually determining the IP address of the request in a reliable way. I ended up implementing the logic in the python app (could be moved upstream to Pando).

Ping @EdOverflow since this is about protecting Liberapay from DoS attacks (and other people from email spam).

Remaining TODO:

• in Rate limiting #658: move the rate limiter to a separate project so others can use it
• in Prevent verification email spam #61: implement an email address blacklist so people being spammed can immediately stop the influx of emails

[Changaco]

I've created an issue about moving stuff upstream into Pando: AspenWeb/pando.py#581.

[EdOverflow]

@Changaco: I am currently reviewing this PR. Are you able to access Gratipay's HackerOne inbox?

[Changaco]

@EdOverflow No. I remember proposing to help with Gratipay's HackerOne a while back, but I wasn't given access.

[Changaco]

If there is no concrete feedback I'm going to merge this soon.

[Changaco]

Rebased on master. Will merge once Travis is green.

[Changaco]

This is now deployed.