allow only 4 failed attempts at entering the email code

to prevent brute forcing

closes #39

app/Provider/Email.php

@@ -101,6 +101,27 @@ public function verify_email_code(ServerRequestInterface $request, ResponseInter
     if(strtolower($usercode) == strtolower($params['usercode'])) {
       return $this->_finishAuthenticate($response);
     } else {
+      $k = 'indielogin:email:usercode:attempts:'.$params['code'];
+      $current_attempts = (redis()->get($k) ?: 0);
+
+      // Allow only 4 failed attempts, then start over.
+      // This prevents brute forcing the code.      
+      if($current_attempts >= 3) {
+        redis()->del('indielogin:email:usercode:'.$params['code']);
+        redis()->del('indielogin:email:'.$params['code']);
+        redis()->del($k);
+
+        $response->getBody()->write(view('auth/email-error', [
+          'title' => 'Error',
+          'error' => 'The session expired',
+          'client_id' => ($_SESSION['login_request']['client_id'] ?? false)
+        ]));
+        return $response;
+      }
+
+      // Increment the counter of failed attempts
+      redis()->setex($k, EMAIL_TIMEOUT, $current_attempts+1);
+
       $response->getBody()->write(view('auth/email-enter-code', [
         'title' => 'Log In via Email',
         'code' => $params['code'],