feat(auth): wire lockout, rate-limit, and constant-time login into both routes

Both POST /login (HTML form) and POST /api/v1/auth/login now flow through
the shared attemptLogin() handler. Locked accounts respond with 401 +
Retry-After (generic body "Invalid credentials" / "Invalid username or
password") so attackers can't use lockout state as a username-existence
oracle.

@fastify/rate-limit registered with global=false; only the two login
routes opt in via per-route rateLimit config. File uploads and downloads
keep full throughput. Custom errorResponseBuilder logs AUTH_RATE_LIMITED
fire-and-forget so fail2ban can pick it up.

createTestApp now accepts Partial<Config> overrides so integration tests
can dial thresholds down without env-var mutation.

tests/helpers/setup.ts

@@ -53,7 +53,7 @@ export interface TestContext {
   cleanup: () => void;
 }
 
-export function createTestApp(): TestContext {
+export function createTestApp(overrides: Partial<Config> = {}): TestContext {
   const tmpDir = mkdtempSync(join(tmpdir(), 'nanodrop-int-'));
   const uploadDir = join(tmpDir, 'uploads');
   const logFile = join(tmpDir, 'test.log');
@@ -74,6 +74,13 @@ export function createTestApp(): TestContext {
     baseUrl: 'http://localhost:3000',
     cookieSecure: false,
     trustProxy: false,
+    lockoutThreshold: 5,
+    lockoutBaseSeconds: 30,
+    lockoutMaxSeconds: 3600,
+    loginMinResponseMs: 0,
+    loginRateLimitMax: 1000,
+    loginRateLimitWindowSeconds: 60,
+    ...overrides,
   };
 
   const app = createServer({ config, db });