feat: Redis-backed rate limiting with stricter auth limits

- Add rate_limit_auth_requests (5/min) and rate_limit_auth_window_seconds (60)
  settings to config.py
- Refactor rate_limit.py to use protocol/ABC pattern with InMemorySlidingWindow
  and RedisSlidingWindow implementations
- Add RedisSlidingWindow using sorted sets for distributed rate limiting
- Add auth_strict_limiter for /auth/* POST endpoints (5 req/min per IP)
- Fall back to in-memory when Redis is unavailable
- Update tests to cover new functionality

Co-Authored-By: Paperclip <noreply@paperclip.ing>

src/cartsnitch_api/config.py

@@ -33,6 +33,9 @@ class Settings(BaseSettings):
     rate_limit_requests: int = 60
     rate_limit_window_seconds: int = 60
     rate_limit_enabled: bool = True
+    rate_limit_auth_requests: int = 5
+    rate_limit_auth_window_seconds: int = 60
+    rate_limit_redis_enabled: bool = True
 
     _PLACEHOLDER_VALUES = {"change-me-in-production"}
 
@@ -72,7 +75,9 @@ class Settings(BaseSettings):
     def normalize_database_url(self):
         """Normalize postgresql:// → postgresql+asyncpg:// for the asyncpg driver."""
         if self.database_url.startswith("postgresql://"):
-            self.database_url = self.database_url.replace("postgresql://", "postgresql+asyncpg://", 1)
+            self.database_url = self.database_url.replace(
+                "postgresql://", "postgresql+asyncpg://", 1
+            )
         return self