When using PAT, rate-limiting should key on the token, not IP

### Current Behavior

Currently, rate-limit is keyed based on `request.sid` (a session id), or falls back to src `ip`.

When accessing the API with a personal access token, `request.sid` isn't set, so the rate-limiting applies to the IP.

We should be keying on the token.

1. when using a PAT, set `request.pat` to a hash(?) of the token. Maybe that's unnecessary and could just be the token
2. in the rate-limit keyGenerator function, fall back to that after `sid`, but before `ip`.

### Expected Behavior

_No response_

### Steps To Reproduce

_No response_

### Environment

- FlowFuse version:
- Node.js version:
- npm version:
- Platform/OS:
- Browser:


### Have you provided an initial effort estimate for this issue?

I have provided an initial effort estimate

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

When using PAT, rate-limiting should key on the token, not IP #6432

Current Behavior

Expected Behavior

Steps To Reproduce

Environment

Have you provided an initial effort estimate for this issue?

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

When using PAT, rate-limiting should key on the token, not IP #6432

Description

Current Behavior

Expected Behavior

Steps To Reproduce

Environment

Have you provided an initial effort estimate for this issue?

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions