fix bypass in rate limiting

thanks to whokilleddb for the report

config/initializers/rack_attack.rb

@@ -18,8 +18,10 @@
 end
 # at some point they'll proceed to testing credentials
 Rack::Attack.throttle("login", limit: 4, period: 60) do |request|
-  request.ip if request.post? &&
-                (request.path == '/login' || request.path == '/login/set_new_password')
+  request.ip if request.post? && (
+                 request.path.start_with?('/login') ||
+                 request.path.start_with?('/login/set_new_password')
+  )
 end
 
 Rack::Attack.throttle("log4j probe", limit: 1, period: 1.week.to_i) do |request|