Add separate RackAttack throttle for /jwt/auth
As noted in #656 (closed), the /jwt/auth endpoint is cheap but heavily hit, and it is sub-optimal to set the rate-limit for all authenticated web (and unauthenticated) traffic to a threshold sufficient for /jwt/auth. If we can exclude that, we can set those base rate-limits much lower, providing additional protective effect against actual malicious or unfortunate traffic.
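The separation proposed above, as an added example that is not part of the original issue or the project's configuration: a plain-Ruby model of fixed-window per-IP throttles (not the RackAttack API) in which `/jwt/auth` has its own counter and is excluded from the base one. The limits, the 60-second period, the throttle names, the `/dashboard` path and the client IP are assumed values chosen for illustration.

```ruby
# Added example: a minimal fixed-window throttle model, not RackAttack itself.
# Limits, periods and throttle names are assumptions for illustration.
JWT_AUTH_PATH = "/jwt/auth"

Throttle = Struct.new(:name, :limit, :period, :matcher)

class ThrottleSet
  def initialize(throttles)
    @throttles = throttles
    @counters = Hash.new(0)
  end

  # Returns the name of the throttle that rejected the request, or nil if allowed.
  def check(ip:, path:, now:)
    @throttles.each do |t|
      next unless t.matcher.call(path)
      key = [t.name, ip, now / t.period] # one counter per client per time window
      @counters[key] += 1
      return t.name if @counters[key] > t.limit
    end
    nil
  end
end

def build_throttles(base_limit:, jwt_limit:)
  ThrottleSet.new([
    # Base throttle skips /jwt/auth, so its volume no longer dictates the base limit.
    Throttle.new(:base_per_ip, base_limit, 60, ->(p) { p != JWT_AUTH_PATH }),
    # Dedicated throttle sized for the cheap, heavily hit endpoint.
    Throttle.new(:jwt_auth_per_ip, jwt_limit, 60, ->(p) { p == JWT_AUTH_PATH }),
  ])
end

# Constructed traffic: one client sends /jwt/auth calls and ordinary page loads
# inside a single window; returns how many requests each throttle rejected.
def simulate(base_limit:, jwt_limit:, jwt_requests:, web_requests:)
  set = build_throttles(base_limit: base_limit, jwt_limit: jwt_limit)
  blocked = Hash.new(0)
  paths = [JWT_AUTH_PATH] * jwt_requests + ["/dashboard"] * web_requests
  paths.each do |path|
    rejected_by = set.check(ip: "192.0.2.10", path: path, now: 1000)
    blocked[rejected_by] += 1 if rejected_by
  end
  blocked
end
```

With a base limit of 10 and a `/jwt/auth` limit of 100, a client making 80 token requests and 5 page loads is never throttled, which a single shared limit of 10 could not allow.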