
Rate limit endpoints that enable user enumeration

What does this MR do and why?

This MR adds rate-limiting to /api/v4/users/id and /users/:username/exists endpoints. The rate limiting is implemented in RackAttack, so the existing mechanisms to allow specific requests are applied. This MR is an alternative to !73069 (merged) (which should be closed without merging if this MR is preferred) and is part of the work towards solving #29040 (closed) (Prior discussion about possible solutions: https://gitlab.com/gitlab-org/gitlab/-/issues/339151#note_740176688)

The rate limit is feature flagged (flag is named throttle_possible_user_enumeration, disabled by default) and the limit and period are configurable via the application settings (defaulting to 300 requests every 5 minutes).

It was proposed (!73069 (comment 730480974)) to have the limit be 10 per 1 minute, but in my opinion legitimate users could hit that limit rather easily. I think that having a higher limit over a longer period of time is better to stop enumeration attacks while not impacting legitimate use: enumeration attacks would typically cause a high number of requests over a long time, while a short burst could be completely legitimate. It is anyway just the default, and different values can be configured.

Migration output: https://gitlab.com/gitlab-org/gitlab/-/jobs/1817278908

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Magdalena Frankiewicz
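As an added illustration, not code from this MR or from GitLab: a minimal fixed-window throttle in the style of a Rack::Attack throttle rule for the two endpoints named above, with the 300-requests-per-5-minutes default and a stand-in for the feature-flag gate. The class and method names, the in-memory counter, the injected clock and the assumption that the user-id path segment is numeric are mine.

```ruby
# Added example (not the MR's code): a fixed-window throttle, in the style of
# a Rack::Attack throttle rule, for the two endpoints the MR covers.
# The endpoint paths, the default limit (300) and period (5 minutes) come
# from the MR description; the class name, the in-memory counter, the clock
# injection and the numeric :id assumption are illustrative assumptions.
class UserEnumerationThrottle
  USER_ID_PATH  = %r{\A/api/v4/users/\d+\z}      # /api/v4/users/:id (assumed numeric)
  USERNAME_PATH = %r{\A/users/[^/]+/exists\z}    # /users/:username/exists

  # limit/period stand in for the application settings; enabled stands in
  # for the throttle_possible_user_enumeration feature flag.
  def initialize(limit: 300, period: 300, enabled: true)
    @limit   = limit
    @period  = period
    @enabled = enabled
    @counters = Hash.new(0)   # stands in for the Rails cache store
  end

  # Discriminator in the Rack::Attack sense: returns the key to count under
  # (client IP) for matching requests, or nil so the request is not counted.
  def discriminator(path, ip)
    return nil unless @enabled
    return nil unless USER_ID_PATH.match?(path) || USERNAME_PATH.match?(path)
    ip
  end

  # Returns true when the request exceeds the limit (would get HTTP 429).
  # Counts live in fixed windows of `period` seconds, keyed on the window
  # number and the discriminator, so a new window starts at zero.
  def throttled?(path, ip, now: Time.now)
    key = discriminator(path, ip)
    return false if key.nil?
    window = now.to_i / @period
    @counters[[window, key]] += 1
    @counters[[window, key]] > @limit
  end
end
```

The 10-per-minute alternative discussed above can be compared by constructing the class with `limit: 10, period: 60`: a 20-request burst passes the default rule and trips the stricter one.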
