[BE-46] Apply rate limiting consistently across all routes

[yusuftomilola]

Overview

The ThrottlerModule is configured in AppModule with named buckets (short/medium/long) but @Throttle() decorators are only applied to newsletter and contact endpoints. All auth, booking, and payment routes are effectively unprotected against brute-force and API abuse attacks.

Context

• ThrottlerModule config: backend/src/app.module.ts (short=3/s, medium=20/10s, long=100/min)
• ThrottlerGuard registered as global APP_GUARD — verify it is active and working
• Existing decorator usage: backend/src/newsletter/newsletter.controller.ts, backend/src/contact/contact.controller.ts
• @Throttle() from @nestjs/throttler — apply per controller or per route handler

Tasks

• Verify the global ThrottlerGuard APP_GUARD is correctly rejecting over-limit requests with HTTP 429 Too Many Requests; write a quick smoke test or manual test to confirm
• Apply @Throttle({ short: { ttl: 1000, limit: 3 } }) to all auth endpoints: POST /auth/login, POST /auth/register, POST /auth/forgot-password
• Apply strictest limits to OTP and 2FA endpoints: max 5 per 10 minutes — POST /auth/verify-otp, POST /auth/2fa/verify, POST /auth/2fa/sms/send-code, POST /auth/2fa/sms/verify
• Apply @Throttle({ medium: { ttl: 60000, limit: 10 } }) to payment initiation endpoints: POST /payments/initialize, POST /credits/purchase
• Apply @Throttle({ long: { ttl: 60000, limit: 30 } }) to booking creation: POST /bookings
• Confirm that the feedback named throttler bucket (defined in AppModule) is actually wired to a route decorator — if orphaned, either wire it or remove it

Files to Modify / Create

• backend/src/auth/auth.controller.ts
• backend/src/payments/payments.controller.ts
• backend/src/bookings/bookings.controller.ts