Merge pull request #20336 from mozilla/fxa-13331

feat(auth): add email-scoped report-only rate limits for passwordless

Author: vbudhram

packages/fxa-auth-server/config/rate-limit-rules.txt

@@ -193,6 +193,8 @@ passwordlessSendOtp                    : ip               : 100         : 24 hou
 
 # Passwordless OTP Verification Limits
 passwordlessVerifyOtp                  : ip_email         : 5           : 10 minutes      : 15 minutes   : block
+passwordlessVerifyOtp                  : email            : 10          : 10 minutes      : 30 minutes   : report
 passwordlessVerifyOtp                  : ip               : 100         : 24 hours        : 15 minutes   : ban
 passwordlessVerifyOtpPerDay            : ip_email         : 10          : 24 hours        : 24 hours     : block
+passwordlessVerifyOtpPerDay            : email            : 20          : 24 hours        : 24 hours     : report
 passwordlessVerifyOtpPerDay            : ip               : 100         : 24 hours        : 15 minutes   : ban