implement account lockout after 3 failed login attempts with 5-minute cooldown period

backend/internal/auth/handler.go

@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"errors"
 	"net/http"
 
 	"github.com/gin-gonic/gin"
@@ -35,6 +36,16 @@ func (h *Handler) Login(c *gin.Context) {
 
 	token, err := h.authService.Login(c.Request.Context(), req.Username, req.Password)
 	if err != nil {
+		var lockErr AccountLockedError
+		if errors.As(err, &lockErr) {
+			c.JSON(http.StatusTooManyRequests, gin.H{
+				"error":        "Слишком много неверных попыток. Попробуйте через 5 минут",
+				"code":         "account_temporarily_locked",
+				"locked_until": lockErr.LockedUntil.Format("2006-01-02T15:04:05Z07:00"),
+			})
+			return
+		}
+
 		switch err {
 		case ErrUserNotFound, ErrInvalidCredentials:
 			c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid credentials"})