controllers: refactor rate limits.

Refactor controllers so that endpoint rate limits are declared locally,
with the endpoint, instead of globally, in a single method in ApplicationController.

This way an endpoint's rate limit is declared in the same file as the
endpoint itself.

This is so we can add fine-grained rate limits for certain GET requests.
Before rate limits were only for non-GET requests.

app/controllers/sessions_controller.rb

@@ -2,6 +2,8 @@ class SessionsController < ApplicationController
   respond_to :html, :json
   skip_forgery_protection only: :create, if: -> { !request.format.html? }
 
+  rate_limit :create, rate: 1.0/1.minute, burst: 10
+
   def new
     @user = User.new
   end