added various tests for playwright

tests/ui/auth/login-bruteforce.test.ts

@@ -0,0 +1,30 @@
+import { test, expect } from '@playwright/test';
+
+const shouldRun = process.env.E2E_BRUTEFORCE === '1';
+
+test.describe('Login brute-force throttle', () => {
+  test.skip(!shouldRun, 'Set E2E_BRUTEFORCE=1 to run brute-force throttle check against the live/staging site.');
+
+  test('repeated bad logins eventually trigger throttle', async ({ request }) => {
+    const attemptPayload = {
+      email: 'nonexistent-user@example.com',
+      password: 'WrongPass123!',
+    };
+
+    const statuses: number[] = [];
+    const bodies: string[] = [];
+
+    for (let i = 0; i < 8; i += 1) {
+      const response = await request.post('/login', {
+        form: attemptPayload,
+        failOnStatusCode: false,
+      });
+      statuses.push(response.status());
+      bodies.push(await response.text());
+    }
+
+    const hitThrottle = statuses.includes(429) || bodies.some((body) => /too many.+attempt/i.test(body));
+
+    expect(hitThrottle).toBeTruthy();
+  });
+});