fix(auth): reduce verification code rate limit from 60s to 10s

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

apps/web/app/(auth)/login/page.tsx

@@ -54,7 +54,7 @@ function LoginPageContent() {
       await sendCode(email);
       setStep("code");
       setCode("");
-      setCooldown(60);
+      setCooldown(10);
     } catch (err) {
       setError(
         err instanceof Error ? err.message : "Failed to send code. Make sure the server is running."
@@ -118,7 +118,7 @@ function LoginPageContent() {
     setError("");
     try {
       await sendCode(email);
-      setCooldown(60);
+      setCooldown(10);
     } catch (err) {
       setError(
         err instanceof Error ? err.message : "Failed to resend code"

server/internal/handler/auth.go

@@ -213,9 +213,9 @@ func (h *Handler) SendCode(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// Rate limit: max 1 code per 60 seconds per email
+	// Rate limit: max 1 code per 10 seconds per email
 	latest, err := h.Queries.GetLatestCodeByEmail(r.Context(), email)
-	if err == nil && time.Since(latest.CreatedAt.Time) < 60*time.Second {
+	if err == nil && time.Since(latest.CreatedAt.Time) < 10*time.Second {
 		writeError(w, http.StatusTooManyRequests, "please wait before requesting another code")
 		return
 	}