fix: respect lockout policy on password change (with old password) and add tar pit for checks

# Which Problems Are Solved

While the lockout policy was correctly applied on the session API and other authentication and management endpoints , it had no effect on the user service v2 endpoints.

# How the Problems Are Solved

- Correctly apply lockout policy on the user service v2 endpoints.
- Added tar pitting to auth factor checks (authentication and management API) to prevent brute-force attacks or denial of service because of user lockouts.
- Tar pitting is not active if `IgnoreUnknownUsername` option is active to prevent leaking information whether a user exists or not.

# Additional Changes

None

# Additional Context

- requires backports

* cleanup

(cherry picked from commit b8db8cdf9c)

internal/command/user_v2_model.go

@@ -80,6 +80,26 @@ type UserV2WriteModel struct {
 	Metadata           map[string][]byte
 }
 
+func (wm *UserV2WriteModel) GetUserState() domain.UserState {
+	return wm.UserState
+}
+
+func (wm *UserV2WriteModel) GetPasswordCheckFailedCount() uint64 {
+	return wm.PasswordCheckFailedCount
+}
+
+func (wm *UserV2WriteModel) GetEncodedHash() string {
+	return wm.PasswordEncodedHash
+}
+
+func (wm *UserV2WriteModel) GetResourceOwner() string {
+	return wm.ResourceOwner
+}
+
+func (wm *UserV2WriteModel) GetWriteModel() *eventstore.WriteModel {
+	return &wm.WriteModel
+}
+
 func NewUserExistsWriteModel(userID, resourceOwner string) *UserV2WriteModel {
 	return newUserV2WriteModel(userID, resourceOwner, WithHuman(), WithMachine())
 }
@@ -292,6 +312,7 @@ func (wm *UserV2WriteModel) Reduce() error {
 		case *user.HumanPasswordChangedEvent:
 			wm.PasswordEncodedHash = crypto.SecretOrEncodedHash(e.Secret, e.EncodedHash)
 			wm.PasswordChangeRequired = e.ChangeRequired
+			wm.PasswordCheckFailedCount = 0
 			wm.EmptyPasswordCode()
 		case *user.HumanPasswordCodeAddedEvent:
 			wm.SetPasswordCode(e)