feat: add registration abuse prevention

- Silently block verification code for IPs with 2+ registered accounts
- Silently block Gmail alias emails (containing + or . in local part)
- Add CountByRegistrationIP to UserRepository interface
- Pass client IP to SendVerifyCodeAsync for abuse detection

Both checks return fake success to prevent enumeration attacks.

backend/internal/handler/auth_handler.go

@@ -200,13 +200,15 @@ func (h *AuthHandler) SendVerifyCode(c *gin.Context) {
 		return
 	}
 
+	clientIP := ip.GetClientIP(c)
+
 	// Turnstile 验证
-	if err := h.authService.VerifyTurnstile(c.Request.Context(), req.TurnstileToken, ip.GetClientIP(c)); err != nil {
+	if err := h.authService.VerifyTurnstile(c.Request.Context(), req.TurnstileToken, clientIP); err != nil {
 		response.ErrorFrom(c, err)
 		return
 	}
 
-	result, err := h.authService.SendVerifyCodeAsync(c.Request.Context(), req.Email)
+	result, err := h.authService.SendVerifyCodeAsync(c.Request.Context(), req.Email, clientIP)
 	if err != nil {
 		response.ErrorFrom(c, err)
 		return