Problem/Motivation
Currently, when a passwordless login is initiated via /user-api/passwordless-login, the login email is always sent, even if the user has already been blocked by the flood module through another login mechanism.
In some scenarios it would be beneficial to also prohibit passwordless login attempts when the user has been blocked, e.g. after too many failed username / password logins.
The sending of emails by the passwordless login REST resource is not rate-limited in any way.
This could enable an attacker to send an unlimited flood of login emails to a victim, provided the victim's email address is known.
Proposed resolution
Implement two events that allow developers to hook into the passwordless login routine and abort the login process, once before and once after the user has been loaded.
This makes it possible to implement IP and user block checks using the flood module.
Additionally, provide a ready-made solution that checks the configured flood events for both IP and user blocks.
The flood events to be checked can then be set in Drupal settings.
Integrate the flood module similarly to how Drupal Core does it for user logins and in the Basic Auth module, but with dedicated IP and user limits and windows.
The per-user flood events should also be cleared when the user logs in successfully.
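The following is an added illustration of the resolution above; it is not the module's own code. It sketches a flood guard with one check for the "before user load" stage (only the client IP is known) and one for the "after user load" stage (the account is known), using core's `FloodInterface` (`isAllowed`, `register`, `clear`) and core's `user.flood` config keys (`ip_limit`, `ip_window`, `user_limit`, `user_window`, `uid_only`), which exist. The namespace, class name, the `passwordless_login.*` flood event names and the `passwordless_login_flood.*` `$settings` keys are hypothetical.

```php
<?php

// Added example, not the module's code. Namespace, class, event names and
// $settings keys are hypothetical; the Drupal APIs used are core's.
namespace Drupal\passwordless_login_example;

use Drupal\Core\Config\ConfigFactoryInterface;
use Drupal\Core\Flood\FloodInterface;
use Drupal\Core\Site\Settings;
use Drupal\user\UserInterface;
use Symfony\Component\HttpFoundation\RequestStack;

final class PasswordlessLoginFloodGuard {

  // Dedicated event names (hypothetical), kept apart from core's
  // 'user.failed_login_ip' / 'user.failed_login_user' so limits can differ.
  public const EVENT_IP = 'passwordless_login.failed_ip';
  public const EVENT_USER = 'passwordless_login.failed_user';

  public function __construct(
    private readonly FloodInterface $flood,
    private readonly ConfigFactoryInterface $configFactory,
    private readonly RequestStack $requestStack,
  ) {}

  /**
   * Check for the "before user load" event: only the client IP is known.
   * Refuses if either the dedicated per-IP limit or core's own per-IP
   * password-login limit has been exceeded.
   */
  public function isIpAllowed(): bool {
    $ip = $this->clientIp();
    $core = $this->configFactory->get('user.flood');
    $own = $this->flood->isAllowed(
      self::EVENT_IP,
      (int) Settings::get('passwordless_login_flood.ip_limit', 50),
      (int) Settings::get('passwordless_login_flood.ip_window', 3600),
      $ip,
    );
    $core_ok = $this->flood->isAllowed('user.failed_login_ip',
      (int) $core->get('ip_limit'), (int) $core->get('ip_window'), $ip);
    return $own && $core_ok;
  }

  /**
   * Check for the "after user load" event: dedicated per-account limit, core's
   * per-account limit, plus any extra events listed in settings.php as
   * $settings['passwordless_login_flood.user_events'][] =
   *   ['name' => ..., 'threshold' => ..., 'window' => ...];
   */
  public function isUserAllowed(UserInterface $account): bool {
    $identifier = $this->userIdentifier($account);
    $core = $this->configFactory->get('user.flood');
    $events = [
      ['name' => self::EVENT_USER,
        'threshold' => (int) Settings::get('passwordless_login_flood.user_limit', 5),
        'window' => (int) Settings::get('passwordless_login_flood.user_window', 21600)],
      ['name' => 'user.failed_login_user',
        'threshold' => (int) $core->get('user_limit'),
        'window' => (int) $core->get('user_window')],
    ];
    foreach (Settings::get('passwordless_login_flood.user_events', []) as $extra) {
      $events[] = $extra;
    }
    foreach ($events as $event) {
      if (!$this->flood->isAllowed($event['name'], $event['threshold'], $event['window'], $identifier)) {
        return FALSE;
      }
    }
    return TRUE;
  }

  /**
   * Record an attempt on both counters; call this whenever an email is sent.
   */
  public function registerAttempt(?UserInterface $account): void {
    $this->flood->register(self::EVENT_IP,
      (int) Settings::get('passwordless_login_flood.ip_window', 3600), $this->clientIp());
    if ($account !== NULL) {
      $this->flood->register(self::EVENT_USER,
        (int) Settings::get('passwordless_login_flood.user_window', 21600),
        $this->userIdentifier($account));
    }
  }

  /**
   * On successful login clear only the per-user counter, as core does; the
   * per-IP counter is kept so a noisy address stays throttled.
   */
  public function clearUser(UserInterface $account): void {
    $this->flood->clear(self::EVENT_USER, $this->userIdentifier($account));
  }

  private function clientIp(): string {
    return (string) $this->requestStack->getCurrentRequest()?->getClientIp();
  }

  /**
   * Same identifier rule as core: the uid alone when user.flood uid_only is
   * set, otherwise "uid-ip" so one address cannot lock an account for everyone.
   */
  private function userIdentifier(UserInterface $account): string {
    $uid_only = (bool) $this->configFactory->get('user.flood')->get('uid_only');
    return $uid_only ? (string) $account->id() : $account->id() . '-' . $this->clientIp();
  }

}
```

The resource would call `isIpAllowed()` from the first event, `isUserAllowed()` from the second, `registerAttempt()` before sending the email, and `clearUser()` once the emailed token is redeemed. Since core's `Settings::get()` looks up flat keys, a site tunes the limits with lines such as `$settings['passwordless_login_flood.user_limit'] = 3;` in settings.php; the defaults in the example mirror core's `user.flood` values.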