Harden auth risk controls and admin reauth

routes/api_user.py

@@ -9,7 +9,7 @@ from app_security import get_rate_limit_ip, require_ip_not_locked, validate_emai
 from flask import Blueprint, jsonify, request
 from flask_login import current_user, login_required
 from routes.pages import render_app_spa_or_legacy
-from services.state import check_ip_request_rate, safe_iter_task_status_items
+from services.state import check_email_rate_limit, check_ip_request_rate, safe_iter_task_status_items
 
 logger = get_logger("app")
 
@@ -164,6 +164,9 @@ def bind_user_email():
 
     client_ip = get_rate_limit_ip()
     allowed, error_msg = check_ip_request_rate(client_ip, "email")
+    if not allowed:
+        return jsonify({"error": error_msg}), 429
+    allowed, error_msg = check_email_rate_limit(email, "bind_email")
     if not allowed:
         return jsonify({"error": error_msg}), 429