Password reset endpoint is not brute force protected
Severity: High
Vulnerability Details
This is an oversight remaining after the fix for https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v243-x6jc-42mp (the underlying report is https://hackerone.com/reports/1841665, but I can't judge its content as it is not yet public).
In any case, the whole lostpassword flow is now annotated with brute-force protection, except the endpoint that actually matters: https://github.com/nextcloud/server/blob/master/core/Controller/LostController.php#L226-L229
An attacker can still happily brute-force the token without being throttled.
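As an added illustration that is not code from this report or from Nextcloud, the sketch below shows the shape of the fix the report asks for: the token-consuming reset endpoint without protection beside the same endpoint carrying the app framework's BruteForceProtection attribute and marking failed checks with throttle(). The controller class, the action name 'passwordResetToken' and the simplified per-user token storage are assumptions made for the example.

```php
<?php
// Added illustration, not Nextcloud's own LostController: the token-consuming
// reset endpoint without and with brute-force protection. The action name
// 'passwordResetToken' and the plain per-user token storage are simplifications.
declare(strict_types=1);

use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\Attribute\BruteForceProtection;
use OCP\AppFramework\Http\Attribute\PublicPage;
use OCP\AppFramework\Http\JSONResponse;
use OCP\IConfig;
use OCP\IRequest;

class ResetExampleController extends Controller {
    public function __construct(string $appName, IRequest $request, private IConfig $config) {
        parent::__construct($appName, $request);
    }

    // Constant-time comparison against the stored token.
    private function tokenIsValid(string $userId, string $token): bool {
        $stored = $this->config->getUserValue($userId, 'core', 'lostpassword', '');
        return $stored !== '' && hash_equals($stored, $token);
    }

    // Before: a wrong token is just a 400. Nothing records the failure,
    // so a client can keep submitting guesses at full speed.
    #[PublicPage]
    public function setPasswordUnprotected(string $token, string $userId, string $password): JSONResponse {
        if (!$this->tokenIsValid($userId, $token)) {
            return new JSONResponse(['status' => 'error'], Http::STATUS_BAD_REQUEST);
        }
        return new JSONResponse(['status' => 'success']);
    }

    // After: BruteForceMiddleware reads the attribute and delays or blocks the
    // request once the client IP has too many recorded attempts for this action;
    // throttle() on the failure response is what records this request as one.
    #[PublicPage]
    #[BruteForceProtection(action: 'passwordResetToken')]
    public function setPassword(string $token, string $userId, string $password): JSONResponse {
        if (!$this->tokenIsValid($userId, $token)) {
            $response = new JSONResponse(['status' => 'error'], Http::STATUS_BAD_REQUEST);
            $response->throttle();
            return $response;
        }
        // Actual password update omitted; it follows a valid token here.
        return new JSONResponse(['status' => 'success']);
    }
}
```

The attribute alone only makes the middleware consult the throttler before the method runs; without throttle() on the failure path no attempt is ever recorded, so both halves are needed.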
## Impact
The lostpassword flow has no effective brute-force protection on the endpoint that consumes the reset token.
Report Stats
- Report ID: 1987062
- State: Closed
- Substate: resolved
- Upvotes: 43