Roundup Tracker - Issues

Message7934

Author rouilj
Recipients rouilj
Date 2024-01-12.03:04:11
Message-id <1705028651.81.0.0299707561583.issue2551313@roundup.psfhosted.org>
In-reply-to
For the case where the username/email address is not found, use some method to delay
responding to the user. The delay should simulate sending an email. Possibly send an
actual email to devnull or another junk address. Otherwise a timing attack
could be used to find valid accounts/addresses, as the response time will be longer
if the user is found.

Also need some method of rate limiting requests for the magic link. Otherwise it is
easy to spam a user. Since usernames can be seen in Roundup, this argues for using
email addresses (which are not shown by Roundup) to trigger a magic link.

Consider using a time delay as with the registration form to deter bots, or an explicit
rate limit like login. Not sure what is a good delay as typing in just an email address
can be pretty quick.

Maybe reuse the login_attempts_min config setting to limit login attempts by
client IP. This requires that the roundup app has access to the client IP,
by configuring roundup to allow access to X-Forwarded-Host or using REMOTE_ADDR if
a proxy is not used. Rate limiting only on username may not work, as finding valid
accounts requires using different usernames/emails, but it will limit spamming a user.
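An added example (not Roundup's code) of the two mitigations described in the message above: a magic-link request handler that does equivalent work and pads to a fixed minimum duration whether or not the address is known, plus a sliding-window rate limiter keyed on client IP. KNOWN_ADDRESSES, the example addresses, the junk address and all function names are constructed placeholders.

```python
import time
from collections import defaultdict, deque

# Constructed stand-in for the tracker's user database (address -> username).
KNOWN_ADDRESSES = {"alice@example.org": "alice", "bob@example.org": "bob"}


class IpRateLimiter:
    """Allow at most `limit` requests per `window` seconds from one client IP."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(deque)  # ip -> timestamps of recent requests

    def allow(self, ip):
        now = self.clock()
        recent = self.hits[ip]
        while recent and now - recent[0] > self.window:  # drop expired hits
            recent.popleft()
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


def request_magic_link(address, client_ip, limiter, send_email,
                       min_duration=0.5, clock=time.monotonic, sleep=time.sleep):
    """Handle a magic-link request; the reply never reveals whether `address` exists."""
    if not limiter.allow(client_ip):
        return "rate_limited"
    start = clock()
    user = KNOWN_ADDRESSES.get(address)
    if user is not None:
        send_email(address, user)
    else:
        # Unknown address: still send a real email, to a junk address, so the
        # code path and its latency match the found case.
        send_email("devnull@example.invalid", None)
    # Pad to a fixed minimum so residual timing differences stay small.
    elapsed = clock() - start
    if elapsed < min_duration:
        sleep(min_duration - elapsed)
    return "ok"  # same generic reply for known and unknown addresses
```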
History

Date                 User    Action  Args
2024-01-12 03:04:11  rouilj  set     messageid: <1705028651.81.0.0299707561583.issue2551313@roundup.psfhosted.org>
2024-01-12 03:04:11  rouilj  set     recipients: + rouilj
2024-01-12 03:04:11  rouilj  link    issue2551313 messages
2024-01-12 03:04:11  rouilj  create