    Protect OAuth endpoints from brute force/password stuffing · 5558a9e7
    Drew Blessing authored
    Prevent brute force/credential spray attacks on the OAuth
    token endpoint by incrementing failed attempts. After the
    configured Devise `maximum_attempts` the account will be
    locked and further attempts will not succeed. This change also
    adds the OAuth token path to Rack Attack protected paths.
security-205-dblessing-oauth-token-brute-force.yml 108 Bytes
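The two defenses the commit message describes, modelled as an added Ruby example (not GitLab's code and not the contents of the changeset above): a Devise-style lockable counter that locks the account once `maximum_attempts` failures are reached, and a Rack::Attack-style per-IP throttle scoped to the OAuth token path. Class and method names are hypothetical, and the real gems are replaced with plain Ruby so the block runs stand-alone.

```ruby
# Hypothetical illustration, not GitLab's implementation: stands in for
# Devise's lockable behaviour and for a Rack::Attack throttle rule.

class LockableAccount
  attr_reader :failed_attempts, :locked_at

  def initialize(password, maximum_attempts: 10)
    @password = password
    @maximum_attempts = maximum_attempts  # mirrors Devise `maximum_attempts`
    @failed_attempts = 0
    @locked_at = nil
  end

  def locked?
    !@locked_at.nil?
  end

  # Every failed check increments the counter; once the counter reaches
  # maximum_attempts the account locks and even the right password fails.
  def authenticate(candidate)
    return :locked if locked?
    if candidate == @password
      @failed_attempts = 0
      return :ok
    end
    @failed_attempts += 1
    @locked_at = Time.now if @failed_attempts >= @maximum_attempts
    locked? ? :locked : :invalid
  end
end

# Sliding-window throttle keyed by client IP, counting only requests to the
# token path so that unrelated routes are unaffected.
class TokenPathThrottle
  def initialize(path: '/oauth/token', limit: 5, period: 60)
    @path, @limit, @period = path, limit, period
    @hits = Hash.new { |h, k| h[k] = [] }
  end

  # Returns true when the request should be rejected (e.g. with HTTP 429).
  def throttled?(ip, path, now = Time.now)
    return false unless path == @path
    window = @hits[ip].select { |t| now - t < @period }
    window << now
    @hits[ip] = window
    window.size > @limit
  end
end
```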