(SP: 2) [Frontend] Multi-attempt verification for bot protection #296

@LesiaUKR

Goal

Prevent bots from re-submitting answers to the same question during a quiz attempt via Redis-based duplicate verification tracking.

Scope

  • Track verified questions per user per quiz in Redis (quiz:verified:{quizId}:{identifier}:{questionId})
  • Identifier: userId for authenticated users, IP for guests (resolved from JWT cookie or x-forwarded-for)
  • Reject duplicate verification with 409 status
  • Dynamic TTL: timeLimitSeconds + 60s (sent from client), fallback 15min
  • Clear all verified keys on quiz start via SCAN + DEL (enables immediate retake)
  • Remove time validation rule from rules screen and validateTimeSpent from server action

Technical steps:

  1. Add isQuestionAlreadyVerified, markQuestionVerified, clearVerifiedQuestions to quiz-answers-redis.ts
  2. Update verify-answer/route.ts with identifier resolution and duplicate check
  3. Pass timeLimitSeconds from QuizContainer to verify-answer POST body
  4. Call clearVerifiedQuestions in initializeQuizCache server action on quiz start
  5. Remove quiz.rules.time i18n keys (uk/en/pl) and time rule block from rules screen

Considered and rejected alternatives:

  • Confirmation dialog on fast completion (gives cheaters second chance)
  • Graduated integrity penalty (feels unfair to legitimate users)
  • Per-question cooldown on Next button (doesn't fit flow — Next only appears after answer)
  • Rate limiting on verify-answer API (bots can add setTimeout)

Expected impact

  • Security: bots cannot re-verify the same question during an active attempt
  • UX: no impact on legitimate users, retakes work immediately

Out of scope

  • CAPTCHA or browser fingerprinting
  • IP-based rate limiting across different quizzes
  • Server-side answer timing analysis
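An added sketch of the duplicate check from the Scope list, not the project's code and not part of the original issue: the "already verified?" test and the "mark verified" write are done as one SET NX EX style operation, so two parallel requests for the same question cannot both pass. FakeRedis, claimQuestion, clearClaims, verifiedKey, verifiedTtl and the one-hour TTL cap are hypothetical names and values chosen for illustration.

```typescript
// Added example. FakeRedis is an in-memory stand-in so this runs offline.
class FakeRedis {
  private store = new Map<string, number>(); // key -> expiry, ms since epoch
  private now: () => number;
  constructor(now: () => number = Date.now) { this.now = now; }

  // Same contract as Redis `SET key 1 NX EX ttl`: one atomic step that
  // succeeds only when the key is absent (or already expired).
  setNxEx(key: string, ttlSeconds: number): boolean {
    const expiry = this.store.get(key);
    if (expiry !== undefined && expiry > this.now()) return false;
    this.store.set(key, this.now() + ttlSeconds * 1000);
    return true;
  }

  // Stand-in for SCAN MATCH `${prefix}*` followed by DEL; returns keys removed.
  deleteByPrefix(prefix: string): number {
    let removed = 0;
    this.store.forEach((_expiry, key) => {
      if (key.indexOf(prefix) === 0) { this.store.delete(key); removed++; }
    });
    return removed;
  }
}

const FALLBACK_TTL_SECONDS = 15 * 60; // fallback from the issue
const MAX_TTL_SECONDS = 60 * 60;      // assumption: cap, not in the issue

function verifiedKey(quizId: string, identifier: string, questionId: string): string {
  return `quiz:verified:${quizId}:${identifier}:${questionId}`;
}

// timeLimitSeconds arrives in the POST body, so treat it as untrusted input.
function verifiedTtl(timeLimitSeconds: unknown): number {
  if (typeof timeLimitSeconds !== "number" || !isFinite(timeLimitSeconds) || timeLimitSeconds <= 0) {
    return FALLBACK_TTL_SECONDS;
  }
  return Math.min(Math.floor(timeLimitSeconds) + 60, MAX_TTL_SECONDS);
}

// Status the route would return: 200 on first verification, 409 on a duplicate.
function claimQuestion(redis: FakeRedis, quizId: string, identifier: string,
                       questionId: string, timeLimitSeconds: unknown): 200 | 409 {
  return redis.setNxEx(verifiedKey(quizId, identifier, questionId), verifiedTtl(timeLimitSeconds)) ? 200 : 409;
}

// Quiz start: drop every claim for this user and quiz so a retake starts clean.
function clearClaims(redis: FakeRedis, quizId: string, identifier: string): number {
  return redis.deleteByPrefix(`quiz:verified:${quizId}:${identifier}:`);
}
```

The guest identifier deserves the same care as the TTL: x-forwarded-for is only meaningful when it is set by a proxy the server trusts.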

Labels

enhancement (New feature or request)
