add anti-flood: dynamic PoW difficulty under load

When paste creation rate exceeds threshold, PoW difficulty
increases to slow down attackers. Decays back to base when
abuse stops.

Config:
- ANTIFLOOD_THRESHOLD: requests/window before increase (30)
- ANTIFLOOD_STEP: difficulty bits per step (2)
- ANTIFLOOD_MAX: maximum difficulty cap (28)
- ANTIFLOOD_DECAY: seconds before reducing (30)

app/config.py

@@ -64,6 +64,18 @@ class Config:
     # Secret key for signing challenges (auto-generated if not set)
     POW_SECRET = os.environ.get("FLASKPASTE_POW_SECRET", "")
 
+    # Anti-flood: dynamically increase PoW difficulty under load
+    ANTIFLOOD_ENABLED = os.environ.get("FLASKPASTE_ANTIFLOOD", "1").lower() in (
+        "1",
+        "true",
+        "yes",
+    )
+    ANTIFLOOD_WINDOW = int(os.environ.get("FLASKPASTE_ANTIFLOOD_WINDOW", "60"))  # seconds
+    ANTIFLOOD_THRESHOLD = int(os.environ.get("FLASKPASTE_ANTIFLOOD_THRESHOLD", "30"))  # req/window
+    ANTIFLOOD_STEP = int(os.environ.get("FLASKPASTE_ANTIFLOOD_STEP", "2"))  # bits per step
+    ANTIFLOOD_MAX = int(os.environ.get("FLASKPASTE_ANTIFLOOD_MAX", "28"))  # max difficulty
+    ANTIFLOOD_DECAY = int(os.environ.get("FLASKPASTE_ANTIFLOOD_DECAY", "30"))  # seconds to decay
+
     # URL prefix for reverse proxy deployments (e.g., "/paste" for mymx.me/paste)
     URL_PREFIX = os.environ.get("FLASKPASTE_URL_PREFIX", "").rstrip("/")