[1.x] Port security fixes to default login rate limiter #473

Merged: 1 commit merged into laravel:1.x from staudenmeir:default-login-rate-limiter on Jun 18, 2023

Conversation

staudenmeir (Contributor) commented:
This PR ports two security fixes for MySQL/MariaDB from LoginRateLimiter to the service provider's rate limiter (that Fortify uses on a default installation):

  • Protection against bypass attempts with different combinations of uppercase and lowercase characters (e.g. uSer@example.com): This fix has been included in LoginRateLimiter from the beginning but not in the default rate limiter.
  • Protection against bypass attempts with special characters (e.g. uⓢer@example.com): #354 ("[1.x] Fix Throttle Bypass Exploit") fixed this in LoginRateLimiter but not in the default rate limiter.

I replaced $request->email with the more universal $request->input(Fortify::username()) from LoginRateLimiter.

I also removed the string cast from #333 because it doesn't actually solve the issue it wanted to fix (#332). Passing an array still causes an "Array to string conversion" error.

There aren't any tests for the default rate limiter yet and I'm not sure about the best way to test them.

The big issue with these vulnerabilities is that they don't get fixed in existing apps since the service provider is a stub file, but we can't really do anything about that.
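To make the two bypass classes in the description concrete, here is an added, self-contained simulation (it is not code from this PR or from Fortify). It compares a throttle key built from the raw username plus IP, as the old service-provider stub did, with a key built from a normalized username. The normalization used here is Python's NFKC + casefold, a stand-in for Laravel's `Str::lower`/`Str::transliterate`; the `|` separator, the `TypeError` for non-string input, the sample addresses and the 5-per-minute budget are choices made for this example.

```python
import unicodedata
from collections import defaultdict

# Constructed sample attempts: one account, one source IP, spelled with the
# case and Unicode variants the PR description mentions.
ATTEMPTS = [
    ("user@example.com", "203.0.113.7"),
    ("User@example.com", "203.0.113.7"),
    ("USER@example.com", "203.0.113.7"),
    ("u\u24e2er@example.com", "203.0.113.7"),  # circled s (uⓢer), NFKC -> 's'
    ("\uff55ser@example.com", "203.0.113.7"),  # fullwidth u, NFKC -> 'u'
    ("user@example.com", "203.0.113.7"),
]


def weak_key(username: str, ip: str) -> str:
    """Key shape of the old stub: raw input concatenated with the IP.
    Every case or Unicode variant lands in its own bucket."""
    return username + ip


def hardened_key(username, ip: str) -> str:
    """Normalize before keying so variants collapse into one bucket.
    Swapped-in technique: NFKC + casefold instead of Str::lower/Str::transliterate.
    Non-string input (e.g. an array) is rejected instead of being cast (assumption)."""
    if not isinstance(username, str):
        raise TypeError("username must be a string")
    folded = unicodedata.normalize("NFKC", username).casefold()
    return f"{folded}|{ip}"  # '|' separator keeps username and IP distinguishable


class RateLimiter:
    """Minimal fixed-window counter keyed by a caller-supplied key function."""

    def __init__(self, max_attempts: int, key_fn):
        self.max_attempts = max_attempts
        self.key_fn = key_fn
        self.hits = defaultdict(int)

    def attempt(self, username, ip: str) -> bool:
        """Return True if the attempt is allowed, False if the bucket is exhausted."""
        key = self.key_fn(username, ip)
        if self.hits[key] >= self.max_attempts:
            return False
        self.hits[key] += 1
        return True


def simulate(key_fn, max_attempts: int = 5):
    """Run the sample attempts through a limiter; return (allowed flags, bucket count)."""
    limiter = RateLimiter(max_attempts, key_fn)
    allowed = [limiter.attempt(user, ip) for user, ip in ATTEMPTS]
    return allowed, len(limiter.hits)


if __name__ == "__main__":
    for name, fn in (("weak", weak_key), ("hardened", hardened_key)):
        allowed, buckets = simulate(fn)
        print(f"{name:8s} buckets={buckets} allowed={allowed}")
```

With the raw key, six attempts against one account are spread over five buckets and all pass; with the normalized key they share one bucket and the sixth is blocked. The same counter logic applies to any keyed limiter, which is why the fix belongs in the key derivation rather than in the limiter itself.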

@taylorotwell taylorotwell merged commit 110dd0d into laravel:1.x Jun 18, 2023
@staudenmeir staudenmeir deleted the default-login-rate-limiter branch May 14, 2024 20:33