Feature/Security - Extend IP Whitelist functionality to all logins #14

Open
@aspark21

As far as I can tell, this authentication method bypasses the Login Token (https://docs.moodle.org/dev/Login_token) security feature. Seems like it could make brute-forcing passwords slightly easier.

Interested in this plugin for the crawler tool, nothing else. So ideally this plugin should only be available to a single account (the crawler tool account) or the IP of the server(s) which run the scheduled tasks/cron.

I can see the IP Whitelist setting is only used in relation to the master password option.

I think there should be an option to have an IP Whitelist for any use of this auth plugin; the real question is whether this should be a separate whitelist from the master password whitelist.
