fix: FORMS-1303 rate limit admin, permission, role

Applying API rate limiting to the currently non-limited routes in /admin, /permission, and /role.

app/src/forms/admin/routes.js

@@ -2,10 +2,13 @@ const routes = require('express').Router();
 
 const jwtService = require('../../components/jwtService');
 const currentUser = require('../auth/middleware/userAccess').currentUser;
+const rateLimiter = require('../common/middleware').apiKeyRateLimiter;
 const validateParameter = require('../common/middleware/validateParameter');
 const userController = require('../user/controller');
 const controller = require('./controller');
 
+routes.use(rateLimiter);
+
 // Routes under /admin fetch data without doing form permission checks. All
 // routes in this file should remain under the "admin" role check, with the
 // "admin" role only given to people who have permission to read all data.

app/src/forms/permission/routes.js

@@ -2,9 +2,11 @@ const routes = require('express').Router();
 
 const jwtService = require('../../components/jwtService');
 const currentUser = require('../auth/middleware/userAccess').currentUser;
+const rateLimiter = require('../common/middleware').apiKeyRateLimiter;
 const validateParameter = require('../common/middleware/validateParameter');
 const controller = require('./controller');
 
+routes.use(rateLimiter);
 routes.use(jwtService.protect('admin'));
 routes.use(currentUser);
 

app/src/forms/role/routes.js

@@ -2,9 +2,11 @@ const routes = require('express').Router();
 
 const jwtService = require('../../components/jwtService');
 const currentUser = require('../auth/middleware/userAccess').currentUser;
+const rateLimiter = require('../common/middleware').apiKeyRateLimiter;
 const validateParameter = require('../common/middleware/validateParameter');
 const controller = require('./controller');
 
+routes.use(rateLimiter);
 routes.use(currentUser);
 
 routes.param('code', validateParameter.validateRoleCode);