add rate limiting

app.js

@@ -10,6 +10,7 @@ const logger = require('pino')(opts);
 const express = require('express');
 const app = express();
 const helmet = require('helmet');
+const rateLimit = require('express-rate-limit');
 const cors = require('cors');
 const passport = require('passport');
 const routes = require('./lib/routes');
@@ -89,6 +90,15 @@ const unless = (paths, middleware) => {
     return middleware(req, res, next);
   };
 };
+
+const limiter = rateLimit({
+  windowMs: (process.env.RATE_LIMIT_WINDOWS_MS || 5) * 60 * 1000, // 5 minutes
+  max: process.env.RATE_LIMIT_MAX_PER_WINDOW || 600, // Limit each IP to 600 requests per `window`
+  standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+  legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+});
+
+app.use(limiter);
 app.use(helmet());
 app.use(helmet.hidePoweredBy());
 app.use(passport.initialize());