Rate-limit calls to invite api

services/web/app/coffee/Features/Collaborators/CollaboratorsRouter.coffee

@@ -2,6 +2,7 @@ CollaboratorsController = require('./CollaboratorsController')
 AuthenticationController = require('../Authentication/AuthenticationController')
 AuthorizationMiddlewear = require('../Authorization/AuthorizationMiddlewear')
 CollaboratorsInviteController = require('./CollaboratorsInviteController')
+RateLimiterMiddlewear = require('../Security/RateLimiterMiddlewear')
 
 module.exports =
 	apply: (webRouter, apiRouter) ->
@@ -13,24 +14,40 @@ module.exports =
 		# invites
 		webRouter.post(
 			'/project/:Project_id/invite',
+			RateLimiterMiddlewear.rateLimit({
+				endpointName: "invite-to-project"
+				params: ["Project_id"]
+				maxRequests: 200
+				timeInterval: 60 * 10
+			}),
+			AuthenticationController.requireLogin(),
 			AuthorizationMiddlewear.ensureUserCanAdminProject,
 			CollaboratorsInviteController.inviteToProject
 		)
 
 		webRouter.get(
 			'/project/:Project_id/invite',
+			AuthenticationController.requireLogin(),
 			AuthorizationMiddlewear.ensureUserCanAdminProject,
 			CollaboratorsInviteController.getAllInvites
 		)
 
 		webRouter.delete(
 			'/project/:Project_id/invite/:invite_id',
+			AuthenticationController.requireLogin(),
 			AuthorizationMiddlewear.ensureUserCanAdminProject,
 			CollaboratorsInviteController.revokeInvite
 		)
 
 		webRouter.post(
 			'/project/:Project_id/invite/:invite_id/resend',
+			RateLimiterMiddlewear.rateLimit({
+				endpointName: "resend-invite"
+				params: ["Project_id"]
+				maxRequests: 200
+				timeInterval: 60 * 10
+			}),
+			AuthenticationController.requireLogin(),
 			AuthorizationMiddlewear.ensureUserCanAdminProject,
 			CollaboratorsInviteController.resendInvite
 		)