diff --git a/services/web/app/src/Features/Security/RateLimiterMiddleware.js b/services/web/app/src/Features/Security/RateLimiterMiddleware.js
index 41a0f804b5..c32c7e9d81 100644
--- a/services/web/app/src/Features/Security/RateLimiterMiddleware.js
+++ b/services/web/app/src/Features/Security/RateLimiterMiddleware.js
@@ -16,8 +16,10 @@ const settings = require('@overleaf/settings')
 Unique clients are identified by user_id if logged in, and IP address if not.
 */
 function rateLimit(opts) {
+ const getUserId =
+ opts.getUserId || (req => SessionManager.getLoggedInUserId(req.session))
 return function (req, res, next) {
- const userId = SessionManager.getLoggedInUserId(req.session) || req.ip
+ const userId = getUserId(req) || req.ip
 if (
 settings.smokeTest &&
 settings.smokeTest.userId &&
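Review bot: Nothing in `rateLimit` documents or constrains what the new `opts.getUserId` callback may return, so a route could key the limiter on a request-supplied value and let a client choose its own bucket; `req.ip` is only used when the callback returns something falsy. The doc comment ending just above the function (it starts outside the hunk) still says clients are identified by user_id or IP, so I would add a line such as `opts.getUserId(req) may override the client id; it must return an identity taken from the session or another authenticated source, never a raw request parameter.` The same value appears to feed the smoke-test condition that opens at `if (` and continues outside the hunk, so that check is worth re-reading with custom keys in mind. A setup-time guard such as `if (opts.getUserId && typeof opts.getUserId !== 'function') throw new TypeError('opts.getUserId must be a function')` would surface a misconfigured route when it is registered instead of on its first request.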