Merge pull request #7294 from overleaf/jpa-ratelimit-2fa-check

[web] rate-limit 2fa check requests

GitOrigin-RevId: da3d2f15c68cff101de807c1eae91edbd86481e7

services/web/app/src/Features/Security/RateLimiterMiddleware.js

@@ -16,8 +16,10 @@ const settings = require('@overleaf/settings')
   Unique clients are identified by user_id if logged in, and IP address if not.
 */
 function rateLimit(opts) {
+  const getUserId =
+    opts.getUserId || (req => SessionManager.getLoggedInUserId(req.session))
   return function (req, res, next) {
-    const userId = SessionManager.getLoggedInUserId(req.session) || req.ip
+    const userId = getUserId(req) || req.ip
     if (
       settings.smokeTest &&
       settings.smokeTest.userId &&