Resolves #1537 - #1539: First pass at the review collection, with some endpoints for testing

[david-rocca]

Closes Issue #1537, #1538, #1539

To fix this issue, rate limiting should be explicitly added to the router handling these review object endpoints. The recommended approach is to use a well-known and widely used middleware such as express-rate-limit. We should import this middleware and configure a reasonable rate limit (for example, 100 requests per 15 minutes per IP) and attach this limiter to the specific routes in this router file, so that each relevant route is protected against excessive requests. This requires:

1. Adding express-rate-limit as a dependency (if not already present).
2. Importing the package in this file.
3. Defining a rate limiter instance with a configuration suited to the needs of these (likely sensitive) endpoints.
4. Attaching the rate limiter as a middleware to the relevant routes, before mw.validateUser and the rest.

Concrete changes:

• In src/controller/review-object.controller/index.js, add express-rate-limit import at the top.
• Define a limiter instance (e.g., const rateLimit = require('express-rate-limit') and define configuration).
• Add the limiter to each of the four routes as the first middleware in the stack.

---

To fix the missing rate limiting issue, a rate-limiting middleware should be added to the relevant routes. The standard and recommended package for this in Express is express-rate-limit. The fix should import (require) express-rate-limit, configure a suitable limiter (e.g., 100 requests per 15 minutes as in the example), and apply this limiter specifically to the sensitive routes, especially the /review/orgs GET endpoint, to prevent possible abuse. This can be done by inserting the limiter as a middleware in the relevant router .get() call. The fix must add the express-rate-limit import and create the limiter instance if not already present in this file. The code to be edited is within src/controller/review-object.controller/index.js, affecting line(s) where the route is defined and at the top for the import and limiter definition.

---

The best way to fix this issue is to add rate-limiting middleware to the endpoint(s) that update data, specifically line 7 (router.put('/review/org/:uuid', ...)). The widely used library for Express—express-rate-limit—should be imported and configured to set limits appropriate for update operations (e.g., a low burst rate to prevent DoS).

• Where to change: In src/controller/review-object.controller/index.js, import the rate limiter, configure a custom instance (e.g., allowing 10 attempts per 15 minutes), and append it to the relevant route(s).
• Methods/imports/definitions needed: Import the package at the top, instantiate a limiter according to needs, and use it as middleware in the route.

To fix the missing rate limiting on this sensitive POST endpoint, the best approach is to use a well-known rate limiting middleware designed for Express, such as express-rate-limit. This should be imported and configured with sensible defaults (e.g., allowing a small number of POSTs per minute from a single IP), and then applied specifically to the POST /review/org/ route (or more routes, if desired). The relevant import for express-rate-limit should be added at the top of the file. A new limiter instance needs to be created and inserted into the list of middleware for the POST route on line 8, without altering any existing functionality or other route handlers.

---