API v3 Rate Limiter (#12117)

* simplify ip address management by using the trust proxy express option

* add setupExpress file

* fix redirects middleware tests

* fix lint

* short circuit the ip blocking middleware

* basic implementation with ip based limiting

* improve logging

* upgrade apidoc

* apidoc: add introduction section

* fix lint

* fix tests

* fix lint

* add unit tests for rate limiter

* do not send retry-after header when points are available

* automatically fix lint

* fix more lint issues

* use userId as key for rate limit when available

website/server/libs/setupExpress.js

@@ -0,0 +1,11 @@
+import nconf from 'nconf';
+
+const IS_PROD = nconf.get('IS_PROD');
+
+export default function setupExpress (app) {
+  app.set('view engine', 'pug');
+  app.set('views', `${__dirname}/../../views`);
+  // The production build of Habitica runs behind a proxy
+  // See https://expressjs.com/it/guide/behind-proxies.html
+  if (IS_PROD) app.set('trust proxy', true);
+}