feat(api): apply rate limiters to game and lobby routes

Wire gameLimiter into gameRouter and lobbyLimiter into lobbyRouter.
Both run after requireAuth since they key by req.session.user.id.

apps/api/src/routes/gameRouter.ts

@@ -2,9 +2,12 @@ import express from "express";
 import type { Router } from "express";
 import { createGame, submitAnswer } from "../controllers/gameController.js";
 import { requireAuth } from "../middleware/authMiddleware.js";
+import { gameLimiter } from "../middleware/rateLimiters.js";
 
 export const gameRouter: Router = express.Router();
 
 gameRouter.use(requireAuth);
+gameRouter.use(gameLimiter);
+
 gameRouter.post("/start", createGame);
 gameRouter.post("/answer", submitAnswer);

apps/api/src/routes/lobbyRouter.ts

@@ -5,10 +5,12 @@ import {
   joinLobbyHandler,
 } from "../controllers/lobbyController.js";
 import { requireAuth } from "../middleware/authMiddleware.js";
+import { lobbyLimiter } from "../middleware/rateLimiters.js";
 
 export const lobbyRouter: Router = express.Router();
 
 lobbyRouter.use(requireAuth);
+lobbyRouter.use(lobbyLimiter);
 
 lobbyRouter.post("/", createLobbyHandler);
 lobbyRouter.post("/:code/join", joinLobbyHandler);