feat(api): apply rate limiters to game and lobby routes

Wire gameLimiter into gameRouter and lobbyLimiter into lobbyRouter.
Both run after requireAuth since they key by req.session.user.id.

apps/api/src/routes/gameRouter.ts

@@ -2,9 +2,12 @@ import express from "express";
 import type { Router } from "express";
 import { createGame, submitAnswer } from "../controllers/gameController.js";
 import { requireAuth } from "../middleware/authMiddleware.js";
+import { gameLimiter } from "../middleware/rateLimiters.js";
 
 export const gameRouter: Router = express.Router();
 
 gameRouter.use(requireAuth);
+gameRouter.use(gameLimiter);
+
 gameRouter.post("/start", createGame);
 gameRouter.post("/answer", submitAnswer);

apps/api/src/routes/lobbyRouter.ts

@@ -5,10 +5,12 @@ import {
   joinLobbyHandler,
 } from "../controllers/lobbyController.js";
 import { requireAuth } from "../middleware/authMiddleware.js";
+import { lobbyLimiter } from "../middleware/rateLimiters.js";
 
 export const lobbyRouter: Router = express.Router();
 
 lobbyRouter.use(requireAuth);
+lobbyRouter.use(lobbyLimiter);
 
 lobbyRouter.post("/", createLobbyHandler);
 lobbyRouter.post("/:code/join", joinLobbyHandler);

documentation/backlog.md

@@ -108,6 +108,9 @@ Directionally right, timing is unclear. Revisit when the next/now work is done.
 - **OpenAPI documentation for REST endpoints** `[feature]`
   Document the API surface using OpenAPI/Swagger. Covers all REST endpoints with request/response shapes. Useful groundwork for the admin dashboard and any future contributors.
 
+- **Frontend tests** `[debt]`
+  component tests for QuestionCard, OptionButton, ScoreScreen; consider Playwright or Vitest browser mode for e2e
+
 ---
 
 ## changelog