Enhance security and validation across multiple routes:

- Escape XML and HTML special characters to prevent injection attacks.
- Implement rate limiting for various endpoints to mitigate abuse.
- Add validation for email formats, password lengths, and field limits.
- Ensure proper access control for recordings and room management.

server/routes/federation.js

@@ -1,8 +1,19 @@
 import { Router } from 'express';
 import { v4 as uuidv4 } from 'uuid';
+import { rateLimit } from 'express-rate-limit';
 import { getDb } from '../config/database.js';
 import { authenticateToken } from '../middleware/auth.js';
 import { sendFederationInviteEmail } from '../config/mailer.js';
+
+// M13: rate limit the unauthenticated federation receive endpoint
+const federationReceiveLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: 'Too many federation requests. Please try again later.' },
+});
+
 import {
     getFederationDomain,
     isFederationEnabled,
@@ -116,7 +127,7 @@ router.post('/invite', authenticateToken, async (req, res) => {
 });
 
 // ── POST /api/federation/receive — Accept incoming invitation from remote ───
-router.post('/receive', async (req, res) => {
+router.post('/receive', federationReceiveLimiter, async (req, res) => {
     try {
         if (!isFederationEnabled()) {
             return res.status(400).json({ error: 'Federation is not configured on this instance' });