Doing conditional rendering depending on whether the user was logged in or not was annoying. I didn't want my nav bar to update immediately after signing in, since I wanted the page to redirect on sign-in, but it would change the navbar immediately, which led to using a timeout. I also ended up using localStorage so my "isSignedIn" state for the navbar's conditional render would have the same value on refresh.
I didn't really have any hiccups when adding logins and authorization. I just had to fix some of my endpoints to check for the cookie when handling certain POST/DELETE requests.
When doing a security audit on my site, I did not notice any XSS or CSRF vulnerabilities. I would attribute this to the Helmet package, along with the strict SameSite cookie option used on my server. Rate limiting was added via application code, specifically with express-rate-limit. The HTTP headers set were the ones Helmet sets by default. One of them was the Content-Security-Policy header, which protects against things like cross-site scripting attacks by controlling what resources can be loaded, and the URLs they are loaded from. Another header Helmet sets by default is Strict-Transport-Security, used to prefer HTTPS over HTTP, which is useful to ensure POST requests are encrypted.
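To make the pieces above concrete, here is an added example (not the post's own code) that re-creates in plain Node what the post gets from Helmet, express-rate-limit and the SameSite=Strict cookie: security headers on every response, a per-IP fixed-window limiter, and a session-cookie check on mutating methods. The header values, session token and request shapes are constructed assumptions, not copied from the site described.

```javascript
// Added example, not the post's own code: dependency-free re-creation of the
// protections the post attributes to Helmet, express-rate-limit and the
// SameSite=Strict cookie. Header values are assumptions in the spirit of
// Helmet's defaults, not the exact strings Helmet emits.
const SECURITY_HEADERS = {
  // CSP: only same-origin scripts/resources load, no plugins, no framing by others
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self'",
  // HSTS: browser remembers to use HTTPS for 180 days, subdomains included
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
};

// Constructed stand-in for the server's session store.
const VALID_SESSIONS = new Set(['constructed-session-token']);

// Cookie attributes that keep the session out of cross-site requests (CSRF)
// and out of reach of page scripts (XSS).
function sessionCookie(token) {
  return `session=${token}; HttpOnly; Secure; SameSite=Strict; Path=/`;
}

// Parse a Cookie request header into { name: value }; values may contain '='.
function parseCookies(header = '') {
  return Object.fromEntries(
    header.split(';').map((p) => p.trim()).filter(Boolean)
      .map((p) => { const i = p.indexOf('='); return [p.slice(0, i), p.slice(i + 1)]; }),
  );
}

// Fixed-window limiter keyed by client IP, like express-rate-limit's basic mode.
function createRateLimiter({ windowMs, max }) {
  const hits = new Map(); // ip -> { count, windowStart }
  return (ip, now) => {
    const h = hits.get(ip);
    if (!h || now - h.windowStart >= windowMs) { hits.set(ip, { count: 1, windowStart: now }); return true; }
    h.count += 1;
    return h.count <= max;
  };
}

const MUTATING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Request handling in the order the post describes: rate limit first, security
// headers on every response, valid session cookie required for mutating methods.
function createHandler(limiter) {
  return ({ method, ip, headers = {}, now = Date.now() }) => {
    const res = { status: 200, headers: { ...SECURITY_HEADERS } };
    if (!limiter(ip, now)) { res.status = 429; return res; }
    if (MUTATING.has(method) && !VALID_SESSIONS.has(parseCookies(headers.cookie).session)) {
      res.status = 401;
    }
    return res;
  };
}
```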