Zen by Aikido is an embedded Application Firewall that autonomously protects Node.js apps against common and critical attacks, provides rate limiting, detects malicious traffic (including bots), and more.
;
// Compiled CommonJS module (TypeScript output): mark the module for ES-module
// interop and publish the decision function, which is hoisted from its
// declaration further down in the file.
Object.defineProperty(exports, "__esModule", { value: true });
exports.shouldRateLimitRequest = shouldRateLimitRequest;
// Project-local helpers: context mutation, localhost detection and the lookup
// that maps a request onto a rate-limited endpoint from the agent config.
const Context_1 = require("../agent/Context");
const isLocalhostIP_1 = require("../helpers/isLocalhostIP");
const getRateLimitedEndpoint_1 = require("./getRateLimitedEndpoint");
// eslint-disable-next-line max-lines-per-function
function shouldRateLimitRequest(context, agent) {
  /**
   * Decide whether the current request must be blocked by rate limiting.
   *
   * @param {object} context - Request context; reads `consumedRateLimit`,
   *   `remoteAddress`, `rateLimitGroup` and `user` (with `user.id`), and is
   *   marked via `updateContext` so the same request is only counted once.
   * @param {object} agent - Provides `getConfig()` (endpoint lookup, bypass
   *   IP list) and `getRateLimiter()` (the `isAllowed` counter).
   * @returns {{block: boolean, trigger?: string, endpoint?: object}}
   *   `{ block: false }` when the request may proceed; otherwise `block` is
   *   true and `trigger` names the bucket ("group", "user" or "ip") that
   *   was exhausted, together with the matched `endpoint`.
   */
  // Guard against double-counting when the middleware is mounted more than
  // once: a context that already consumed its rate limit is never counted again.
  if (context.consumedRateLimit) {
    return { block: false };
  }
  (0, Context_1.updateContext)(context, "consumedRateLimit", true);

  const endpoint = (0, getRateLimitedEndpoint_1.getRateLimitedEndpoint)(context, agent.getConfig());
  if (!endpoint) {
    // No rate-limited endpoint matches this request.
    return { block: false };
  }

  const { remoteAddress } = context;
  const inProduction = process.env.NODE_ENV === "production";
  // Localhost traffic is exempt only in production; in development it is
  // limited like any other client so the feature can be exercised locally.
  const localhostExempt = remoteAddress &&
    (0, isLocalhostIP_1.isLocalhostIP)(remoteAddress) &&
    inProduction;
  // Configured bypass IPs (e.g. office ranges) are never limited.
  const bypassed = remoteAddress && agent.getConfig().isBypassedIP(remoteAddress);
  if (localhostExempt || bypassed) {
    return { block: false };
  }

  const { maxRequests, windowSizeInMS } = endpoint.rateLimiting;
  // Counter keys are ':'-joined without escaping.
  // NOTE(review): a group or user id that itself contains ':' lands in the same
  // key space as differently shaped keys — confirm those ids are trusted values.
  const keyPrefix = `${endpoint.method}:${endpoint.route}`;
  const exceeds = (bucket) =>
    !agent.getRateLimiter().isAllowed(`${keyPrefix}:${bucket}`, windowSizeInMS, maxRequests);

  // Exactly one bucket is consulted, in priority order: group, then user,
  // then client IP. A set group skips the user and IP checks; a set user
  // skips the IP check.
  if (context.rateLimitGroup) {
    return exceeds(`group:${context.rateLimitGroup}`)
      ? { block: true, trigger: "group", endpoint }
      : { block: false };
  }
  if (context.user) {
    return exceeds(`user:${context.user.id}`)
      ? { block: true, trigger: "user", endpoint }
      : { block: false };
  }
  if (remoteAddress && exceeds(`ip:${remoteAddress}`)) {
    return { block: true, trigger: "ip", endpoint };
  }
  return { block: false };
}