UNPKG

@jwerre/rate-limit-redis

Version:

A Redis based rate limiter for Node.js and Express.

github.com/jwerre/rate-limit-redis/blob/master/README.md

jwerre/rate-limit-redis

177 lines (133 loc) 5.07 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
# Rate Limit Redis This module is a Redis based rate limiter for Node.js and Express. It is intended to be used where your web severs are distributed across multiple systems or nodes (such as in load balancing) and there needs to be a centralized location to store request counts. ## How it works 1. When a request is made, a new temporary record is stored in Redis. This record is defined by the IP address of the request and will expire. 1. If a second request is made before the first expires, the record count is incremented. 1. For each request made within the rate limit window, the record is incremented. 1. If the record count reaches the max limit before expiring, then a 429 error status is returned. ## Install ```bash npm install --save @jwerre/rate-limit-redis ``` ## Usage ```js import { rateLimitRedis } from '@jwerre/rate_limit_redis'; import express from 'express'; const app = express(); const rateLimitArgs = { redis: { url: 'redis://127.0.0.1:6379', }, timeframe: 60, limit: 120, headers: true, whitelist: [ '192.168.20.20' ], customRoutes: [ { path: '/stingy/rate/limit', method: 'POST', timeframe: 30, limit: 5, }, { path: '/loose/rate/limit', method: 'PUT', timeframe: 120, limit: 500, { path: /^\/regex\/[0-9]{5,10}\/?$/, method: 'GET', timeframe: 60, limit: 25, }, { path: '/ignore/rate/limit', method: 'GET', ignore: true }, ] }; // use trust proxy if behind load balancer app.enable('trust proxy'); app.use( rateLimitRedis(rateLimitArgs) ); app.get('/', (req, res) => { res.send('OK') ); }); const server = app.listen( 8080 ); server.on('error', () => { // rateLimitRedis is added to Node's global scope // (https://nodejs.org/docs/latest-v14.x/api/globals.html) so you can close // the connection properly global.rateLimitRedis.disconnect(); }); ``` ### Alternate Usage If you need a little more control, you can instantiate the `RateLimitRedis` class yourself. ```js import {RateLimitRedis} from '@jwerre/rate-limit-redis'; const rateLimitRedis = new RateLimitRedis({ redis: { // see: https://github.com/redis/node-redis/blob/master/docs/client-configuration.md socket: { host: 'localhost', port: 6379, } }, timeframe: 60, limit: 120, autoConnect: false, }); rateLimitRedis.connect().then( () => { rateLimitRedis.process(<SOME_HTTP_REQUEST>) .then((res) => { console.log(res); }) .catch((err) => { console.error(err); }) }); ``` ## Arguments | Data Type | Argument | Description | | -- | -- | -- | | `Object` | `redis` | Redis options [https://github.com/redis/node-redis/blob/master/docs/client-configuration.md](more...) | | `String` | `namespace` | String to prepend to the Redis key e.g.: 'rate-limit:\<USER-IP\>'. | | `Number` | `timeframe` | Rate limit window in seconds. | | `Number` | `limit` | Maximum amount of requests allowed within timeframe. | | `Boolean` | `headers` | Whether to set rate limit headers or not. | | `Boolean` | `autoConnect` | Whether to automatically connect to redis before processing http request (default: true). | | `[String]` | `whitelist` | A list of IP addresses where rate limit should not apply. *This may be useful if you have automated tasks, probes or health checks coming from known IPs and you don't want to apply a rate limit to them.* | | `[Object]` | `customRoutes` | A list of routes where you can set custom rate limits. This will create a new rate limit with a unique key based on the IP, method and path. | | `String\|RegExp`| `customRoutes.path` | The path to ignore (required). *Note: Do not user trailing slash.*| | `String` | `customRoutes.method` | The request method of the ignored path (default: `get`). | | `Number` | `customRoutes.timeframe` | Rate limit window in seconds for custom route. | | `Number` | `customRoutes.limit` | Maximum amount of requests allowed within timeframe for custom route. | | `Boolean` | `customRoutes.ignore` | Rate limit request to this custom route will be ignored. *Be careful with this one.* | ## Methods ### `process(request)` Process HTTP request. #### Arguments [HTTP request](https://nodejs.org/docs/latest-v14.x/api/http.html#http_class_http_clientrequest): The http request to rate limit #### Returns `Promise`: Object containing rate limit information e.g.: ```js { status: 200, limit: 100, timeframe: 2, remaining: 99, retry: Number // if status is 429 error: Error // if status is 429 } ``` ### `disconnect()` Close redis connection. #### Returns `Promise` ## Accuracy This module uses [Redis Expire](https://redis.io/commands/expire) to manage rate limit requests. If using Redis 2.4 or lower, accuracy could be as much as 1 second off. ## Testing Ensure Node.js is installed and Redis is running on default port 6737. ```sh docker run -d --name redis -p 6379:6379 redis:latest # if you don't have redis running locally already npm install npm test ```