UNPKG

express-rate-limit

Version:

Basic IP rate-limiting middleware for Express. Use to limit repeated requests to public APIs and/or endpoints such as password reset.

github.com/nfriedly/express-rate-limit

nfriedly/express-rate-limit

277 lines (186 loc) 9.26 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
# Express Rate Limit [![Build Status](https://secure.travis-ci.org/nfriedly/express-rate-limit.png?branch=master)](http://travis-ci.org/nfriedly/express-rate-limit) [![NPM version](http://badge.fury.io/js/express-rate-limit.png)](https://npmjs.org/package/express-rate-limit "View this project on NPM") [![Dependency Status](https://david-dm.org/nfriedly/express-rate-limit.png?theme=shields.io)](https://david-dm.org/nfriedly/express-rate-limit) [![Development Dependency Status](https://david-dm.org/nfriedly/express-rate-limit/dev-status.png?theme=shields.io)](https://david-dm.org/nfriedly/express-rate-limit#info=devDependencies) Basic rate-limiting middleware for Express. Use to limit repeated requests to public APIs and/or endpoints such as password reset. Plays nice with [express-slow-down](https://www.npmjs.com/package/express-slow-down). Note: this module does not share state with other processes/servers by default. If you need a more robust solution, I recommend using an external store: ### Stores - Memory Store _(default, built-in)_ - stores hits in-memory in the Node.js process. Does not share state with other servers or processes. - [Redis Store](https://npmjs.com/package/rate-limit-redis) - [Memcached Store](https://npmjs.org/package/rate-limit-memcached) - [Mongo Store](https://www.npmjs.com/package/rate-limit-mongo) ### Alternate Rate-limiters This module was designed to only handle the basics and didn't even support external stores initially. These other options all are excellent pieces of software and may be more appropriate for some situations: - [rate-limiter-flexible](https://www.npmjs.com/package/rate-limiter-flexible) - [express-brute](https://www.npmjs.com/package/express-brute) - [rate-limiter](https://www.npmjs.com/package/express-limiter) ## Install ```sh $ npm install --save express-rate-limit ``` ## Usage For an API-only server where the rate-limiter should be applied to all requests: ```js const rateLimit = require("express-rate-limit"); app.enable("trust proxy"); // only if you're behind a reverse proxy (Heroku, Bluemix, AWS ELB, Nginx, etc) const limiter = rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 100 // limit each IP to 100 requests per windowMs }); // apply to all requests app.use(limiter); ``` For a "regular" web server (e.g. anything that uses `express.static()`), where the rate-limiter should only apply to certain requests: ```js const rateLimit = require("express-rate-limit"); app.enable("trust proxy"); // only if you're behind a reverse proxy (Heroku, Bluemix, AWS ELB, Nginx, etc) const apiLimiter = rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 100 }); // only apply to requests that begin with /api/ app.use("/api/", apiLimiter); ``` Create multiple instances to apply different rules to different routes: ```js const rateLimit = require("express-rate-limit"); app.enable("trust proxy"); // only if you're behind a reverse proxy (Heroku, Bluemix, AWS ELB, Nginx, etc) const apiLimiter = rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 100 }); app.use("/api/", apiLimiter); const createAccountLimiter = rateLimit({ windowMs: 60 * 60 * 1000, // 1 hour window max: 5, // start blocking after 5 requests message: "Too many accounts created from this IP, please try again after an hour" }); app.post("/create-account", createAccountLimiter, function(req, res) { //... }); ``` A `req.rateLimit` property is added to all requests with the `limit`, `current`, and `remaining` number of requests for usage in your application code and, if the store provides it, a `resetTime` Date object. ## Configuration options ### max Max number of connections during `windowMs` milliseconds before sending a 429 response. May be a number, or a function that returns a number or a promise. Defaults to `5`. Set to `0` to disable. ### windowMs How long in milliseconds to keep records of requests in memory. Defaults to `60000` (1 minute). ### message Error message sent to user when `max` is exceeded. May be a String, JSON object, or any other value that Express's [req.send](https://expressjs.com/en/4x/api.html#res.send) supports. Defaults to `'Too many requests, please try again later.'` ### statusCode HTTP status code returned when `max` is exceeded. Defaults to `429`. ### headers Enable headers for request limit (`X-RateLimit-Limit`) and current usage (`X-RateLimit-Remaining`) on all responses and time to wait before retrying (`Retry-After`) when `max` is exceeded. Defaults to `true`. ### keyGenerator Function used to generate keys. Defaults to req.ip: ```js function (req /*, res*/) { return req.ip; } ``` ### handler The function to handle requests once the max limit is exceeded. It receives the request and the response objects. The "next" param is available if you need to pass to the next middleware. The`req.rateLimit` object has `limit`, `current`, and `remaining` number of requests and, if the store provides it, a `resetTime` Date object. Defaults to: ```js function (req, res, /*next*/) { res.status(options.statusCode).send(options.message); } ``` ### onLimitReached Function that is called the first time a user hits the rate limit within a given window. The`req.rateLimit` object has `limit`, `current`, and `remaining` number of requests and, if the store provides it, a `resetTime` Date object. Default is an empty function: ```js function (req, res, options) { /* empty */ } ``` ### skipFailedRequests When set to `true`, failed requests won't be counted. Request considered failed when: - response status >= 400 - requests that were cancelled before last chunk of data was sent (response `close` event triggered) - response `error` event was triggrered by response (Technically they are counted and then un-counted, so a large number of slow requests all at once could still trigger a rate-limit. This may be fixed in a future release.) Defaults to `false`. ### skipSuccessfulRequests When set to `true` successful requests (response status < 400) won't be counted. (Technically they are counted and then un-counted, so a large number of slow requests all at once could still trigger a rate-limit. This may be fixed in a future release.) Defaults to `false`. ### skip Function used to skip requests. Returning `true` from the function will skip limiting for that request. Defaults to always `false` (count all requests): ```js function (/*req, res*/) { return false; } ``` ### store The storage to use when persisting rate limit attempts. By default, the [MemoryStore](lib/memory-store.js) is used. Available data stores are: - MemoryStore: _(default)_ Simple in-memory option. Does not share state when app has multiple processes or servers. - [rate-limit-redis](https://npmjs.com/package/rate-limit-redis): A [Redis](http://redis.io/)-backed store, more suitable for large or demanding deployments. - [rate-limit-memcached](https://npmjs.org/package/rate-limit-memcached): A [Memcached](https://memcached.org/)-backed store. You may also create your own store. It must implement the following in order to function: ```js function SomeStore() { /** * Increments the value in the underlying store for the given key. * @method function * @param {string} key - The key to use as the unique identifier passed * down from RateLimit. * @param {Function} cb - The callback issued when the underlying * store is finished. * * The callback should be called with three values: * - error (usually null) * - hitCount for this IP * - resetTime - JS Date object (optional, but necessary for X-RateLimit-Reset header) */ this.incr = function(key, cb) { // increment storage cb(null, hits, resetTime); }; /** * Decrements the value in the underlying store for the given key. Used only when skipFailedRequests is true * @method function * @param {string} key - The key to use as the unique identifier passed * down from RateLimit. */ this.decrement = function(key) { // decrement storage }; /** * Resets a value with the given key. * @method function * @param {[type]} key - The key to reset */ this.resetKey = function(key) { // remove key from storage or reset it to 0 }; } ``` ## Instance API ### instance.resetKey(key) Resets the rate limiting for a given key. (Allow users to complete a captcha or whatever to reset their rate limit, then call this method.) ## v3 Changes - Removed `delayAfter` and `delayMs` options; they were moved to a new module: [express-slow-down](https://npmjs.org/package/express-slow-down). - Simplified the default `handler` function so that it no longer changes the response format. Now uses [res.send](https://expressjs.com/en/4x/api.html#res.send). - `onLimitReached` now only triggers once for a given ip and window. only `handle` is called for every blocked request. ## v2 Changes v2 uses a less precise but less resource intensive method of tracking hits from a given IP. v2 also adds the `limiter.resetKey()` API and removes the `global: true` option. ## License MIT © [Nathan Friedly](http://nfriedly.com/)