UNPKG

hapi-rate-limitor

Version:

Rate limiting for hapi/hapi.js to prevent brute-force attacks

github.com/futurestudio/hapi-rate-limitor

futurestudio/hapi-rate-limitor

121 lines (93 loc) 2.69 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
'use strict' const Test = require('ava') const Hapi = require('@hapi/hapi') const pEvent = require('p-event') const EventEmitter = require('events') const rejectIn1Sec = new Promise((resolve, reject) => { setTimeout(reject, 1000, new Error('rejected after 1s')) }) Test('falls back to server.events by default', async (t) => { const server = new Hapi.Server() await server.register({ plugin: require('../lib'), options: { namespace: `events-${Date.now()}` } }) await server.initialize() server.route({ method: 'GET', path: '/', handler: () => 'server.events is the emitter' }) const request = { url: '/', method: 'GET' } const events = [] server.events.on('rate-limit:attempt', request => events.push(request)) server.events.on('rate-limit:in-quota', request => events.push(request)) server.events.on('rate-limit:exceeded', request => events.push(request)) const response = await server.inject(request) t.is(response.statusCode, 200) t.is(events.length, 2) // should not contain the exceeded event }) Test('uses custom event emitter', async (t) => { const server = new Hapi.Server() const emitter = new EventEmitter() await server.register({ plugin: require('../lib'), options: { emitter, namespace: `events-${Date.now()}` } }) await server.initialize() server.route({ method: 'GET', path: '/', handler: () => 'custom event emitter' }) const request = { url: '/', method: 'GET' } const attempt = pEvent(emitter, 'rate-limit:attempt') const inQuota = pEvent(emitter, 'rate-limit:in-quota') const response = await server.inject(request) t.is(response.statusCode, 200) t.truthy(await attempt) t.truthy(await inQuota) }) Test('fires exceeded event', async (t) => { const server = new Hapi.Server() const emitter = new EventEmitter() await server.register({ plugin: require('../lib'), options: { max: 1, emitter, namespace: `events-${Date.now()}` } }) await server.initialize() server.route({ method: 'GET', path: '/', handler: () => 'custom event emitter' }) const request = { url: '/', method: 'GET' } const attempt = pEvent(emitter, 'rate-limit:attempt') const exceeded = pEvent(emitter, 'rate-limit:exceeded') // first request won’t exceed the rate limit const response = await server.inject(request) t.is(response.statusCode, 200) t.truthy(await attempt) await t.throwsAsync(Promise.race([exceeded, rejectIn1Sec])) // second request exceeds the limit await server.inject(request) t.truthy(Promise.race([exceeded, rejectIn1Sec])) })