Norwegian Parcel Mail

    adonis-rate-limiter

    0.1.0 • Public • Published

    adonis-rate-limiter

    Build Status dependencies Status devDependencies Status

    Rate limiter for AdonisJs framework using Redis.

    Installation

    npm install adonis-rate-limiter --save
    

    After installation, you need to register the provider and an optional alias inside bootstrap/app.js file.

    // bootstrap/app.js
     
    const providers = [
      ...,
      'adonis-rate-limiter/providers/RateLimiterProvider'
    ]
     
    const aliases = [
      ...,
      RateLimiter: 'Adonis/Addons/RateLimiter',
    ]

    Usage

    Rate limit a specific action

    Use the RateLimiter provider to limit an action for a given subject (eg. IP address, user id) and period.

    The following example mitigates brute force attacks by limiting the number of login attempts for an IP address to 6 attempts per minute and 30 attempts per hour.

    // app/Http/Controllers/AuthController.js
     
    const RateLimiter = use('RateLimiter')
     
    class AuthController {
     
      * login (request, response) {
        const ipAddress = request.request.socket.remoteAddress
        yield RateLimiter.perform(ipAddress, 'login-min', 6, 60)
        yield RateLimiter.perform(ipAddress, 'login-hr', 30, 3600)
        
        ...
      }
    }

    If the subject exceeds the maximum number a RateLimitExceededException is thrown. The exception contains these properties:

    • message: The action key in the format {key}-rate-limit-exceeded, eg. login-min-rate-limit-exceeded
    • secondsToWait: The number of seconds the subject has to wait until it can perform the action again
    • status: 429 (HTTP status code for too many requests)

    You can conveniently handle this exception in your HTTP exception handler like this:

      RateLimitExceededException: function (error, request, response) {
        const status = error.status || 429
        const message = error.message || 'Rate limit exceeded'
        return { status, message }
      }

    Have a look at app/Services/ExceptionParser.js of the Adonis Rally project.

    Auto IP ban

    The following middleware automatically blocks an IP address after a number of requests that resulted in a response status code equal to or above 400.

    // app/Http/Middleware/AutoIpBan.js
     
    const RateLimiter = use('RateLimiter')
     
    class AutoIpBan {
      * handle (request, response, next) {
        const ipAddress = request.request.socket.remoteAddress
        const minuteLimiter = RateLimiter.make(ipAddress, 'auto-ip-ban-ms', 10, 60)
        const hourLimiter = RateLimiter.make(ipAddress, 'auto-ip-ban-hr', 60, 3600)
     
        if ((yield minuteLimiter.isUnderLimit()) && (yield hourLimiter.isUnderLimit())) {
          yield next
        } else {
          response.tooManyRequests({ status: 429, message: 'Too many suspicious requests' })
          return
        }
     
        if (response.response.statusCode >= 400) {
          yield minuteLimiter.add()
          yield hourLimiter.add()
        }
      }
    }
     
    module.exports = AutoIpBan

    You might want to add this middleware to your list of the global middlware just before Cors:

    // app/Http/kernel.js
     
    const globalMiddleware = [
      'App/Http/Middleware/AutoIpBan',
      'Adonis/Middleware/Cors',
      ...
    ]

    Copyright and License

    Copyright (c) 2016 Reto Inderbitzin, MIT License

    Install

    npm i adonis-rate-limiter

    DownloadsWeekly Downloads

    4

    Version

    0.1.0

    License

    MIT

    Last publish

    Collaborators

    • indr