An hapi.js plugin that limits the number of failed attempts, based on IP and called route, using Redis to store attempts count. Useful for preventing brute force attacks.

npm install --save hapi-attempts-limiter

You need to register the plugin in you hapi server instance, providing some configuration attributes:

• redisClient: an instance of Redis
• namespace: a prefix for the items saved to Redis by the plugin (optional)
• errorMessage: a function that can be used to generate a custom error message (optional). Read the dedicated chapter for details.
• global.limit: the number of maximum failed attempts in the current time window (default: 5)
• global.duration: the length of the time window in seconds (default: 60 seconds)
• global.genericRateLimiter: a flag to transform the plugin in a generic rate limiter (default: false)
• global.trustProxy: a flag to use the latest IP address of x-forwarded-for header (AWS ELB format), if present (default: false)

server.register({
  register: require('hapi-attempts-limiter'),
  options: {
    namespace: 'FOO',
    redisClient: yourRedisInstance
    global: {
      limit: 5,
      duration: 60
    }
  }
});

Starting from the first failed attempt, the plugin will exposed three headers:

• X-RateLimit-Limit: the number of maximum failed attempts in the current time window
• X-RateLimit-Remaining: the number of remaining failed attempts in the current time window
• X-RateLimit-Reset: the seconds until the expiration of the current time window

If you are working with cross-domain requests using CORS protocol and you want to access X-RateLimit-* headers from your client, you have to expose them by adjusting the route configuration (or the global one):

cors: {
    origin: ['*'],
    additionalExposedHeaders: ['X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-RateLimit-Reset']
}

Additionally, you can define for every route a custom limit and a custom duration. You just need to add some parameters to your route configuration object:

{
  method: 'POST',
  path: '/login',
  handler: loginUser,
  config: {
    description: 'User login route',
    plugins: {
      'hapi-attempts-limiter': {
          limit: 3, // a custom limit
          duration: 120 // a custom duration, in seconds
      }
    }
  }
}
//
{
  method: 'POST',
  path: '/heavy',
  handler: heavyRouteHandler,
  config: {
    description: 'Route to be called in moderation',
    plugins: {
      'hapi-attempts-limiter': {
          genericRateLimiter: true
      }
    }
  }
}

You can specify a custom error message by defining the function errorMessage in the plugin settings.

server.register({
  register: require('hapi-attempts-limiter'),
  options: {
    namespace: 'FOO',
    redisClient: yourRedisInstance,
    errorMessage: function (limit) {
      /*
       * Limit is an object that contains the following properties:
       * limit.remaining: the number of remaining attempts (0, in case of error)
       * limit.total: the number of available attempts
       * limit.duration: the length of the time window
       * limit.reset: the remaining time to the time window expiration
       *
       * You can return a Boom instance, an Error instance or a string that will be converted to a Boom 429 error.
      */
      return Boom.tooManyRequests('Rate limit exceeded, retry in ' + limit.reset + ' seconds');
    }
    global: {
      limit: 5,
      duration: 60
    }
  }
});

Happy coding!