Node js Rate Limit

I am trying to set an API rate limit on my app using express-rate-limit. It works if it is from the same IP address. I have an error message once it reaches a max of 5. However, it fails when it is tried from a different IP address/computer. Any idea how I can fix this? I tried using 127.0.0.1 to generate a key regardless of the IP address, but that failed as well.

Below is my code:

// Rate Limit
var express = require('express');
var RateLimit = require('express-rate-limit');

var app = express();

// Needed behind a reverse proxy so req.ip is the client's address
// (taken from X-Forwarded-For) rather than the proxy's.
app.enable('trust proxy');

var limiter = new RateLimit({
  windowMs: 365*24*60*60*1000, // 1 year
  max: 5, // limit each IP to 5 requests per windowMs
  delayMs: 365*24*60*60*1000, // delaying - 365 days until the max limit is reached
  message: "Sorry, the maximum limit of 50 letters sent has been reached. Thank you for participating!",
  keyGenerator: function (req) {
    // attempt to use a single key for every client, regardless of its IP address
    req.ip = "127.0.0.1";
    // req.ip = "ip address";
    return req.ip;
  }
});

app.use('/api/letter', limiter);
Mihir Patel asked Feb 26 '17 13:02



1 Answer

The memory store implementation used by express-rate-limit uses setTimeout() to clear the store after windowMs milliseconds.

According to the Node.js documentation for setTimeout(),

When delay is larger than 2147483647 or less than 1, the delay will be set to 1.

In your case, the delay is larger than that amount, namely 31536000000 milliseconds. This results in the store never storing any data for more than 1ms.

To solve this, you probably have to implement your own store (see the store option), or perhaps look for an alternative rate limiter that doesn't have this limit (it seems to me that with such large expiry times, you'll need some sort of persistent storage anyway).

robertklep answered Sep 21 '22 04:09
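The custom store the answer points to, as an added example that is not part of the original question or answer: instead of arming a setTimeout() for the whole window, each key records an absolute reset time and is expired lazily on the next access, so a one-year windowMs is honoured rather than being clamped to 1 ms. The store shape (incr with a callback, decrement, resetKey, resetAll) is assumed to match the callback-based store interface of express-rate-limit v2 through v5; v6 and later use a different, promise-based interface. The IP addresses and the injected clock in the demo are constructed test data, and the express-rate-limit wiring is shown only in a comment so the block runs offline.

```javascript
// Added example: a timestamp-based store for express-rate-limit that does
// not depend on setTimeout(), so windows longer than 2^31-1 ms (~24.8 days)
// work. Store API assumed: legacy callback interface (v2-v5).

const MAX_TIMEOUT_MS = 2147483647; // largest delay setTimeout() honours

// True when a windowMs would be silently clamped to 1 ms by a
// setTimeout()-based reset, which is what breaks the one-year limit above.
function exceedsTimerLimit(windowMs) {
  return windowMs > MAX_TIMEOUT_MS || windowMs < 1;
}

class TimestampStore {
  // `now` is an injectable clock (constructed for the demo/tests).
  constructor(windowMs, now = Date.now) {
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map(); // key -> { count, resetTime }
  }

  // Return the live entry for key, dropping it if its window has elapsed.
  _entry(key) {
    const e = this.hits.get(key);
    if (e && e.resetTime <= this.now()) {
      this.hits.delete(key);
      return undefined;
    }
    return e;
  }

  // Count one hit for key and report the running total via cb(err, hits, resetTime).
  incr(key, cb) {
    let e = this._entry(key);
    if (!e) {
      e = { count: 0, resetTime: this.now() + this.windowMs };
      this.hits.set(key, e);
    }
    e.count += 1;
    cb(null, e.count, new Date(e.resetTime));
  }

  decrement(key) {
    const e = this._entry(key);
    if (e && e.count > 0) e.count -= 1;
  }

  resetKey(key) { this.hits.delete(key); }
  resetAll() { this.hits.clear(); }
}

// Wiring (not executed here, requires express-rate-limit v2-v5):
//   var limiter = new RateLimit({
//     windowMs: YEAR_MS, max: 5, store: new TimestampStore(YEAR_MS)
//   });

// Demo with a fake clock: two constructed client IPs over a one-year window.
function demo() {
  const YEAR_MS = 365 * 24 * 60 * 60 * 1000;
  const DAY_MS = 24 * 60 * 60 * 1000;
  let t = 0;
  const store = new TimestampStore(YEAR_MS, () => t);
  const counts = [];
  const hit = (key) => store.incr(key, (err, count) => counts.push(count));

  for (let i = 0; i < 6; i++) hit('203.0.113.7'); // 1..6, sixth exceeds max 5
  t = 300 * DAY_MS;        // 300 days later, still inside the window
  hit('203.0.113.7');      // 7: the count has survived well past 24.8 days
  hit('198.51.100.9');     // a different client starts its own count at 1
  t = YEAR_MS + 1;         // the first client's window has now elapsed
  hit('203.0.113.7');      // back to 1
  return counts;
}
```

The store still lives in process memory, so it is lost on restart; the answer's point about needing persistent storage for a one-year window stands, and the same lazy-expiry logic maps directly onto a Redis key with a TTL or a database row holding the reset timestamp.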