animir / node-rate-limiter-flexible Goto Github PK

Hello,

What is right way to get current number of points by key?
In my opinion, would be great to have a special getter for that.
I want to send remained points via special HTTP header.
At the moment I'm using RateLimiterMemory.

Good job and thank you.

I'd like to preset the user a timer with the remaining time, is that possible?

Hello,

So it seems in the library code that we key only off req.ip. There are some cases where that value can be spoofed if you are running Express behind a proxy via the X-Forwarded-For header if trust-proxy is set to true for the app. I was wondering if it is possible for a consumer of this library to pass an ip value in, and fall back to req.ip if nothing is passed in.

LOC: https://github.com/animir/node-rate-limiter-flexible/blob/master/lib/ExpressBruteFlexible.js#L148

Hi,

So when I print out the object returned from rateLimiterRedis.consume I get:

{
"_remainingPoints": 0,
"_msBeforeNext": 290093,
"_consumedPoints": 11,
"_isFirstInDuration": false
}

i.e. the attributes have a trailing underscore. Is this right? cause when I checked the api documentation,
the attributes do not have a trailing underscore.

From the api documentaion:
RateLimiterRes object
Both Promise resolve and reject returns object of RateLimiterRes class if there is no any error. Object attributes:

RateLimiterRes = {
msBeforeNext: 250, // Number of milliseconds before next action can be done
remainingPoints: 0, // Number of remaining points in current duration
consumedPoints: 5, // Number of consumed points in current duration
isFirstInDuration: false, // action is first in current duration
}

When installing this module I have a node gyp issue

$ npm install --save rate-limiter-flexible

> [email protected] install /node_modules/ursa
> node-gyp rebuild

  CXX(target) Release/obj.target/ursaNative/src/ursaNative.o
../src/ursaNative.cc:389:13: error: member access into incomplete type 'RSA' (aka 'rsa_st')
    obj->rsa->n = BN_bin2bn(data_n, n_length, NULL);
            ^
/Users/loretoparisi/.node-gyp/10.1.0/include/node/openssl/ossl_typ.h:110:16: note: forward declaration of 'rsa_st'
typedef struct rsa_st RSA;
               ^
../src/ursaNative.cc:390:13: error: member access into incomplete type 'RSA' (aka 'rsa_st')
    obj->rsa->e = BN_bin2bn(data_e, e_length, NULL);
            ^
/Users/loretoparisi/.node-gyp/10.1.0/include/node/openssl/ossl_typ.h:110:16: note: forward declaration of 'rsa_st'
typedef struct rsa_st RSA;
               ^
../src/ursaNative.cc:407:35: error: member access into incomplete type 'RSA' (aka 'rsa_st')
    if ((obj == NULL) || (obj->rsa->d != NULL)) {
                                  ^
/Users/loretoparisi/.node-gyp/10.1.0/include/node/openssl/ossl_typ.h:110:16: note: forward declaration of 'rsa_st'
typedef struct rsa_st RSA;
               ^
../src/ursaNative.cc:536:34: error: member access into incomplete type 'RSA' (aka 'rsa_st')
    bignumToBuffer(args, obj->rsa->e);
                                 ^
/Users/loretoparisi/.node-gyp/10.1.0/include/node/openssl/ossl_typ.h:110:16: note: forward declaration of 'rsa_st'
typedef struct rsa_st RSA;
               ^
../src/ursaNative.cc:552:34: error: member access into incomplete type 'RSA' (aka 'rsa_st')
    bignumToBuffer(args, obj->rsa->d);
                                 ^
/Users/loretoparisi/.node-gyp/10.1.0/include/node/openssl/ossl_typ.h:110:16: note: forward declaration of 'rsa_st'
typedef struct rsa_st RSA;
               ^
../src/ursaNative.cc:567:34: error: member access into incomplete type 'RSA' (aka 'rsa_st')
    bignumToBuffer(args, obj->rsa->n);
                                 ^
/Users/loretoparisi/.node-gyp/10.1.0/include/node/openssl/ossl_typ.h:110:16: note: forward declaration of 'rsa_st'
typedef struct rsa_st RSA;
               ^
../src/ursaNative.cc:1218:17: error: member access into incomplete type 'RSA' (aka 'rsa_st')
        obj->rsa->n = modulus;
                ^
/Users/loretoparisi/.node-gyp/10.1.0/include/node/openssl/ossl_typ.h:110:16: note: forward declaration of 'rsa_st'
typedef struct rsa_st RSA;
               ^
../src/ursaNative.cc:1219:17: error: member access into incomplete type 'RSA' (aka 'rsa_st')
        obj->rsa->e = exponent;
                ^
/Users/loretoparisi/.node-gyp/10.1.0/include/node/openssl/ossl_typ.h:110:16: note: forward declaration of 'rsa_st'
typedef struct rsa_st RSA;
               ^
../src/ursaNative.cc:1220:17: error: member access into incomplete type 'RSA' (aka 'rsa_st')
        obj->rsa->p = p;
                ^
/Users/loretoparisi/.node-gyp/10.1.0/include/node/openssl/ossl_typ.h:110:16: note: forward declaration of 'rsa_st'
typedef struct rsa_st RSA;
               ^
../src/ursaNative.cc:1221:17: error: member access into incomplete type 'RSA' (aka 'rsa_st')
        obj->rsa->q = q;
                ^
/Users/loretoparisi/.node-gyp/10.1.0/include/node/openssl/ossl_typ.h:110:16: note: forward declaration of 'rsa_st'
typedef struct rsa_st RSA;
               ^
../src/ursaNative.cc:1222:17: error: member access into incomplete type 'RSA' (aka 'rsa_st')
        obj->rsa->dmp1 = dp;
                ^
/Users/loretoparisi/.node-gyp/10.1.0/include/node/openssl/ossl_typ.h:110:16: note: forward declaration of 'rsa_st'
typedef struct rsa_st RSA;
               ^
../src/ursaNative.cc:1223:17: error: member access into incomplete type 'RSA' (aka 'rsa_st')
        obj->rsa->dmq1 = dq;
                ^
/Users/loretoparisi/.node-gyp/10.1.0/include/node/openssl/ossl_typ.h:110:16: note: forward declaration of 'rsa_st'
typedef struct rsa_st RSA;
               ^
../src/ursaNative.cc:1224:17: error: member access into incomplete type 'RSA' (aka 'rsa_st')
        obj->rsa->iqmp = inverseQ;
                ^
/Users/loretoparisi/.node-gyp/10.1.0/include/node/openssl/ossl_typ.h:110:16: note: forward declaration of 'rsa_st'
typedef struct rsa_st RSA;
               ^
../src/ursaNative.cc:1225:17: error: member access into incomplete type 'RSA' (aka 'rsa_st')
        obj->rsa->d = d;
                ^
/Users/loretoparisi/.node-gyp/10.1.0/include/node/openssl/ossl_typ.h:110:16: note: forward declaration of 'rsa_st'
typedef struct rsa_st RSA;
               ^
../src/ursaNative.cc:1270:17: error: member access into incomplete type 'RSA' (aka 'rsa_st')
        obj->rsa->n = modulus;
                ^
/Users/loretoparisi/.node-gyp/10.1.0/include/node/openssl/ossl_typ.h:110:16: note: forward declaration of 'rsa_st'
typedef struct rsa_st RSA;
               ^
../src/ursaNative.cc:1271:17: error: member access into incomplete type 'RSA' (aka 'rsa_st')
        obj->rsa->e = exponent;
                ^
/Users/loretoparisi/.node-gyp/10.1.0/include/node/openssl/ossl_typ.h:110:16: note: forward declaration of 'rsa_st'
typedef struct rsa_st RSA;
               ^
16 errors generated.
make: *** [Release/obj.target/ursaNative/src/ursaNative.o] Error 1

What is this ursaNative dependency?

Thank you.

Memcache is widely used and fast in-memory key-value storage.
It would be good to have it, I believe, it should be the same fast as Redis.

Read Contribution notes before you start.

I was thinking if we could add a dump/restore functionality to this module.

Due to the nature of nodejs process, if it goes down we loose everything stored in the in-memory db.

What are your thoughts?

For example, if I use different IPs via proxy service to attack a public API, can this package shield this kind of attack?

A reference implementation example: https://eggjs.org/en/tutorials/proxy.html#configmaxproxycount

Thanks.

Hi!

I'm trying to use this package to limit requests number but I'm having some troubles with Mongoose connections.

The point is that I init the DB connection through a file called db.js wich is then imported in my app.js.

The fact is that the DB connection is available only after the app has been initialized but the limiter-middleware needs the connection during the app initialization.

As you can see in the following files I've stored the DB connection in a variable called _db wich is readable with the getDb() method.

But If I call the getDb() method inside the rate-limiter.js file I get an error because DB connection is not initialized yet.

I don't want to init a second connection inside ip-limiter.js file.

Have you some suggestions on how I can acheive my goal? :)

Any help would be very appreciated

--

"mongoose": "^5.5.11",
"rate-limiter-flexible": "^1.0.2"

--

app.js

// Import core packeges
const path = require('path');

// Import third-party packages
const express = require('express');

// Import custom packages
const CONFIG = require('./config/config');
const initDb = require('./db').initDb;
const getDb = require('./db').getDb;

// Import middlewares and routes
... import some middlewares and routes
const routeIPLimiterMiddleware = require('./middlewares/limiters/ip-limiter');


// Init & config express
const app = express();

// BEGIN - Middlewares and routes
... some middlewares and routes
app.use(routeIPLimiterMiddleware); // Limit request number per seconds per IP
.. some other middlewares and routes
// END - Middlewares and routes

// Connect to db
initDb(err => {
  if (err) {
    console.warn('initDb error', err);
  }
  app.listen(CONFIG.PORT, err => {
    if (err) {
      throw err;
    }
    console.log(`API Up and running on port ${CONFIG.PORT}`);
  });
});

db.js

const assert = require('assert');
const mongoose = require('mongoose');
const CONFIG = require('./config/config');

let _db;

// Get current db connection
module.exports.getDb = () => {
  assert.ok(_db, 'Db has not been initialized. Please called init first.');
  return _db;
}

// Init database connection
module.exports.initDb = (callback) => {
  if (_db) {
    return callback(null, _db);
  }

  mongoose.connect(CONFIG.DATABASE.URI, CONFIG.DATABASE.OPTIONS)
    .then(db => {
      _db = db;
      return callback(null, _db);
    })
    .catch(err => {
      return callback(err);
    });
}

ip-limiter.js

const getDb = require('../../db').getDb;
const { RateLimiterMongo  } = require('rate-limiter-flexible');
const CONFIG = require('../../config/config');

const mongoConn = getDb();

const ipRateLimiterOptions = {
  storeClient: mongoConn,
  points: 1, // Maximum number of points can be consumed over duration
  duration: 2, // Number of seconds before consumed points are reset
  dbName: CONFIG.DATABASE.NAME,
  keyPrefix: 'rl-100'
}

const rateLimiter = new RateLimiterMongo(ipRateLimiterOptions);

/**
 * Limit requests number per second per IP
 */
module.exports = (req, res, next) => {
  rateLimiter.consume(req.ip)
    .then(() => {
      next();
    })
    .catch(() => {
      res.status(429).json({
        status: false,
        message: 'Too many requests'
      });
    });
}

Is there a way to automatically revert back to RateLimiterRedis after redis connection recovers from going down?

The code below will continue to use RateLimiterMemory even after the redis connection recovers.

const redis = require('redis');
const { RateLimiterRedis, RedisLimiterMemory } = require('rate-limiter-flexible');

const redisClient = redis.createClient({
  enable_offline_queue: false,
  retry_strategy: function (options) {
    if (options.attempt > 3) { // Try to reconnect 3 times
      // This error is caught by limiter and then insurance limiter is used in this case
      return new Error('Retry time exhausted');
    }

    return 100; // Not longer than 100 * 3 = 300 ms
  }
});

const rateLimiterMemory = new RateLimiterMemory({
  points: 1,
  duration: 1
});

const rateLimiter = new RateLimiterRedis({
  redis: redisClient,
  points: 5,
  duration: 1,
  insuranceLimiter: rateLimiterMemory
});

Terminologies such as whitelist and blacklist have historical context, making their meaning unclear. A substitution for allowlist and denylist would bring more direct meaning. The same goes for isWhite and isBlack, which can be replaced by isAllowed and isDenied.

I am aware that this would represent a breaking change, but I still consider it valid. Meanwhile it is possible to correct these terminologies internally on the library.

It would be great to be able to allow further customization of points allowed instead of a sweeping value across all keys. Ex: Allow IP 1 to have 60 points over 60 seconds, but allow IP 2 to only have 30 points over 60 seconds, and allow IP 3 to have a dynamic value (like 2x IP1, or some other call back to have it externally determined), with some sort of default points if not specified. It would also be beneficial to store that in something other than memcache (redis, for example) which would allow users of the library to update/specify the points for a key after it has been deployed so it can be updated dynamically as the situations arise just by updating the distributed cache.

I imagine this would slow down each request since it would probably be 2 calls to redis, but as an opt-in capability I would be happy to accept that.

@OsoianMarcel suggested to implement black/white lists options here #4

We had decided during discussion, that black/white keys checks should be implemented as separate wrapper for the sake of clearness.

Here is example

const rl = new BlackAndWhiteListWrapper({
  limiter: anyRateLimiter,
  blackList: [],
  whiteList: [],
  isBlack: () => {},
  isWhite: () => {},
});

Is there any way to implement a leaky bucket algorithm with bucket size in order to allow burst requests?

For example a bucket of size 10 with 2 req/s leak rate allows up to 10 burst requests which fill the bucket and then only 2 req/s while the bucket remains full. If there are no requests, then the bucket empties at the 2 req/s leak rate, allowing another 10 burst requests after 5 seconds.

This is the implementation of the bottleneck library: https://github.com/SGrondin/bottleneck#increase-interval

I dont know if its intentional but, msBeforeNext variable (at least in mysql version) always only looks at the duratin value (not blockDuration). Which makes "Login endpoint protection" example bugged. Because value is first checked with .get() a if there are enough consumed points response is always 429. So, basically examples block the requests according to 'duration' variable NOT 'blockDuration' variable. I am not perfectly familiar with the api yet but it should either check with consume() instead of get() should be fixed (again, not sure if its intentional). I think get() can return a flag if key is broken or not or msBeforeNext should also consider blockDuration.

This will trigger an Unhandled promise rejection when one of the promises rejects (specifically the next request after remainingPoints is 0)

There's a discussion on stackoverflow and many solutions proposed (see https://stackoverflow.com/a/54291660/3934172)

I'm not understanding the relationship between duration and blockDuration. Using the example "Login endpoint protection" in the wiki if I set my RateLimiterRedis configuration as:

const limiterConsecutiveFailsByUsernameAndIP = new RateLimiterRedis({
  storeClient: redisClient,
  keyPrefix: 'login_fail_consecutive_username_and_ip',
  points: 5,
  duration: 60 * 60 * 24 * 90, // Store number for 90 days since first fail
  blockDuration: 30
});

after 5 failed login attempts I'm locked out for 90 days-- the calculated retrySec is ~ 7776000 and any subsequent login attempts are blocked (until I delete my redis keys). I'm purposely setting the blockDuration to 30 (i.e. 30 seconds) for testing. Once it's working as expected I'll change to 1 hour (60 * 60) or something reasonable.

How do these 2 settings work together? For testing and understanding how this works I've set duration to 60 and blockDuration to 30, but only duration seems to matter and I reset 60 seconds after the first failed attempt. Once max points have been consumed in duration that appears to be it. How does blockDuration matter at all?

Observed that rate limiter is caching points consumed/remaining in redis in multiple database. There are 16 DB available in Redis and data is being cached into selected DB when data is being upsert to Redis. I would suggest their should be option to pass in which DB index should be used in Redis to maintain cache

Any thoughts on implementing the storage class for Firestore / Firebase?

This would be great for the firebase cloud functions :) since firestore is part of the package.

Would it be possible to add the toString and toJSON method signatures to the type declaration for RateLimiterRes? At the moment TypeScript complains about these two properties not being available on an instance of RateLimiterRes.

Project looks great, thanks for sharing. What advantages and disadvantages would there be to using limiting at app level and not before the app within a reverse proxy? My view is that the app is still being caught up processing the rate limiting of course and would prefer to keep this functionality in front of actual app servers. Or would this packages be used within a nodes.js reverse proxy before the application?

Hey there,

I recently started using your package and it works pretty well. However, after the server has been on for about 5–10 mins, it crashes due to invalid SQL syntax. It should be noted I'm using Sequelize.

Executing (default): DELETE FROM dashboard.rateLimiter WHERE expire < ?

My rateLimiter middleware function is shown below;

import { RateLimiterMySQL } from 'rate-limiter-flexible';

import { sequelize } from '../models';

const rateLimiter = new RateLimiterMySQL(
  {
    storeClient: sequelize,
    tableName: 'rateLimiter',
    points: 10,
    duration: 2,
  },
  err => {
    if (err) throw new Error(`Unable to connect to start Rate Limiter \n ${err}`);
  }
);

export default (req, res, next) => {
  rateLimiter
    .consume(req.connection.remoteAddress, 2)
    .then(() => {
      next();
    })
    .catch(() => {
      res.status(429).send('You are sending too many requests.');
    });
};

Hopefully you can provide a solution. :)

I have one instance of Redis, and multiple API's from different endpoints. Can I use the same Redis instance for differente backends?

This is just a starting point, don't pretend that it's a production thing

RateLimiterCluster doesn't work in app launched by PM2, since master in PM2 environment can't send messages via IPC, separate RateLimiterClusterMasterPM2 have to be implemented.

See this example: https://gist.github.com/nethoncho/b1160edacfe3e12a336c34e98f04cb2a

I'm serving with express middleware both apis and static files. I'm using the RLWrapperBlackAndWhite for filter out localhost / 127.0.0.1 calls:

const rateLimiterMemory = new RateLimiterMemory({
                  points: 11,
                duration: 1,
                execEvenly: false
            });
            const limiterWrapped = new RLWrapperBlackAndWhite({
                limiter: rateLimiterMemory,
                whiteList: ['127.0.0.1'],
                runActionAnyway: false,
            });
            const rateLimiterMiddleware = (req, res, next) => {
                limiterWrapped.consume(req.connection.remoteAddress)
                    .then(() => {
                        next();
                    })
                    .catch(_ => {
                        var errorMessage = APIHelper.createErrorMessage(429, '', '', 'Too Many Requests');
                        res.status(429).send(errorMessage);
                    });
            };
            self.app.use(rateLimiterMiddleware);

I'm serving static files as well and I often get the error

{
	message: {
		header: {
			status_code: 429
		},
		body: {
			error: {
				code: 429,
				status: 429,
				hint: "",
				description: "",
				message: "Too Many Requests"
			}
		}
	}
}

back from the limiter on these static routes

 self.app.use(express.static(path.join(__dirname, 'public')));
        self._options.staticRoutes.forEach(route=> {
            self.app.use(BASEPATH+route,express.static(path.join(__dirname, 'public')));
        });

How can I filter out the static routes from the rate limiter middleware?

When memcached is unavailable, I get "Maximum call stack size exceeded" Error on line https://github.com/animir/node-rate-limiter-flexible/blob/master/lib/RateLimiterMemcache.js#L31
called from https://github.com/animir/node-rate-limiter-flexible/blob/master/lib/RateLimiterMemcache.js#L59 .

attemptNumber is never increased, which results in never ending loop. I believe attemptNumber should be increased on this line https://github.com/animir/node-rate-limiter-flexible/blob/master/lib/RateLimiterMemcache.js#L57

Reproduction code, memcached must be unavailable

'use strict';

const {RateLimiterMemcache} = require('rate-limiter-flexible');
const Memcached = require('memcached');

const memcacheRateLimiterOpts = {
    points: 100, // 100 same events
    duration: 3600, // per 1 hour
    storeClient: new Memcached('127.0.0.1:12345', {timeout: 500, failures: 2, retries: 2})
};

const rateLimiter = new RateLimiterMemcache(memcacheRateLimiterOpts);

async function foobar() {
    await rateLimiter.consume('aaa');
}

foobar();

To reuse the same code for different endpoints it would be useful to change the key after you have initialised the rate limiter.

Current code:

const {RateLimiterPostgres} = require('rate-limiter-flexible');

const opts = {
  points: 6,
  duration: 1,
  storeClient: sequelize,
  tableName: 'RateLimit',
  keyPrefix: 'UsernameLookup'
};

const ready = (err) => {
  if (err) {
    console.error(err);
  } else {
    console.log('Created/Found table needed for rate limiting');
  }
};

const rateLimiter = new RateLimiterPostgres(opts, ready);

exports.rateLimiting = (req, res, next) => {
  rateLimiter.consume(req.ip, 1)
    .then((rateLimiterRes) => {
      next();
    })
    .catch(() => {
      res.status(429).send('Too Many Requests');
    });
};

It would be useful to change the key from within the rateLimiting function, so the same export can be used for different endpoints if required.

Example:

const {RateLimiterPostgres} = require('rate-limiter-flexible');

const opts = {
  points: 6,
  duration: 1,
  storeClient: sequelize,
  tableName: 'RateLimit',
};

const ready = (err) => {
  if (err) {
    console.error(err);
  } else {
    console.log('Created/Found table needed for rate limiting');
  }
};

const rateLimiter = new RateLimiterPostgres(opts, ready);

exports.rateLimiting = (req, res, next) => {
  if (req.path.indexOf('username') > -1 {
    rateLimiter.key = 'UsernameLookup';
  } else  if (req.path.indexOf('passwordReset') > -1 {
    rateLimiter.key = 'PasswordReset';
  }

  rateLimiter.consume(req.ip, 1)
    .then((rateLimiterRes) => {
      next();
    })
    .catch(() => {
      res.status(429).send('Too Many Requests');
    });
};

If I create a new instance of the rate limiter, will it remember past usage info (specifically, if I pass keyPrefix), or will it begin fresh and think there has been no usage so far? E.g. say I have an instance that consumes 50 points, then it gets deleted. If I create a new instance before the duration expires, will it remember that 50 points were recently consumed?

Also, does each instance create a separate connection to redis?

Basically, my use-case requires different rate-limiting configurations for each client, so if I were to use this service, I would need a different rate limiter instance for each client. This is okay if I can create/delete the instances if the data persists in redis. But if the instances cannot be deleted, I worry if each instance will have their own redis connection (which can cause issues).

We have a situation where we want to rate limit actions on individual record IDs. Rate limiter queue on top of a Redis limiter handles this job for us, but we need it to consume per record ID however current RateLimiterQueue calls consume with a hardcoded limiter name

Any chance to make _key parametric in queue constructor or a removeTokens overload with _key parameter so that we can dynamically use many granular queues over a single limiter instance?

I'm implementing rate limit functionality with RateLimiterMongo and _initCollection function throws TypeError: Cannot read property 'collection' of undefined. Changing this.client.db to this.client from rows 80 and 81 will fix the issue.

This is with MongoDB version 3.4.10.

Hello, great library btw. I just wanna if it is possible to increase the blockDuration dynamically on succeeding failures?

Given this config

const loginLimiter = new RateLimiterRedis({
  redis: redisClient,
  keyPrefix: 'login:',
  points: 5, // 5 attempts
  duration: 60 * 60 * 24, // within a day
  blockDuration: 60, // 1 min
});

I want to set the next blockDuration to 5mins if the next rate limit reset was already consumed.

Just to illustrate:

5 attempts > fail > wait for 1 min > 1 min has passed > 5 attempts > fail > wait for 5mins

Is it possible for this library?

Thanks for the help.

I've read the docs, and it seems you can pass through knex instances, but I didn't see if it supports SQLite3 - could you clarify please?

Hi, in https://github.com/animir/node-rate-limiter-flexible/wiki/Black-and-White-lists

If Key is black, consume rejected anytime.

If the key is blacklisted, is there a way to differentiate it in the RateLimiterRes object?

From what I see, if the key is blacklisted, the msBeforeNext value will be 9007199254740991 forever.

Its difficult to use this library when there are frequent updates without a changelog telling us about new features, breaking changes, etc.

Could you please consider this for future releases?

Looking at the code it appears that RateLimiterCluster accepts an insuranceLimiter and this is purely a limitation of the typings, however I wanted to check that was the case before PRing a change

Hey,

I tried to use the RateLimiterUnion class in my app but it is not exported. I am wondering if/when I can expect that to be exported?

Is there a way to share the model with mongoose? So I can create a page where I can list all current blocks (and easily remove them, if needed). Or are there any other ways to create this?

Could you maybe include https://github.com/jhurliman/node-rate-limiter in your benchmark?

I use suffixes like -dev, -test etc for my databases. When I try to initialise this library with a dbName of website-dev etc I get this error:

{ Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for 
the right syntax to use near '-dev' at line 1
    at Packet.asError (/Users/matt/dev/myapp/node_modules/mysql2/lib/packets/packet.js:714:13)
    at Query.Command.execute (/Users/matt/dev/myapp/node_modules/mysql2/lib/commands/command.js:28:22)
    at Connection.handlePacket (/Users/matt/dev/myapp/node_modules/mysql2/lib/connection.js:513:28)
    at PacketParser.onPacket (/Users/matt/dev/myapp/node_modules/mysql2/lib/connection.js:81:16)
    at PacketParser.executeStart (/Users/matt/dev/myapp/node_modules/mysql2/lib/packet_parser.js:76:14)
    at Socket.<anonymous> (/Users/matt/dev/myapp/node_modules/mysql2/lib/connection.js:89:29)
    at Socket.emit (events.js:198:13)
    at Socket.EventEmitter.emit (domain.js:448:20)
    at addChunk (_stream_readable.js:288:12)
    at readableAddChunk (_stream_readable.js:269:11)
    at Socket.Readable.push (_stream_readable.js:224:10)
    at TCP.onStreamRead [as onread] (internal/stream_base_commons.js:94:17)
  code: 'ER_PARSE_ERROR',
  errno: 1064,
  sqlState: '42000'
}

I tried wrapping the database name in backticks which seemed to work (eg. it created the table in the website-dev database), but the middleware I created (from here) only returned failures (eg. the 429 error) and did not insert anything into the database.

Hi @animir Congratulations for your library! Very complete!

I was using Express Rate Limit as the rate limiter for my Express API. However, I have recently changed my app to use Nodejs' Cluster module, so I had to look for another library that supported cluster features. And I found Rate Limiter Flexible.

However I don't know how to implement the same functionality I had: some endpoints had a different limitation configuration, but limitation/blocking was global. For example: /login has a limit of 10 requests per minute, and /users/:userId has a limit of 1000 requests per 5 minutes. If a user consumed the 10 requests in /login, he could not request /user/:userId because he had already reached a 429 error status from another endpoint (/login).

It was a simple middleware like:

// Router middleware
router.post('/login', RateLimiter.limiter(10, 1 * 60), myController) // 10 req in 1 min
router.get('/users/:userId', RateLimiter.limiter(1000, 5 * 60), myController) // 1000 req in 5 min

// Rate limiter
import rateLimit from 'express-rate-limit'
export function limiter (requests, intervalSeconds) {
  return rateLimit({
    windowMs: intervalSeconds || config.defaultIntervalSeconds,
    max: requests || config.defaultMaxRequests,
    onLimitReached, // Log the error
    keyGenerator, // Generate a key from the IP
    skip: () => !config.isEnabled
  })
}

However, I don't know how to implement it with Rate Limiter Flexible, as if I create two instances (one for each endpoint), if user consumes all points in one endpoint, he can still consume points of the second endpoint:

export function limiter (requests, intervalSeconds) {
  return function (req, res, next) {
    // Skip rate-limiter if not enabled
    if (config.isEnabled !== true) return next()

    const allowedRequests = requests || config.maxRequests
    const duration = intervalSeconds || config.intervalSeconds

    rateLimiter = new RateLimiterCluster({
      keyPrefix: 'rate-limiter',
      points: allowedRequests,
      duration,
      timeoutMs: 3000
    })

    return rateLimiter.consume(keyGenerator(req))
      .then(()=> {
        return next()
      })
      .catch(()=> {
        return res.status(429).json({})
      })
  }
}

Is there a way to achieve the same functionality in Rate Limiter Flexible? Or do you think of a way to handle this with this library?

Thank you so much.

All test files from tests directory should be checked by eslint as well as package code

Remove deprecated:

1. Remove isWhite and isBlack getters/setters and options support from RLWrapperBlackAndWhite. isWhiteListed and isBlackListed should be used instead.
2. Remove IRateLimiterResOptions interface from lib/index.d.ts. IRateLimiterRes should be used.

Hi, I realised that negative values are allowed for points and duration when you initialise a RateLimiter, should this return an error instead as it does not make sense to have negative values for points and duration.

I'm running a Cluster/Worker configuration and I do internal api calls to localhost. Having configured the rate limiter as a express middleware, I get these internal api calls limited too:

const rateLimiterMiddleware = (req, res, next) => {
                rateLimiter.consume(req.connection.remoteAddress)
                    .then(() => {
                        next();
                    })
                    .catch(_ => {
                        var errorMessage = APIHelper.createErrorMessage(429, '', '', 'Too Many Requests');
                        res.status(429).send(errorMessage);
                    });
            };
            self.app.use(rateLimiterMiddleware);

It would be possibile to filter out localhost / 127.0.0.1 IP address so that the middleware would skip these internal api calls?

Would be great to have an option where we can pass a list of key exceptions (array of strings).
It's useful when you want to not track points for epecific keys (IP Whitelist).

In the "Login endpoint protection" example in the wiki there's a bug awaiting for the consume promises. It should be await Promise.all(promises) and not await promises

CHANGE:

      try {
        const promises = [limiterSlowBruteByIP.consume(ipAddr)];
        if (user.exists) {
          // Count failed attempts by Username + IP only for registered users
          promises.push(limiterConsecutiveFailsByUsernameAndIP.consume(usernameIPkey));
        }

        await promises;

        res.status(400).end('email or password is wrong');
      } catch (rlRejected) {

TO:

      try {
        const promises = [limiterSlowBruteByIP.consume(ipAddr)];
        if (user.exists) {
          // Count failed attempts by Username + IP only for registered users
          promises.push(limiterConsecutiveFailsByUsernameAndIP.consume(usernameIPkey));
        }

        await Promise.all(promises);

        res.status(400).end('email or password is wrong');
      } catch (rlRejected) {
```

Question

• Why the redis client should be configured as enableOfflineQueue: false? When I tried without this option, rate-limit does work well.

Hi there. First, thank you for the excellent library!

I'm having an issue when attemping to implement the RateLimiterCluster with PM2 in cluster mode.

I followed the example you wrote here:
https://github.com/animir/node-rate-limiter-flexible/wiki/PM2-cluster

However your example doesn't include a 'storeClient' prop passed to the RateLimiterCluster constructor (even though the TS definitions have IRateLimiterStoreOptions as the options interface accepted by RateLimiterCluster). So I add the storeClient prop anyway, which points to my redisClient (node-redis), and fire everything up.

It seems as if my redis store isn't being touched at all, even though the rate limiting is working. This suggests to me that even though I specified my redisClient as the storeClient, RateLimiterCluster is actually operating in-memory.

Can you tell me how to hook RateLimiterCluster to my redis store? Or perhaps it actually should be in-memory only? And if that's the case, can you change the interface required by the RateLimiterCluster constructor to exclude the storeClient prop?

Thanks very much!

Not sure if due to recent changes in ioredis, but RateLimiterRedis is not working with ioredis 4.x.
The issue is how iosredis result format is handled in RateLimiterRedis.js

  _get(rlKey) {
    return new Promise((resolve, reject) => {
      this.client.multi()
        .get(rlKey)
        .pttl(rlKey)
        .exec((err, res) => {
          if (err) {
            reject(err);
          } else {
            const [points] = res;
            if (points === null) {
              res = null;
            } else {
              res.unshift('GET');
            }
            resolve(res);
          }
        });
    });
  }

A typical res value returned by ioredis would look like that: [ [ null, '5' ], [ null, 275680 ] ]
Thus in the code above, points will always be null.
In addition, the res.unshift('GET') is also incorrect, since the code in the _getRateLimiterRes method is expecting the first parameter to be an array in order to get recognize as an ioredis result format:

 _getRateLimiterRes(rlKey, changedPoints, result) {
    let [resSet, consumed, resTtlMs] = result;
    // Support ioredis results format
    if (Array.isArray(resSet)) {
      [, resSet] = resSet;
      [, consumed] = consumed;
      [, resTtlMs] = resTtlMs;
    }
...

Fix is easy, but I am not sure how to PR without breaking non-ioredis redis clients.
In the meantime I fixed my code using this wrapping class:

class RateLimiterIoRedis extends RateLimiterRedis {
  async _get(rlKey) {
    const res = await this.client
      .multi()
      .get(rlKey)
      .pttl(rlKey)
      .exec();

    if (res[0][1] === null) {
      return null;
    }

    return [[null, 'GET'], ...res];
  }
}

const rateLimiter = new RateLimiterIoRedis();