adonis-rate-limiter
Rate limiter for AdonisJs framework using Redis.
Installation
npm install adonis-rate-limiter --save
After installation, register the provider and an optional alias in the bootstrap/app.js file:
```js
// bootstrap/app.js
const providers = [
  ...
  'adonis-rate-limiter/providers/RateLimiterProvider'
]

const aliases = {
  ...
  RateLimiter: 'Adonis/Addons/RateLimiter'
}
```
Usage
Rate limit a specific action
Use the RateLimiter provider to limit an action for a given subject (e.g. an IP address or a user id) over a given period.
The following example mitigates brute force attacks by limiting the number of login attempts for an IP address to 6 attempts per minute and 30 attempts per hour.
```js
// app/Http/Controllers/AuthController.js
const RateLimiter = use('RateLimiter')

class AuthController {
  * login (request, response) {
    const ipAddress = request.request.socket.remoteAddress
    // Two RateLimiter calls followed here, one for the per-minute limit and one
    // for the per-hour limit; their method names and arguments were lost in extraction.
    // RateLimiter.... (login-min: 6 attempts per 60 seconds)
    // RateLimiter.... (login-hour: 30 attempts per 3600 seconds)
    ...
  }
}
```
If the subject exceeds the maximum number of attempts, a RateLimitExceededException is thrown. The exception carries these properties:

- message: the action key in the format {key}-rate-limit-exceeded, e.g. login-min-rate-limit-exceeded
- secondsToWait: the number of seconds the subject has to wait until it can perform the action again
- status: 429 (the HTTP status code for Too Many Requests)
You can conveniently handle this exception in your HTTP exception handler like this:
```js
// in your HTTP exception handler
(error) => {
  const status = error.status || 429
  const message = error.message || 'Rate limit exceeded'
  return { status, message }
}
```
Have a look at app/Services/ExceptionParser.js of the Adonis Rally project.
Auto IP ban
The following middleware automatically blocks an IP address after a number of requests that resulted in a response status code equal to or above 400.
```js
// app/Http/Middleware/AutoIpBan.js
const RateLimiter = use('RateLimiter')

class AutoIpBan {
  * handle (request, response, next) {
    const ipAddress = request.request.socket.remoteAddress
    // The limiter construction and the check/increment calls below had their
    // method names and arguments lost in extraction; the control flow is intact.
    const minuteLimiter = RateLimiter....   // per-minute limiter for ipAddress
    const hourLimiter = RateLimiter....     // per-hour limiter for ipAddress

    if (minuteLimiter.... && hourLimiter....) {   // both limits still allow the request
      yield next
    } else {
      response....                                // reject the request
      return
    }

    // Only failed responses count against the IP address.
    if (response.response.statusCode >= 400) {
      minuteLimiter....
      hourLimiter....
    }
  }
}

module.exports = AutoIpBan
```
You might want to add this middleware to your list of global middleware just before Cors:
```js
// app/Http/kernel.js
const globalMiddleware = [
  'App/Http/Middleware/AutoIpBan',
  'Adonis/Middleware/Cors',
  ...
]
```
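To make the two mechanisms above concrete without depending on Redis or the AdonisJs runtime, here is an added example (not the adonis-rate-limiter library's own code) that implements both the two-tier login limit and the auto IP ban over constructed requests. It assumes a fixed-window counter per (key, subject) pair, the method names perform/canPerform, an in-memory Map standing in for Redis, ban thresholds of 10 failed responses per minute and 100 per hour, and an explicit nowSeconds argument so the windows can be stepped deterministically; all of these are assumptions, only the exception shape (message, secondsToWait, status) follows the README.

```javascript
// Added example, not the library's code. Fixed-window limiter with the exception
// shape described in the README; the store is an in-memory Map standing in for Redis.
class RateLimitExceededException extends Error {
  constructor (key, secondsToWait) {
    super(`${key}-rate-limit-exceeded`)   // e.g. login-min-rate-limit-exceeded
    this.secondsToWait = secondsToWait
    this.status = 429
  }
}

class RateLimiter {
  constructor () { this.store = new Map() }   // assumption: Map instead of Redis

  // Counter for (key, subject); a fresh window starts once the old one has expired.
  _bucket (key, subject, periodSeconds, nowSeconds) {
    const id = `${key}:${subject}`
    let b = this.store.get(id)
    if (!b || nowSeconds >= b.expiresAt) {
      b = { count: 0, expiresAt: nowSeconds + periodSeconds }
      this.store.set(id, b)
    }
    return b
  }

  // Record one attempt, or throw when `max` attempts were already used in this window.
  perform (key, subject, max, periodSeconds, nowSeconds = Date.now() / 1000) {
    const b = this._bucket(key, subject, periodSeconds, nowSeconds)
    if (b.count >= max) {
      throw new RateLimitExceededException(key, Math.ceil(b.expiresAt - nowSeconds))
    }
    b.count += 1
  }

  // Non-mutating check used by the ban middleware before the handler runs.
  canPerform (key, subject, max, periodSeconds, nowSeconds = Date.now() / 1000) {
    return this._bucket(key, subject, periodSeconds, nowSeconds).count < max
  }
}

// The README's login limit: 6 attempts per minute and 30 per hour per IP address.
function login (limiter, ipAddress, nowSeconds) {
  limiter.perform('login-min', ipAddress, 6, 60, nowSeconds)
  limiter.perform('login-hour', ipAddress, 30, 60 * 60, nowSeconds)
  return { status: 200 }
}

// The README's exception handler, returning the fields a client needs to back off.
function handleError (error) {
  const status = error.status || 429
  const message = error.message || 'Rate limit exceeded'
  return { status, message, secondsToWait: error.secondsToWait }
}

function safeLogin (limiter, ipAddress, nowSeconds) {
  try {
    return login(limiter, ipAddress, nowSeconds)
  } catch (error) {
    if (error instanceof RateLimitExceededException) return handleError(error)
    throw error
  }
}

// Auto IP ban: only responses with status >= 400 count against the IP. Once an IP
// has produced 10 such responses in a minute or 100 in an hour (assumed thresholds),
// further requests are answered with 429 before reaching the handler.
function autoIpBan (limiter, handler) {
  return function (request, nowSeconds) {
    const ip = request.remoteAddress
    const allowed = limiter.canPerform('ban-min', ip, 10, 60, nowSeconds) &&
                    limiter.canPerform('ban-hour', ip, 100, 3600, nowSeconds)
    if (!allowed) return { status: 429, body: 'Too many failed requests' }

    const response = handler(request, nowSeconds)
    if (response.status >= 400) {
      // Both checks passed above, so these increments cannot throw.
      limiter.perform('ban-min', ip, 10, 60, nowSeconds)
      limiter.perform('ban-hour', ip, 100, 3600, nowSeconds)
    }
    return response
  }
}

// Constructed demonstration: the 7th login attempt from one IP in the same minute is rejected.
const demoLimiter = new RateLimiter()
for (let i = 0; i < 7; i++) console.log(safeLogin(demoLimiter, '10.0.0.1', 1000))
```

Note that the per-minute limiter is consulted before the per-hour one, so a subject that trips the hourly limit has already consumed one attempt in the current minute window; the fixed-window design also lets a subject use up to twice the limit across a window boundary, which a sliding window would tighten.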
Copyright and License
Copyright (c) 2016 Reto Inderbitzin, MIT License