express-rate-limit
Comparing version 1.0.3 to 1.1.0
@@ -12,3 +12,4 @@ 'use strict'; | ||
// window, delay, and max apply per-ip unless global is set to true | ||
windowMs: 60 * 1000, // miliseconds - how long to keep records of requests in memory | ||
windowMs: 60 * 1000, // milliseconds - how long to keep records of requests in memory | ||
delayAfter: 1, // how many requests to allow through before starting to delay responses | ||
delayMs: 1000, // milliseconds - base delay applied to the response - multiplied by number of recent hits from user's IP | ||
@@ -38,3 +39,3 @@ max: 5, // max number of recent connections during `window` miliseconds before sending a 400 response | ||
if (hits[ip] > options.max) { | ||
if (options.max && hits[ip] > options.max) { | ||
// 429 status = Too Many Requests (RFC 6585) | ||
@@ -44,5 +45,8 @@ return res.status(429).end(options.message); | ||
// first hit shouldn't be delayed, so subtract 1 | ||
var delay = (hits[ip]-1) * options.delayMs; | ||
setTimeout(next, delay); | ||
if (options.delayAfter && options.delayMs && hits[ip] > options.delayAfter) { | ||
var delay = (hits[ip] - options.delayAfter) * options.delayMs; | ||
setTimeout(next, delay); | ||
} else { | ||
next(); | ||
} | ||
}; | ||
@@ -49,0 +53,0 @@ } |
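Review bot: The delay computed in the new branch, `var delay = (hits[ip] - options.delayAfter) * options.delayMs;`, has no upper bound, so when `max` is disabled (the new `options.max &&` guard makes `0` mean "never block") every further hit from one client schedules a longer timer while the request's socket stays open; a client sending requests faster than they are answered makes the server accumulate pending sockets and timers, which works against the purpose of a rate limiter. Node also treats a `setTimeout` delay above 2147483647 ms as 1 ms, so a very large product silently collapses to no delay at all. A cap such as `var delay = Math.min((hits[ip] - options.delayAfter) * options.delayMs, MAX_DELAY_MS);` (with `MAX_DELAY_MS` a module-level constant chosen by the maintainer, name constructed here) would bound both problems; the README could then state that the delay never exceeds that cap. The enclosing middleware function begins before this hunk.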
{ | ||
"name": "express-rate-limit", | ||
"version": "1.0.3", | ||
"version": "1.1.0", | ||
"description": "Basic rate-limiting middleware for Express. Use to limit access to public endpoints such as account creation and password reset.", | ||
@@ -28,15 +28,16 @@ "homepage": "https://github.com/nfriedly/express-rate-limit", | ||
"dependencies": { | ||
"defaults": "^1.0.0" | ||
"defaults": "^1.0.2" | ||
}, | ||
"devDependencies": { | ||
"express": "^4.10.4", | ||
"express": "^4.13.1", | ||
"grunt-cli": "^0.1.13", | ||
"grunt-contrib-jshint": "^0.10.0", | ||
"grunt-contrib-jshint": "^0.11.2", | ||
"grunt-contrib-nodeunit": "^0.4.1", | ||
"grunt-contrib-watch": "^0.6.1", | ||
"grunt-mocha-cli": "^1.11.0", | ||
"jshint-stylish": "^1.0.0", | ||
"load-grunt-tasks": "^1.0.0", | ||
"supertest": "^0.15.0", | ||
"time-grunt": "^1.0.0" | ||
"grunt-mocha-cli": "^1.14.0", | ||
"jshint-stylish": "^2.0.1", | ||
"load-grunt-tasks": "^3.2.0", | ||
"sinon": "^1.16.1", | ||
"supertest": "^1.0.1", | ||
"time-grunt": "^1.2.1" | ||
}, | ||
@@ -43,0 +44,0 @@ "scripts": { |
@@ -8,5 +8,6 @@ # Express Rate Limit | ||
Basic rate-limiting middleware for Express. Use to limit access to public endpoints such as account creation and password reset. | ||
Basic rate-limiting middleware for Express. Use to limit repeated requests to public endpoints such as account creation and password reset. | ||
Note: this module does not share state with other processes/servers, so if you need a more robust solution, I recommend checking out the excellent [strict-rate-limiter](https://www.npmjs.com/package/strict-rate-limiter) | ||
Note: this module does not share state with other processes/servers. | ||
If you need a more robust solution, I recommend checking out the excellent [strict-rate-limiter](https://www.npmjs.com/package/strict-rate-limiter) | ||
@@ -20,3 +21,15 @@ | ||
## Configuration | ||
* **windowMs**: milliseconds - how long to keep records of requests in memory. Defaults to 60,000 (1 minute). | ||
* **delayAfter**: max number of connections during `windowMs` before starting to delay responses. Defaults to 1. Set to 0 to disable entirely. | ||
* **delayMs**: milliseconds - how long to delay the response; is multiplied by number of recent hits - `delayAfter`. Defaults to 1,000 (1 second). Set to 0 to disable entirely. | ||
* **max**: max number of recent connections during `windowMs` milliseconds before sending a 400 response. Defaults to 5. Set to 0 to disable entirely. | ||
* **global**: If true, IP address is ignored and a single global hit counter is used. Defaults to false. | ||
* **message**: Error message returned when `max` is exceeded. Defaults to 'Too many requests, please try again later.' | ||
The `delayAfter` and `delayMs` options were written for human-facing pages such as login and password reset forms. | ||
For public APIs, setting these to `0` (disabled) and relying on only `windowMs` and `max` for rate-limiting usually makes the most sense. | ||
## Usage | ||
@@ -31,8 +44,8 @@ | ||
var limiter = RateLimit({ | ||
// window, delay, and max apply per-ip unless global is set to true | ||
windowMs: 60 * 1000, // miliseconds - how long to keep records of requests in memory | ||
delayMs: 1000, // milliseconds - base delay applied to the response - multiplied by number of recent hits from user's IP | ||
max: 5, // max number of recent connections during `window` miliseconds before (temporarily) bocking the user. | ||
global: false, // if true, IP address is ignored and setting is applied equally to all requests | ||
message: 'You have been very naughty.. No API response for you!!' // if message is set, the provide message will be shown instead of `Too many requests, please try again later.` | ||
windowMs: 60 * 1000, | ||
delayAfter: 1, | ||
delayMs: 1000, | ||
max: 5, | ||
global: false, | ||
message: 'Too many requests, please try again later.' | ||
}); | ||
@@ -44,2 +57,3 @@ | ||
// for a "regular" website, apply this only to specific endpoints | ||
// (this includes Single Page Apps if you serve the assets with express.static()) | ||
app.post('/create-account', limiter, function(req, res) { | ||
@@ -50,6 +64,7 @@ // ... | ||
You **could** apply this globally on a regular website, but be aware that it would then trigger on images, css, etc. So I wouldn't recommend it. | ||
You **could** apply this globally (`app.use(limiter);`) on a regular website, but be aware that it would then trigger on images, css, etc. So I wouldn't recommend it. | ||
## License | ||
MIT © [Nathan Friedly](http://nfriedly.com/) |