express-rate-limit
Comparing version 2.1.3 to 2.2.0
@@ -7,9 +7,13 @@ 'use strict'; | ||
options = defaults(options, { | ||
// window, delay, and max apply per-ip unless global is set to true | ||
// window, delay, and max apply per-key unless global is set to true | ||
windowMs: 60 * 1000, // milliseconds - how long to keep records of requests in memory | ||
delayAfter: 1, // how many requests to allow through before starting to delay responses | ||
delayMs: 1000, // milliseconds - base delay applied to the response - multiplied by number of recent hits from user's IP | ||
max: 5, // max number of recent connections during `window` miliseconds before sending a 429 response | ||
delayMs: 1000, // milliseconds - base delay applied to the response - multiplied by number of recent hits for the same key. | ||
max: 5, // max number of recent connections during `window` milliseconds before sending a 429 response | ||
message : 'Too many requests, please try again later.', | ||
statusCode: 429, // 429 status = Too Many Requests (RFC 6585) | ||
// allows to create custom keys (by default user IP is used) | ||
keyGenerator: function (req /*, res*/) { | ||
return req.ip; | ||
}, | ||
handler: function (req, res /*, next*/) { | ||
@@ -38,16 +42,16 @@ res.format({ | ||
function rateLimit(req, res, next) { | ||
var ip = req.ip; | ||
var key = options.keyGenerator(req, res); | ||
if (hits[ip]) { | ||
hits[ip]++; | ||
if (hits[key]) { | ||
hits[key]++; | ||
} else { | ||
hits[ip] = 1; | ||
hits[key] = 1; | ||
} | ||
if (options.max && hits[ip] > options.max) { | ||
if (options.max && hits[key] > options.max) { | ||
return options.handler(req,res, next); | ||
} | ||
if (options.delayAfter && options.delayMs && hits[ip] > options.delayAfter) { | ||
var delay = (hits[ip] - options.delayAfter) * options.delayMs; | ||
if (options.delayAfter && options.delayMs && hits[key] > options.delayAfter) { | ||
var delay = (hits[key] - options.delayAfter) * options.delayMs; | ||
setTimeout(next, delay); | ||
@@ -67,8 +71,9 @@ } else { | ||
// export an API to allow hits from one or all IPs to be reset | ||
function resetIp(ip) { | ||
delete hits[ip]; | ||
function resetKey(key) { | ||
delete hits[key]; | ||
} | ||
rateLimit.resetIp = resetIp; | ||
rateLimit.resetKey = resetKey; | ||
// Backward compatibility function | ||
rateLimit.resetIp = resetKey; | ||
@@ -75,0 +80,0 @@ return rateLimit; |
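Review bot: The `if (hits[key])` test in rateLimit now runs on a caller-chosen key, and a plain-object lookup also sees properties inherited from Object.prototype: for a key such as `constructor` or `toString` the check is truthy before any request was counted, `hits[key]++` produces NaN, and both the `> options.max` and `> options.delayAfter` comparisons are false, so no limit or delay is ever applied to that key. With the default `req.ip` generator this cannot happen, but a custom keyGenerator that derives the key from request data (user name, header, token) makes it reachable by whoever controls that data. Guard with own-property checks, `if (Object.prototype.hasOwnProperty.call(hits, key)) {`, or create the store without a prototype (`Object.create(null)`) where `hits` is initialised, which is outside this hunk. A generator returning undefined also collapses all such requests into the single `"undefined"` bucket; a short comment on keyGenerator noting that it must return a non-empty string would help.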
{ | ||
"name": "express-rate-limit", | ||
"version": "2.1.3", | ||
"description": "Basic rate-limiting middleware for Express. Use to limit access to public endpoints such as account creation and password reset.", | ||
"version": "2.2.0", | ||
"description": "Basic IP rate-limiting middleware for Express. Use to limit repeated requests to public APIs and/or endpoints such as password reset.", | ||
"homepage": "https://github.com/nfriedly/express-rate-limit", | ||
@@ -39,3 +39,3 @@ "author": { | ||
"express": "^4.13.3", | ||
"grunt": "^0.4.5", | ||
"grunt": "^1.0.1", | ||
"grunt-cli": "^1.0.0", | ||
@@ -45,3 +45,3 @@ "grunt-contrib-jshint": "^1.0.0", | ||
"grunt-contrib-watch": "^1.0.0", | ||
"grunt-mocha-cli": "^2.0.0", | ||
"grunt-mocha-cli": "^2.1.0", | ||
"jshint-stylish": "^2.1.0", | ||
@@ -48,0 +48,0 @@ "load-grunt-tasks": "^3.4.0", |
@@ -8,6 +8,6 @@ # Express Rate Limit | ||
Basic rate-limiting middleware for Express. Use to limit repeated requests to public endpoints such as account creation and password reset. | ||
Basic rate-limiting middleware for Express. Use to limit repeated requests to public APIs and/or endpoints such as password reset. | ||
Note: this module does not share state with other processes/servers. | ||
If you need a more robust solution, I recommend checking out [strict-rate-limiter](https://www.npmjs.com/package/strict-rate-limiter) or [express-brute](https://www.npmjs.com/package/express-brute), both are excelent pieces of software. | ||
If you need a more robust solution, I recommend checking out [strict-rate-limiter](https://www.npmjs.com/package/strict-rate-limiter) or [express-brute](https://www.npmjs.com/package/express-brute), both are excellent pieces of software. | ||
@@ -92,2 +92,8 @@ | ||
* **statusCode**: HTTP status code returned when `max` is exceeded. Defaults to `429`. | ||
* **keyGenerator**: Function used to generate keys. By default user IP address (req.ip) is used. Defaults: | ||
```js | ||
function (req /*, res*/) { | ||
return req.ip; | ||
} | ||
``` | ||
* **handler**: The function to execute once the max limit is exceeded. It receives the request and the response objects. The "next" param is available if you need to pass to the next middleware. Defaults: | ||
@@ -113,7 +119,7 @@ ```js | ||
* **resetIp(ip)**: Resets the rate limiting for a given IP. (Allow users to complete a captcha or whatever to reset their rate limit, then call this method with their IP.) | ||
* **resetKey(key)**: Resets the rate limiting for a given key. (Allow users to complete a captcha or whatever to reset their rate limit, then call this method.) | ||
## v2 changes | ||
v2 uses a less precise but less resource intensive method of tracking hits from a given IP. v2 also adds the `limiter.resetIp()` API and removes the `global: true` option. | ||
v2 uses a less precise but less resource intensive method of tracking hits from a given IP. v2 also adds the `limiter.resetKey()` API and removes the `global: true` option. | ||
@@ -120,0 +126,0 @@ ## License |