express-rate-limit - npm Package Compare versions

Comparing version 2.1.3 to 2.2.0

lib/express-rate-limit.js

@@ -7,9 +7,13 @@ 'use strict';

options = defaults(options, {
// window, delay, and max apply per-ip unless global is set to true
// window, delay, and max apply per-key unless global is set to true
windowMs: 60 * 1000, // milliseconds - how long to keep records of requests in memory
delayAfter: 1, // how many requests to allow through before starting to delay responses
delayMs: 1000, // milliseconds - base delay applied to the response - multiplied by number of recent hits from user's IP
max: 5, // max number of recent connections during `window` miliseconds before sending a 429 response
delayMs: 1000, // milliseconds - base delay applied to the response - multiplied by number of recent hits for the same key.
max: 5, // max number of recent connections during `window` milliseconds before sending a 429 response
message : 'Too many requests, please try again later.',
statusCode: 429, // 429 status = Too Many Requests (RFC 6585)
// allows to create custom keys (by default user IP is used)
keyGenerator: function (req /*, res*/) {
return req.ip;
},
handler: function (req, res /*, next*/) {
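Review bot: the rewritten comment on the defaults still says limits apply "per-key unless global is set to true", but the README hunk in this same comparison states that v2 removes the `global: true` option, so the comment now documents a setting that no longer exists; drop the "unless global is set to true" clause and leave "window, delay, and max apply per-key". The `max` comment also still refers to "`window` miliseconds" in the old line and "`window` milliseconds" in the new one while the option is actually named `windowMs`; while touching it, make the comment say `windowMs`.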

@@ -38,16 +42,16 @@ res.format({

function rateLimit(req, res, next) {
var ip = req.ip;
var key = options.keyGenerator(req, res);
if (hits[ip]) {
hits[ip]++;
if (hits[key]) {
hits[key]++;
} else {
hits[ip] = 1;
hits[key] = 1;
}
if (options.max && hits[ip] > options.max) {
if (options.max && hits[key] > options.max) {
return options.handler(req,res, next);
}
if (options.delayAfter && options.delayMs && hits[ip] > options.delayAfter) {
var delay = (hits[ip] - options.delayAfter) * options.delayMs;
if (options.delayAfter && options.delayMs && hits[key] > options.delayAfter) {
var delay = (hits[key] - options.delayAfter) * options.delayMs;
setTimeout(next, delay);
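Review bot: `hits[key]` is indexed directly by whatever `keyGenerator` returns, and the truthiness test `if (hits[key])` decides between the increment and initialise branches; if `hits` is a plain object literal (its declaration is outside this hunk), a generated key that coincides with an inherited property name such as `constructor` would take the increment branch on a function value and produce `NaN`, so create the store with `Object.create(null)` (or a `Map`) and test with an own-property check. Minor: `options.handler(req,res, next)` has inconsistent argument spacing.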

@@ -67,8 +71,9 @@ } else {

// export an API to allow hits from one or all IPs to be reset
function resetIp(ip) {
delete hits[ip];
function resetKey(key) {
delete hits[key];
}
rateLimit.resetIp = resetIp;
rateLimit.resetKey = resetKey;
// Backward compatibility function
rateLimit.resetIp = resetKey;
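Review bot: the comment above `resetKey` still reads "allow hits from one or all IPs to be reset", but the function deletes a single entry for whatever key `keyGenerator` produced and there is no reset-all path in this hunk; reword it to "allow hits for a given key to be reset". Keeping `rateLimit.resetIp = resetKey;` is the right way to preserve the old name, but the "Backward compatibility function" comment should mark it as deprecated so callers know `resetKey` is the supported API.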

@@ -75,0 +80,0 @@ return rateLimit;

{
"name": "express-rate-limit",
"version": "2.1.3",
"description": "Basic rate-limiting middleware for Express. Use to limit access to public endpoints such as account creation and password reset.",
"version": "2.2.0",
"description": "Basic IP rate-limiting middleware for Express. Use to limit repeated requests to public APIs and/or endpoints such as password reset.",
"homepage": "https://github.com/nfriedly/express-rate-limit",
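Review bot: the new description says "Basic IP rate-limiting middleware" even though this is the release that generalises tracking from IPs to `keyGenerator` keys in lib/express-rate-limit.js; either keep the previous wording without "IP" or mention keys, so the package metadata does not contradict the code. The bump from 2.1.3 to 2.2.0 is appropriate for an additive API (`resetKey`) shipped with a compatibility alias.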

@@ -39,3 +39,3 @@ "author": {

"express": "^4.13.3",
"grunt": "^0.4.5",
"grunt": "^1.0.1",
"grunt-cli": "^1.0.0",
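Review bot: `grunt` crosses a major version (`^0.4.5` to `^1.0.1`) in the same change as the keyGenerator behaviour; the Gruntfile is not part of this comparison, so confirm the task configuration still runs on Grunt 1.x, and prefer landing tooling bumps in their own commit so a regression can be bisected to either the build change or the code change.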

@@ -45,3 +45,3 @@ "grunt-contrib-jshint": "^1.0.0",

"grunt-contrib-watch": "^1.0.0",
"grunt-mocha-cli": "^2.0.0",
"grunt-mocha-cli": "^2.1.0",
"jshint-stylish": "^2.1.0",

@@ -48,0 +48,0 @@ "load-grunt-tasks": "^3.4.0",

@@ -8,6 +8,6 @@ # Express Rate Limit

Basic rate-limiting middleware for Express. Use to limit repeated requests to public endpoints such as account creation and password reset.
Basic rate-limiting middleware for Express. Use to limit repeated requests to public APIs and/or endpoints such as password reset.
Note: this module does not share state with other processes/servers.
If you need a more robust solution, I recommend checking out [strict-rate-limiter](https://www.npmjs.com/package/strict-rate-limiter) or [express-brute](https://www.npmjs.com/package/express-brute), both are excelent pieces of software.
If you need a more robust solution, I recommend checking out [strict-rate-limiter](https://www.npmjs.com/package/strict-rate-limiter) or [express-brute](https://www.npmjs.com/package/express-brute), both are excellent pieces of software.

@@ -92,2 +92,8 @@

* **statusCode**: HTTP status code returned when `max` is exceeded. Defaults to `429`.
* **keyGenerator**: Function used to generate keys. By default user IP address (req.ip) is used. Defaults:
```js
function (req /*, res*/) {
return req.ip;
}
```
* **handler**: The function to execute once the max limit is exceeded. It receives the request and the response objects. The "next" param is available if you need to pass to the next middleware. Defaults:
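Review bot: the new `keyGenerator` entry should state that the default `req.ip` is whatever Express resolves under its `trust proxy` setting, so an application behind a load balancer or reverse proxy must configure that, otherwise every client shares the proxy's address as a single key and the limit applies to all of them at once; it should also say the function must return a string, since the value is used directly as the property name in the `hits` store.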

@@ -113,7 +119,7 @@ ```js

* **resetIp(ip)**: Resets the rate limiting for a given IP. (Allow users to complete a captcha or whatever to reset their rate limit, then call this method with their IP.)
* **resetKey(key)**: Resets the rate limiting for a given key. (Allow users to complete a captcha or whatever to reset their rate limit, then call this method.)
## v2 changes
v2 uses a less precise but less resource intensive method of tracking hits from a given IP. v2 also adds the `limiter.resetIp()` API and removes the `global: true` option.
v2 uses a less precise but less resource intensive method of tracking hits from a given IP. v2 also adds the `limiter.resetKey()` API and removes the `global: true` option.
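Review bot: the `resetIp(ip)` entry is removed from the README, but lib/express-rate-limit.js in this comparison keeps `rateLimit.resetIp` as a backward-compatibility alias for `resetKey`; document it as deprecated rather than dropping it silently. The "v2 changes" paragraph still says hits are tracked "from a given IP" and only swaps `resetIp()` for `resetKey()`; since identity is now whatever `keyGenerator` returns, say "from a given key" there as well.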

@@ -120,0 +126,0 @@ ## License
