Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
mongo-throttle
Advanced tools
Basic IP rate-limiting middleware for Express stored in mongoDB. Use to throttle or limit incoming request rate.
Basic IP rate-limiting middleware for Express stored in MongoDB. Use to throttle or limit incoming request rate.
Let MongoDB do the heavy lifting and synchronization of throttling/rate-limiting requestors. This Express middleware registers and maintains a rate limit for each requesting IP address. It uses MongoDB's built-in expiration index to automatically sweep out expired Throttle
records.
This rate-limiting implementation will scale across multiple servers with the same implementation.
var throttler = require('mongo-throttle');
// In Express-style app:
app.use(throttle());
// Optionally only rate-limit requests that begin with /api/
app.use('/api/', throttle());
// Optionally configure limits:
app.use(throttle({ rateLimit: { ttl: 600, max: 5 } }));
// Optionally configure a custom limit handler:
app.use(throttle(function(req, res, hits, remaining) {
var until = new Date((new Date()).getTime() + remaining);
res.statusCode = 420;
res.send('You shall not pass ' + hits + ' until ' + until + '!');
}));
# Header fields set:
X-Rate-Limit-Limit # Maximum requests within TTL
X-Rate-Limit-Remaining # Requests remaining for IP
X-Rate-Limit-Reset # msec until limit reset for IP
// Configuration options/defaults:
{
"rateLimit": {
"ttl": 600 // TTL window for each IP limit
"max": 600 // Max hits for IP within window
},
"response": {
"code": 429, // Response code when limit is reached
"message": "Rate Limit reached. Please wait and try again."
},
"mongoose":{
"uri": false // Optional Mongo URI connection string
},
"useCustomHeader": "x-custom-header" // Count hits by the distinct values found in this header, instead of by IP
}
// When using a custom limit handler:
/**
* Custom Limit-reached handler
*
* @param {object} req Express request
* @param {object} res Express response
* @param {number} hits Total hits for this IP within TTL
* @param {number} remaining msec reminaing before this IP resets TTL window
*/
function custom_limit(req, res, hits, remaining) {
// handler response here
}
// Upon registration, this middleware will create
// a Mongoose model collection with schema:
Throttle = {
createdAt: Date,
ip: String,
hits: Number
}
npm install mongo-throttle [--save]
Mongo has a useful feature called a TTL index.
TTL collections make it possible to store data in MongoDB and have the mongod automatically remove data after a specified number of seconds or at a specific clock time.
You can tell Mongo to remove data for you! We will use this to remove expired request counts from our rate-limiting check. There are a couple important things to note about this feature:
expireAfterSeconds
, is in seconds. Unlike most other timestamps in your JavaScript code, don't divide this by 1000.MIT
FAQs
Basic IP rate-limiting middleware for Express stored in mongoDB. Use to throttle or limit incoming request rate.
The npm package mongo-throttle receives a total of 4 weekly downloads. As such, mongo-throttle popularity was classified as not popular.
We found that mongo-throttle demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.