What is rate-limiter-flexible?
The rate-limiter-flexible npm package is a powerful and flexible rate limiting library for Node.js. It supports various backends like Redis, MongoDB, and in-memory storage, making it suitable for distributed systems. It helps in controlling the rate of requests to APIs, preventing abuse, and ensuring fair usage.
What are rate-limiter-flexible's main functionalities?
Basic Rate Limiting
This feature allows you to set up basic rate limiting using in-memory storage. The example limits a user to 5 requests per second.
const { RateLimiterMemory } = require('rate-limiter-flexible');
const rateLimiter = new RateLimiterMemory({
points: 5, // 5 points
duration: 1, // Per second
});
rateLimiter.consume('user-key')
.then(() => {
// Allowed
})
.catch(() => {
// Blocked
});
Rate Limiting with Redis
This feature demonstrates how to use Redis as a backend for rate limiting. The example limits a user to 10 requests per minute.
const { RateLimiterRedis } = require('rate-limiter-flexible');
const Redis = require('ioredis');
const redisClient = new Redis();
const rateLimiter = new RateLimiterRedis({
storeClient: redisClient,
points: 10, // 10 points
duration: 60, // Per minute
});
rateLimiter.consume('user-key')
.then(() => {
// Allowed
})
.catch(() => {
// Blocked
});
Rate Limiting with MongoDB
This feature shows how to use MongoDB as a backend for rate limiting. The example limits a user to 5 requests per minute.
const { RateLimiterMongo } = require('rate-limiter-flexible');
const mongoose = require('mongoose');
mongoose.connect('mongodb://localhost:27017/rate-limiter', { useNewUrlParser: true, useUnifiedTopology: true });
const rateLimiter = new RateLimiterMongo({
storeClient: mongoose.connection,
points: 5, // 5 points
duration: 60, // Per minute
});
rateLimiter.consume('user-key')
.then(() => {
// Allowed
})
.catch(() => {
// Blocked
});
Rate Limiting with Bursts
This feature allows for burst handling by blocking the user for a specified duration if they exceed the rate limit. The example blocks a user for 10 seconds if they exceed 10 requests per second.
const { RateLimiterMemory } = require('rate-limiter-flexible');
const rateLimiter = new RateLimiterMemory({
points: 10, // 10 points
duration: 1, // Per second
blockDuration: 10, // Block for 10 seconds if consumed more than points
});
rateLimiter.consume('user-key')
.then(() => {
// Allowed
})
.catch(() => {
// Blocked
});
Other packages similar to rate-limiter-flexible
express-rate-limit
express-rate-limit is a basic rate-limiting middleware for Express applications. It is simpler and less flexible compared to rate-limiter-flexible, but it is easier to set up for basic use cases.
rate-limiter
rate-limiter is another rate limiting library for Node.js. It is less feature-rich compared to rate-limiter-flexible and does not support as many backends, but it is straightforward to use for simple rate limiting needs.
bottleneck
bottleneck is a powerful rate limiting and job scheduling library for Node.js. It offers more advanced features like priority queues and job scheduling, making it more suitable for complex use cases compared to rate-limiter-flexible.
node-rate-limiter-flexible
rate-limiter-flexible limits number of actions by key and protects from DDoS and brute force attacks at any scale.
It works with Redis, process Memory, Cluster or PM2, Memcached, MongoDB, MySQL, PostgreSQL and allows to control requests rate in single process or distributed environment.
Fast. Average request takes 0.7ms
in Cluster and 2.5ms
in Distributed application. See benchmarks.
Flexible. Combine limiters, block key for some duration, delay actions, manage failover with insurance options, configure smart key blocking in memory and many others.
Ready for growth. It provides unified API for all limiters. Whenever your application grows, it is ready. Prepare your limiters in minutes.
Friendly. No matter which node package you prefer: redis
or ioredis
, sequelize
or knex
, memcached
, native driver or mongoose
. It works with all of them.
It uses fixed window as it is much faster than rolling window.
See comparative benchmarks with other libraries here
Installation
npm i --save rate-limiter-flexible
yarn add rate-limiter-flexible
Basic Example
const opts = {
points: 6,
duration: 1,
};
const rateLimiter = new RateLimiterMemory(opts);
rateLimiter.consume(remoteAddress, 2)
.then((rateLimiterRes) => {
})
.catch((rateLimiterRes) => {
});
RateLimiterRes object
Both Promise resolve and reject return object of RateLimiterRes
class if there is no any error.
Object attributes:
RateLimiterRes = {
msBeforeNext: 250,
remainingPoints: 0,
consumedPoints: 5,
isFirstInDuration: false,
}
You may want to set next HTTP headers to response:
const headers = {
"Retry-After": rateLimiterRes.msBeforeNext / 1000,
"X-RateLimit-Limit": opts.points,
"X-RateLimit-Remaining": rateLimiterRes.remainingPoints,
"X-RateLimit-Reset": new Date(Date.now() + rateLimiterRes.msBeforeNext)
}
Advantages:
Middlewares and plugins
Some copy/paste examples on Wiki:
Migration from other packages
- express-brute Bonus: race conditions fixed, prod deps removed
- limiter Bonus: multi-server support, respects queue order, native promises
Docs and Examples
Basic Options
-
points
Default: 4
Maximum number of points can be consumed over duration
-
duration
Default: 1
Number of seconds before consumed points are reset
-
storeClient
Required for store limiters
Have to be redis
, ioredis
, memcached
, mongodb
, pg
, mysql2
, mysql
or any other related pool or connection.
Other options on Wiki:
Cut off load picks:
Specific:
API
Read detailed description on Wiki.
Benchmark
Average latency during test pure NodeJS endpoint in cluster of 4 workers with everything set up on one server.
1000 concurrent clients with maximum 2000 requests per sec during 30 seconds.
1. Memory 0.34 ms
2. Cluster 0.69 ms
3. Redis 2.45 ms
4. Memcached 3.89 ms
5. Mongo 4.75 ms
500 concurrent clients with maximum 1000 req per sec during 30 seconds
6. PostgreSQL 7.48 ms (with connection pool max 100)
7. MySQL 14.59 ms (with connection pool 100)
Contribution
Appreciated, feel free!
Make sure you've launched npm run eslint
before creating PR, all errors have to be fixed.
You can try to run npm run eslint-fix
to fix some issues.
Any new limiter with storage have to be extended from RateLimiterStoreAbstract
.
It has to implement at least 4 methods:
_getRateLimiterRes
parses raw data from store to RateLimiterRes
object._upsert
inserts or updates limits data by key and returns raw data._get
returns raw data by key._delete
deletes all key related data and returns true
on deleted, false
if key is not found.
All other methods depends on store. See RateLimiterRedis
or RateLimiterPostgres
for example.