Security News
Fluent Assertions Faces Backlash After Abandoning Open Source Licensing
Fluent Assertions is facing backlash after dropping the Apache license for a commercial model, leaving users blindsided and questioning contributor rights.
rolling-rate-limiter
Advanced tools
Rate limiter that supports a rolling window, either in-memory or backed by redis
This is an implementation of a rate limiter in node.js that allows for rate limiting with a rolling window.
This means that if a user is allowed 5 actions per 60 seconds, any action will be blocked if 5 actions have already occured in the preceeding 60 seconds, without any set points at which this interval resets. This contrasts with many existing implementations, in which a user could make 5 requests at 0:59 and another 5 requests at 1:01.
It can use either in-memory storage or Redis as a backend. If Redis is used, multiple rate limiters can share one instance with different namespaces, and multiple processes can share rate limiter state safely without race conditions. The implementation uses what I believe to be a novel algorithm, with sorted sets.
/*
Setup:
*/
var RateLimiter = require("rolling-rate-limiter");
var limiter = RateLimiter({
interval: 1000 // in miliseconds
maxInInterval: 10,
minDifference: 100 // optional: the minimum time (in miliseconds) between any two actions
});
/*
Action:
*/
function attemptAction(userId) {
// Argument should be a unique identifier for a user if one exists.
// If none is provided, the limiter will not differentiate between users.
var timeLeft = limiter(userId)
if (timeLeft > 0) {
// limit was exceeded, action should not be allowed
// timeLeft is the number of ms until the next action will be allowed
// note that this can be treated as a boolean, since 0 is falsy
} else {
// limit was not exceeded, action should be allowed
}
}
/*
Note that the in-memory version can also operate asynchronously.
The syntax is identical to the redis implementation below.
*/
This allows multiple processes (e.g. multiple instances of a server application) to use a single redis to share rate limiter state. Make sure that the limiters have identical configurations in each instance.
/*
Setup:
*/
var RateLimiter = require("rolling-rate-limiter");
var Redis = require("redis");
var client = Redis.createClient(config);
var limiter = RateLimiter({
redis: client,
namespace: "UserLoginLimiter", // optional: allows one redis instance to handle multiple types of rate limiters. defaults to "rate-limiter-{string of 8 random characters}"
interval: 1000,
maxInInterval: 10,
minDifference: 100
});
/*
Action:
*/
function attemptAction(userId, cb) {
limiter(userId, function(err, timeLeft, actionsLeft) {
if (err) {
// redis failed or similar.
} else if (timeLeft) {
// limit was exceeded, action should not be allowed
} else {
// limit was not exceeded, action should be allowed
}
});
}
You can easily use this module to set up a request rate limiter middleware in Express.
var limiter = RateLimiter({
redis: redisClient,
namespace: "requestRateLimiter",
interval: 60000,
maxInInterval: 100,
minDifference: 100
});
app.use(function(req, res, next) {
// "req.ipAddress" could be replaced with any unique user identifier
// Note that the limiter returns the number of miliseconds until an action
// will be allowed. Since 0 is falsey, this can be treated as a boolean.
limiter(req.ipAddress, function(err, timeLeft) {
if (err) {
return res.status(500).send();
} else if (timeLeft) {
return res.status(429).send("You must wait " + timeLeft + " ms before you can make requests.");
} else {
return next();
}
});
});
FAQs
Rate limiter that supports a rolling window, either in-memory or backed by Redis
The npm package rolling-rate-limiter receives a total of 40,946 weekly downloads. As such, rolling-rate-limiter popularity was classified as popular.
We found that rolling-rate-limiter demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Fluent Assertions is facing backlash after dropping the Apache license for a commercial model, leaving users blindsided and questioning contributor rights.
Research
Security News
Socket researchers uncover the risks of a malicious Python package targeting Discord developers.
Security News
The UK is proposing a bold ban on ransomware payments by public entities to disrupt cybercrime, protect critical services, and lead global cybersecurity efforts.