fastify / fastify-rate-limit Goto Github PK

Prerequisites

• I have written a descriptive issue title
• I have searched existing issues to ensure the issue has not already been raised

Issue

Does Redis store use atomic increments, I mean that is all operations in memory, or distributed environment use atomic increments against race conditions?

💥 Regression Report

Since PR #123 it is not possible to register two rate limiter like for a use case where a global rate limiter should be applied and a second, stricter limiter to only some specific routes like this (nestjs registration of the rate limiter):

    // rate limiter for every route except /auth/password
    await app.register(fastifyRateLimit, {
      max: 150,
      timeWindow: 1000 * 60 * 5, // 150 req/5min
      redis: new Redis({ ...configService.redisConnectionData, keyPrefix: 'ratelimit:' }),
      whitelist: (req) => {
        return req.url === '/auth/password';
      },
      errorResponseBuilder: rateLimitErrorResponse,
    });

    // rate limiter for /auth/password route only
    await app.register(fastifyRateLimit, {
      max: 15,
      timeWindow: 1000 * 60 * 5, // 15 req/5min
      redis: new Redis({ ...configService.redisConnectionData, keyPrefix: 'ratelimit:auth:' }),
      whitelist: (req) => {
        return req.url !== '/auth/password';
      },
      errorResponseBuilder: rateLimitErrorResponse,
    });

Last working version

Worked up to version: 5.0.0

Stopped working in version: 5.0.1

To Reproduce

Steps to reproduce the behavior:

Use two rate limiters, the second one registered does not work.

Expected behavior

Multiple rate limiter should be usable for a use case where a stricter rate limiting is needed for some routes.

Your Environment

• node version: 14
• fastify version: >3.0.0
• os: WSL2

Hi everybody,

just wanted to know how/what the skipOnError flag is working. I expected that if redis connection is lost I can skip the rate limit with this flag. Is this wrong? But the behaviour is that my endpoint needs a lot of time to answer, when connection is lost to redis.

Thanks in advance.
Markus

Prerequisites

• I have written a descriptive issue title
• I have searched existing issues to ensure the issue has not already been raised

Issue

The package contains unnecessary files. I recommend to create a .npmignore with following content:

.github
example
test
.gitattributes
.taprc
README.md

Thus making the final package to be around 15 kb instead of 115 kb.

Hi, i just updated to 2.1.1 and got this error during TS compilation.
It happens because ioredis is in devDependencies and you are using it in index.d.ts, that is just a typings file.
Let me know if you need help.

The devDependency knex was updated from 0.20.4 to 0.20.6.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

knex is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

What about adding an array with ips that are whiteslisted? I'm thinking about scenarios where there are some server to server calls that are under control of the deployer.

🐛 Bug Report

Even if the clients (based on their ip) has done too many request in the given timeWindow, the server does not respond with 429. This makes the application still vulnerable to attacks

To Reproduce

Steps to reproduce the behavior:

1. JS

const fastify = require('fastify')()

fastify.register(require('fastify-rate-limit'), {
  max: 2,
  timeWindow: '1 minute'
})

fastify.get('/', (req, reply) => {
  reply.send({ hello: 'world' })
})

fastify.listen(3000, err => {
  if (err) throw err
  console.log('Server listening at http://localhost:3000')
})

2. Curl

 curl 'http://localhost:8080/foo'

Expected behavior

It should give 429, "Too Many Requests", response, but giving this:

{ 
    "statusCode":404,
    "error":"Not Found",
    "message":"Not Found"
}

🚀 Feature Proposal

Add an abuse status that will reply 403 Fobidden when the 429 response has been used to much.

Motivation

This will let you ban users that are calling the API without managing the 429 response.

Example

const banList = []
app.register(fastifyRateLimit, {
  abuse: 10, // how many 429 request the plugin can send. It is reset when the rate limit is resetted
});

Prerequisites

• I have written a descriptive issue title
• I have searched existing issues to ensure it has not already been reported

Fastify version

3.19.1

Plugin version

5.5.0

Node.js version

14.15.1

Operating system

Windows

Operating system version (i.e. 20.04, 11.3, 10)

10

Description

Headers like 'x-ratelimit-limit' are always added to the response when the limit has not yet been exceeded, as seen here:

Steps to Reproduce

1. Implement fastify-rate-limit
2. Set low 'max' and high 'timeWindow' values
3. Set specific headers to 'false'
4. Request a route

Expected Behavior

If set to false, those headers should never be added, no matter whether the limit has been exceeded or not. Or there should be an option to enforce this behaviour.

The dependency fastify-plugin was updated from 1.6.0 to 1.6.1.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

fastify-plugin is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

The dependency tiny-lru was updated from 7.0.1 to 7.0.2.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

tiny-lru is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

🚀 Feature Proposal

Rename the whitelist option to allowedClient
This will be a breaking change.

Motivation

This wording is more inclusive.

Prerequisites

• I have written a descriptive issue title
• I have searched existing issues to ensure it has not already been reported

Fastify version

3.14.2

Plugin version

5.6.0

Node.js version

14.16.0

Operating system

macOS

Operating system version (i.e. 20.04, 11.3, 10)

11.4

Description

Redis fastify-rate-limit-* key is deleted automatically after 1 minute even if the timeWindow is set to '5 minutes'. I've tried with different timeWindows, both in string and number notation.
I do not have anywhere a TTL set for the keys in Redis itself, so AFAIK they should be stored until the timeWindow reaches it's limit.
The issue occurs when I'm connected to Redis both on GCP and locally, something seems to be dumping the key generator from keyGenerator, but I really do not have any clue by now what that might be.
Could anyone help me with that?
It seems like a bug, but I am quite new in the field, so it's possible it's a rookie mistake made somewhere.

Steps to Reproduce

A. Register FastifyRateLimit on the global server configuration along with local Redis connection. Set global to false, so you're able to create custom keyGenerator functions for each route:

server.register(FastifyRateLimit, {
    global: false,
    redis: new Redis({ host: '127.0.0.1', port: 6379})
... })

B. Mount rateLimit function on one of your routes (in my case a POST one). Return hardcoded 45 for easier reproduction

• check out if a new key fastify-rate-limit-45 appeared, via: get fastify-rate-limit-45

preHandler: [
        fastify.rateLimit({
          max: 1,
          timeWindow: '5 minutes',
          keyGenerator: function (request) {
            return 45
          }

C. Spin up the local env and hit the endpoint twice to trigger the rate-limit block
D. Wait for 1 minute
E. Hit the same endpoint again

Actual result:
-> The hit is not blocked, although it should since the timeWindow is set to 5 minutes
-> When executing get fastify-rate-limit-45 in telnet you'll get a -1 response - the key has been deleted

Expected Behavior

• the hit is blocked when timeWindow is not over
• key is not dumped after 1 minutes

The dependency tiny-lru was updated from 3.0.5 to 3.0.6.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

tiny-lru is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

I setup redis on rate-limit options, but it does not sets TTL ( expire )

• node version: 16
• fastify version: >=3.0.0
• os: Mac

Prerequisites

• I have written a descriptive issue title
• I have searched existing issues to ensure the issue has not already been raised

Issue

Hello contributors,
Thank you for your work on this package.

I'm raising this to discuss the current implementation,

Click for dark mode users

Prerequisites

• I have written a descriptive issue title
• I have searched existing issues to ensure it has not already been reported

Fastify version

3.19.1

Plugin version

5.5.0

Node.js version

16.6.2

Operating system

macOS

Operating system version (i.e. 20.04, 11.3, 10)

Big Sur 11.4

Description

The docs page states that the max function can be an async function with the signature async (req, key) => {} where req is the Fastify request object and key is the value generated by the keyGenerator. The function must return a number.

However, typescript complains I have the wrong type when I use an async function because Promise is not assignable to number.

Basically, I think the type definition for the max function needs to be changed from:

number | ((req: FastifyRequest, key: string) => number)

to:

number | ((req: FastifyRequest, key: string) => number) | ((req: FastifyRequest, key: string) => Promise<number>)

Steps to Reproduce

// Declare a config object
const config: RateLimitPluginOptions = {
    ban: 10,
    timeWindow: '2 minute',
    store: new Redis(process.env.REDIS_URL, { connectTimeout: 500, maxRetriesPerRequest: 1 }) as any,
    keyGenerator: function (req) {
        return req.headers['authorization'] || req.ip;
    },

    // This is where the error is
    async max(request, key) {
        const apiKeyObject = await ApiKey.findOne({ where: { apiKey: key } });
        if (!apiKeyObject) {
            return 10;
        }

        return apiKeyObject.rateLimit;
    }
};

// Register the plugin
app.register(fastifyRateLimit, config);

The exact error is:

Type '(request: FastifyRequest<RouteGenericInterface, Server, IncomingMessage>, key: string) => Promise<number>' is not assignable to type '(req: FastifyRequest<RouteGenericInterface, Server, IncomingMessage>, key: string) => number'.
    Type 'Promise<number>' is not assignable to type 'number'.

Expected Behavior

No response

The devDependency fastify was updated from 2.11.0 to 2.12.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

fastify is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

Fairly sure that the custom store example in /example/example-knex.js does not work. At a minimum there is a function scope 'this' error, as well as errors in the logic for the inserts and updates. There should also be a read lock on the row before the updates are attempted. The /example-sequelize.js example seems to be okay. The logic is correct, although not sure whether a similar transaction is required.

Below is a working example for Knex.js and MySQL.

I'd be glad to submit a PR for /example/example-knex-mysql.js

'use strict'

// Example of a custom store using Knex.js and MySQL
//
// Note that the rate check should place a read lock on the row.
// For MySQL see:
// https://dev.mysql.com/doc/refman/8.0/en/innodb-locking-reads.html
// https://blog.nodeswat.com/concurrency-mysql-and-node-js-a-journey-of-discovery-31281e53572e
//
// Below is an example table to store rate limits that must be created
// in the database first.
// // Knex migration
// exports.up = async knex => {
//   await knex.schema.createTable('rate_limits', table => {
//     table.string('source').notNullable()
//     table.string('route').notNullable()
//     table.integer('count').unsigned()
//     table.bigInteger ('ttl')
//     table.primary(['route', 'source'])
//   })
// }
//
// exports.down = async knex => {
//   await knex.schema.dropTable('rate_limits')
// }
// // Above migration will create...
// CREATE TABLE `rate_limits` (
//   `source` varchar(255) NOT NULL,
//   `route` varchar(255) NOT NULL,
//   `count` int unsigned DEFAULT NULL,
//   `ttl` int unsigned DEFAULT NULL,
//   PRIMARY KEY (`route`,`source`)
// ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci;

function KnexStore(options) {
  this.options = options
  this.route = ''
}

KnexStore.prototype.routeKey = function (route) {
  if (route) this.route = route
  return route
}

KnexStore.prototype.incr = function (key, cb) {
  const now = (new Date()).getTime()
  const ttl = now + this.options.timeWindow
  const cond = { route: this.route, source: key }
  knex.transaction(function (trx) {
    trx('rate_limits')
      .whereRaw('route = ? AND source = ? FOR UPDATE', [cond.route || '', cond.source]) // Create read lock
      .then(r => {
        const d = r[0]
        if (d && d.ttl > now) {
          trx
            .raw('UPDATE rate_limits SET count = ? WHERE route = ? AND source = ?', [d.count + 1, cond.route, key])
            .then(() => {
              cb(null, { current: d.count + 1, ttl: d.ttl })
            })
            .catch(err => {
              trx.rollback()
              cb(err, {
                current: 0,
              })
            })
        } else {
          trx
            .raw('INSERT INTO rate_limits(route, source, count, ttl) VALUES(?,?,1,?) ON DUPLICATE KEY UPDATE count = 1, ttl = ?', [cond.route, key, (d && d.ttl) || ttl, ttl])
            .then(() => {
              cb(null, {
                current: 1,
                ttl: (d && d.ttl) || ttl,
              })
            })
            .catch(err => {
              trx.rollback()
              cb(err, { current: 0 })
            })
        }
      })
      .then(trx.commit)
      .catch(err => {
        trx.rollback()
        cb(err, { current: 0 })
      })
  })
}

KnexStore.prototype.child = function (routeOptions = {}) {
  const options = { ...this.options, ...routeOptions }
  const store = new KnexStore(options)
  store.routeKey(routeOptions.routeInfo.method + routeOptions.routeInfo.url)
  return store
}

fastify.register(require('../../fastify-rate-limit'),
  {
    global: false,
    max: 10,
    store: KnexStore,
    skipOnError: false,
  }
)

fastify.get('/', {
  config: {
    rateLimit: {
      max: 10,
      timeWindow: '1 minute',
    },
  },
}, (req, reply) => {
  reply.send({ hello: 'from ... root' })
})

fastify.get('/private', {
  config: {
    rateLimit: {
      max: 3,
      timeWindow: '1 minute',
    },
  },
}, (req, reply) => {
  reply.send({ hello: 'from ... private' })
})

fastify.get('/public', (req, reply) => {
  reply.send({ hello: 'from ... public' })
})

fastify.listen(3000, err => {
  if (err) throw err
  console.log('Server listening at http://localhost:3000')
})

Trying to whitelist some keys per route but it does not apply.

To Reproduce

Steps to reproduce the behavior: Add rate limit config to the route and add whitelist param.

server.register(rateLimitPlugin, {
  global : false,
  redis,
  skipOnError: true
});
 server.get('/test', {
    preHandler: authHandler,
    config: {
      rateLimit: {
        max: 3,
        timeWindow: '1 minute',
        whitelist: ['testuser'],
        keyGenerator: function (req: any) {
          return req.params.authedUserId || test;
        },
        onExceeded: function (req: any) {
          console.log('Exceeded')
        },
      }
    }
  }, handler);

Expected behavior

As documentation shows, it should allow to add whitelist list per route not only on global.
I think problem is in preHandler

    // whitelist doesn't apply any rate limit
    if (pluginComponent.whitelist.indexOf(key) > -1) {
      next()
      return
    }

pluginComponent.whitelist is an empty array. Should be params.whitelist in this case.

Your Environment

• node version: 10.16
• fastify version: >=2.5

🚀 Feature Proposal

Being able to use async / await in max in so we can fetch details from our database/cache or similar.

Motivation

I would love to contribute to this, and it's a very easy implementation. I've not tested out the performance that might get lost using async / await here.

Example

For one of my recent projects, different users with different access were able to have different rate limits using async. I think this would be very good to have added to the fastify-rate-limit plugin.

Prerequisites

• I have written a descriptive issue title
• I have searched existing issues to ensure the feature has not already been requested

🚀 Feature Proposal

Description

I ​think the current rate limiter is missing the point. Rate limiters are made to prevent brute force attacks, right?
The thing is, fastify-rate-limiter only blocks most of brute force requests.
Let me give you an example:
I've reached the limit and now I'm locked for 2 minutes. I'll wait for 1 minute and will send a request to the server again.
It will says that I should wait for 1 more minute.

Nothing wrong right? 🧐

But imagine a script; which will send 15 requests to the server every minute. It will reach the rate limit after 1 minute (lets assume limit is at 15 and lock time is 2m). It will keep sending requests until the rate limit ends. after that it will send another 15 requests to the server. so its sending 15 requests every 3 minute even when rate limiter is on!

Solution

I think the best solution is to renew the lock time on every request when the ip is locked

Motivation

I've discovered Fastify recently, and since then I'm in love with it 😁

I try to use Fastify version of everything when I'm developing using Fastify! Rate limiter is one of those. Maybe the feature that I'm requesting is not useful But I needed it, so I shared my thoughts with you guys.

Example

No response

The dependency fast-json-stringify was updated from 1.15.7 to 1.16.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

fast-json-stringify is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

In my project I tried using the rate-limit, and it worked. Then I tried using the per-route limit, but it didn't work at all. I replicated the example to see if I made any error in my project, but it still didn't work.

Here is the code I used:

const fastify = require('fastify')()

fastify.register(require('fastify-rate-limit'),
  {
    global: false,
    max: 10,
    timeWindow: '1 minute',
    skipOnError: false,
    keyGenerator: function(req) {
        console.log(req.ip);
        return req.ip;
    }
  })

fastify.get('/rate-test', {
  config: {
    rateLimit: {
      max: 3,
      timeWindow: '1 minute'
    }
  }
}, (req, reply) => {
  reply.send({ hello: 'from ... root' })
});

fastify.listen(3000, err => {
    if (err) throw err
    console.log('Server listening at http://localhost:3000')
})

The server returns a 429 status only after 10 continuous requests, but not after 3.

Prerequisites

• I have written a descriptive issue title
• I have searched existing issues to ensure it has not already been reported

Fastify version

3.20.2

Plugin version

5.6.1

Node.js version

14.6.0

Operating system

Windows

Operating system version (i.e. 20.04, 11.3, 10)

10 x64

Description

Read the docs and the examples, they're pretty clear IMO. I must be missing something.
I cannot get allowList to work in the config for an endpoint. It does work though when used in the global config.

Steps to Reproduce

This works for allowing 127.0.0.1 - via global config:

fastify.register(fastifyRateLimit,
    {
        global: false,
        max: 3000, // default max rate limit
        allowList: ['127.0.0.1'], // global allowList access ( ACL based on the key from the keyGenerator)
        skipOnError: false, // default false
    });

But, when I'm specifying 127.0.0.1 in the allowList directly for an endpoint, it does not kick in:

fastify.route({
        url: '/activate',
        method: 'POST',
        schema: {},
        handler: (request) => {
            return rt_activate(request);
        },
        config: {
            rateLimit: {
                max: 3,
                timeWindow: '1 minute',
                allowList: ['127.0.0.1'],     // <--------- never kicks in
                errorResponseBuilder: (req: FastifyRequest, context: any) =>
                    ({
                        code: 429, timeWindow: context.after, limit: context.max,
                        message: 'Too many requests sent. Please try again in 1 minute.'
                    }),
                onExceeding: function(req: FastifyRequest){
                    console.log('callback on exceeding ... executed before response to client. req is give as argument')
                },
                onExceeded: function(req: FastifyRequest){
                    console.log('callback on exceeded ... to block ip in security group for example, req is give as argument')
                }
            }
        }
    }
);

What am I doing wrong ?

Expected Behavior

to white list / allow the specified IPs in the endpoint config > allowList array.

Thanks.

I was looking at the code and it seems that the plugin allows for the specified max option to be a function, but when I try to use a function to generate the max value I get an error such as:

unhandled exception TypeError: The header content contains invalid characters
at storeHeader (_http_outgoing.js:436:13)
at ServerResponse._storeHeader (_http_outgoing.js:350:7)
at ServerResponse.writeHead (_http_server.js:257:8)
at onSendEnd (/usr/src/app/node_modules/fastify/lib/reply.js:329:7)
at onSendHook (/usr/src/app/node_modules/fastify/lib/reply.js:282:5)
at _Reply.Reply.send (/usr/src/app/node_modules/fastify/lib/reply.js:139:3)
at onIncr (/usr/src/app/node_modules/fastify-rate-limit/index.js:136:12)
at LocalStore.incr (/usr/src/app/node_modules/fastify-rate-limit/store/LocalStore.js:19:3)
at Object.preHandler (/usr/src/app/node_modules/fastify-rate-limit/index.js:110:27)
at hookIterator (/usr/src/app/node_modules/fastify/lib/hooks.js:124:10)

Is there support for a non-static max requests value and I'm missing something or is this not implemented?

In my use case different clients connecting to the API have different max limits and as such I would like to make the max option depend on a function provided by me that would return a value to be checked against.

Thanks for your time!

🚀 Feature Proposal

Have an option to slow down responses instead of returning 429 errors.

Motivation

By having the option to slow down responses would deter scrapping of data from a server which would put an additional load on the server while still enabling responses for cases where user may not be actually scrapping, but just that there are many machines surfing the webpage under the same IP

Example

express-slow-down

Is it possible to use this rate-limiter per route instead of for every route?

Currently you will always get a JSON in the following schema if you exceed the rate limit:

{
  "error": "Too Many Requests",
  "message": "Rate limit exceeded, retry in 1 minute",
  "statusCode": 429
}

Since I use a different JSON schema in my response, it would be great to have a way of customizing the response. E.g. Having a callback to format/send the response.

🐛 Bug Report

Every request to HEAD or GET route counted as two with activated exposeHeadRoutes for Fastify (x-ratelimit-remaining header gets decreased by -2)
If you are manually installing HEAD route before GET one with/without option then counter works properly.

After minor investigation it looks like function onRequest from plugin gets installed into route 2 times.

  // onRequest function that will be use for current endpoint been processed
  function onRequest (req, res, next) {

To Reproduce

Reproduction steps are pretty simple:

1. Get latest fastify from npm
2. get latest fastify-rate-limit plugin from npm
3. Activate exposeHeadRoutes: true option for fastify server
4. Copypaste my minimal example
5. Do 2 requests with postman or curl to 127.0.0.1:1111/route -> x-ratelimit-remaining header in first response will be 118, 116 - second.

const fastify = require("fastify")({
	onConstructorPoisoning: "remove",
	onProtoPoisoning: "remove",
	ignoreTrailingSlash: true,
	exposeHeadRoutes: true
});

fastify.register(require("fastify-rate-limit"), {
	max: 120,
	timeWindow: "5 minutes",
	addHeaders: {
		"x-ratelimit-reset": false,
		"retry-after": false
	}
});


async function testGetRoute(fastify) {
	fastify.get("/route", async () => {
		throw new Error();
	});
}

fastify.register(testGetRoute);

const start = async () => {
	try {
		await fastify.listen(1111, "127.0.0.1");
	} catch (error) {
		process.exit(1);
	}
};
start();

Expected behavior

After first request with postman/curl to 127.0.0.1:1111/route x-ratelimit-remaining in first response header will be 119, after second - 118

Your Environment

• node version: 14/15
• fastify version: 3.12.0
• os: Windows

🐛 Bug Report

As described in #113, using a per-route ratelimit doesn't work.

To Reproduce

Steps to reproduce the behavior:

1. Create a new fastify instance
2. Register the ratelimit plugin
3. Add a ratelimit on a specific route

import fastify, { FastifyInstance, FastifyRequest } from 'fastify'

import ratelimit from 'fastify-rate-limit'

const server: FastifyInstance = fastify()

server.register(ratelimit,{
	global: false,
	max: 3000,
	keyGenerator: (req: FastifyRequest): string => {
		return req.headers.authorization
	},
})

server.get('/private', {
	config: {
	  rateLimit: {
		max: 3,
		timeWindow: '1 minute'
	  }
	}
  }, (req, reply) => {
	reply.send({ hello: 'from ... private' })
})

Expected behavior

I expect the ratelimit to be applied.

Your Environment

• node version: 14.16.0
• fastify version: ^3.14.12
• fastifi-ratelimit version: ^5.5.0
• os: Mac
• any other relevant information

☝️ Important announcement: Greenkeeper will be saying goodbye 👋 and passing the torch to Snyk on June 3rd, 2020! Find out how to migrate to Snyk and more at greenkeeper.io

The devDependency knex was updated from 0.20.11 to 0.20.12.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

knex is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

🚀 Feature Proposal

Be a nice enhancement to add the ability to pass in a Store interface which abides by the current constructs of Local/Redis store, i.e. incr method and callback. Easy way to extend for other storage mechanisms without bloating the existing package.

Motivation

There are a lot of memory storage tools out there, as well as traditional ones such as databases, so often adding a new technology into an already established stack can be costly in terms of maintenance, hosting, etc...

Example

function thestore = function(timeWindow, key) {

}
etc...

fastify.register(require('fastify-rate-limit'), {
store: require('./my-custom-store')
})

This means a slightly custom call to the custom-store but otherwise should be a very doable feature.

🚀 Feature Proposal

Implement https://tools.ietf.org/id/draft-polli-ratelimit-headers-00.html

Motivation

Allow clients to avoid being throttled out.

🐛 Bug Report

When routing level whitelist is used, it does not take effect

To Reproduce

Steps to reproduce the behavior:

fastify.get('/private', {
  config: {
    rateLimit: {
      max: 3,
      whitelist: ['127.0.0.1', '127.0.3.1'],
      timeWindow: '1 minute'
    }
  }
}, (req, reply) => {
  reply.send({ hello: 'from ... private' })
})

Your Environment

• node version: v14.4.0
• fastify version: ^3.8.0
• os: Mac
• any other relevant information

☝️ Important announcement: Greenkeeper will be saying goodbye 👋 and passing the torch to Snyk on June 3rd, 2020! Find out how to migrate to Snyk and more at greenkeeper.io

The devDependency ioredis was updated from 4.16.0 to 4.16.1.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

ioredis is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

🚀 Feature Proposal

It would be really helpful if one could add route based rate limiting without a handler function.

Motivation

I am using Fastify as a gateway in combination with fastify-gateway. With the gateway plugin (fastify-gateway) I can delegate handling to external services. By being able to add route based rate limiter without a handler parameter we can make the fastify-rate-limit plugin usable beyond typical route based rate limiting.

Example

Expected Behaviour:

fastify.register(fastifyRateLimit, { //just as an option
  config: {
    route: '/routeX',
    rateLimit: {
      max: 3,
      timeWindow: '1 minute'
    }
  }
})

Currently, we are returning a POJO (and using a custom serializer) instead of an error object, which means that the .setErrorHandler API won't be called.
This should be considered a bug, as users can't override the default response nor perform custom actions when a 429 error happens.

🐛 Bug Report

When using fastify with ignoreTrailingSlash: false (default), creating routes with prefixing and defining rate limitting for / of prefixed route, each request is counted twice. As I looked deeper into this issue it looks like onRequest handler is added twice - first time when fastify adds route for '' (node_modules\fastify\lib\route.js:163), and second time when it adds route for '/' (node_modules\fastify\lib\route.js:166; fastify-rate-limit onRequest handler seems to already exist in routeOptions then).

To Reproduce

Steps to reproduce the behavior:

  const subroute = async (fst) => {
      fst.register(FastifyRateLimit, {
        max: 60,
        timeWindow: 1000,
        keyGenerator: (req) => {
          console.log('call'); // will be called twice when POST /resource called

          return 'test';
        },
      });

      fst.post('/', {}, (req, res) => {
        res.type('application/json').send({ data: 'test' });
      });
    };

    const app = fastify();

    app.register(subroute, { prefix: '/resource' });

Expected behavior

onRequest called once and each request counted as one.

Your Environment

• node version: 12
• fastify version: 3.9.2
• os: Windows

🚀 Feature Proposal

It would be interesting to rate limit 404s as well. This might be controversial because it's faster to actually return a 404 vs read up the current limit from a database. However it might be a security risk as an attacker could search which routes are available.

Example

  const fastify = Fastify()
  await fastify.register(rateLimit, { global: true, max: 2, timeWindow: 1000 })
  fastify.setNotFoundHandler({
    onRequest: fastify.rateLimit
  }, function (request, reply) {
    reply.code(404).send({ hello: 'world' })
  })
  fastify.get('/', function (request, reply) {
    reply.send({ hello: 'world' })
  })
  await fastify.listen(3000)

I tried to use this rate limiter with fastify server behind the proxy and I found two major problems with the detection of the IP address in following code:

var ip = req.headers['X-Forwarded-For'] || req.connection.remoteAddress

1. All keys in req.headers are in lowercase so the req.headers['X-Forwarded-For'] is always undefined even if the proxy sends the header to the upstream. That means, req.connection.remoteAddress is always used as IP and it's always the same value (the IP of the proxy). This gives an attacker a possibility to make the entire server unavailable for every user.

2. Even if you fix the casing, there is still another issue: You should never use HTTP header as a cache key unless you trust the source. X-Forwarded-For header can be crafted on the client. Imagine your fastify server is publicly available (no proxy in front of it), then following requests from the same client are going to be considered as different:

$ curl -v -H "X-Forwarded-For: a" http://example.com/
X-RateLimit-Limit: 5
X-RateLimit-Remaining: 4

$ curl -v -H "X-Forwarded-For: b" http://example.com/
X-RateLimit-Limit: 5
X-RateLimit-Remaining: 4

$ curl -v -H "X-Forwarded-For: c" http://example.com/
X-RateLimit-Limit: 5
X-RateLimit-Remaining: 4

With this you can bypass the entire rate limiter, by varying the X-Forwarded-For header for each request. The same happens with the proxy in front of it, because proxies usually leave the original X-Forwarded-For header and just append its own IP to the end of the string.

There are few candidates which might suit better for the cache key: e.g. nginx adds X-Real-IP header which is always overridden, or you can use a session ID.

I'd like to propose possible solution: use only req.connection.remoteAddress by default and provide a configurable option for cases when devs want to change the IP detection behavior:

fastify.register(require('fastify-rate-limit'), {
  max: 5,
  timeWindow: '1 minute',
  resolveIpAddress: function (req) {
	return req.headers['x-forwarded-for'];
	// or return req.headers['x-real-ip'];
	// or return req.session.id;
  }
});

And then the implementation:

var ip;
if (typeof opts.resolveIpAddress === "function") {
	ip = opts.resolveIpAddress(req);
}
if (!ip) {
	ip = req.connection.remoteAddress;
}

I can create a PR but first I'd like to hear your opinion.

The devDependency fastify was updated from 2.12.0 to 2.12.1.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

fastify is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

🐛 Bug Report

When you are using Redis and a custom pre handler in a route, then the rate limiting basically fails.

To Reproduce

Steps to reproduce the behavior:

1. Create a route
2. Create a pre handler method for that route
3. Configure rate limiting via config
4. Fail

Paste your code here:

https://github.com/amir-hadi/fastify-rate-limit/blob/master/test/route-rate-limit.test.js

I forked this repo and added another test case that proves that something is wrong with Redis and a pre handler on the route. Please see the test case in my repo that is failing.

Expected behavior

It should also work with Redis and a pre handler.

Your Environment

• node version: 10.16
• fastify version: >=2.5.0
• os: Mac
• any other relevant information

Any help would be much appreciated. It looks in your preHandler the callback does not wait long enough before calling next. So your pre handler is exiting/returning and your callback is not modifying the response anymore.

Hello, i try use limit on one route but not work
example

fastifyGlobal.register(require('fastify-rate-limit'),
{
    global : false, // default true
    whitelist: [], // default []
})


fastifyGlobal.get('/', {
    config: {
      rateLimit: {
        max: 3,
        timeWindow: '1 minute'
      }
    }
  }, (req, reply) => {
    reply.send({ hello: 'from ... root' })
  })

This code is example from git, not work, request always norm.
If i use global limits WORK! But i no need global limits.
whats a problem?

In docs we have:

fastify.register(require('fastify-rate-limit'), {
  keyGenerator: function(req) { /* ... */ }, // default (req) => req.ip
})

But i had undefined for req.ip. I think it's was changed sometime ago, not sure. Maybe docs should be updated?

  keyGenerator: function(req) {
    console.log(req.ip) //undefined
    console.log(req.raw.ip) //ok
    return req.ip 
  }

In code i can see:

const keyGenerator = typeof opts.keyGenerator === 'function'
    ? opts.keyGenerator
    : (req) => req.raw.ip

And a question. If hooks added onRequest, than there is no way rate limit based on parsed cookies (fastify-cookie)?

Currently the rate limiting is not implemented before auth or body parsing is done. This create potential situations where some load is not shed from the server when it could have been,

It seems CORS Headers doesn't included in error response leading fetch to the following issue:

Access to fetch at 'http://domain.test:3000/test' from origin 'http://domain.test' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

TypeError: Failed to fetch "Failed to fetch"

My question is, Can we have another event option as onError? I mean:

{
  // ....
   onError: function ( /* Fastify response */ res ) {
        // .... magic here
        res.header('X-Custom-Header', 'value');
   },
   // ....
}

The dependency fast-json-stringify was updated from 1.16.2 to 1.16.3.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

fast-json-stringify is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

When using fastify-rate-limit with LocalStore, in a NestFastifyApplication instance:

await app.close() hangs forever as localStore in the onClose hook,does not call done=>

app. addHook('onClose', (done) => {
clearInterval(this.interval);
// missing done();
})