Block request coming from hostname? #18

Closed
hnqlv opened this issue Apr 1, 2016 · 3 comments
Labels
question A question related to the library

Comments


hnqlv commented Apr 1, 2016

First of all, really good project @nfriedly 🙌

I just released this project heymoji.cool. The problem I'm facing right now is that, because you can embed heymoji using an iframe, I can't just block by IP. Otherwise, when I hit the limit, I can't "vote" on other sites as well.

I'm trying to find a way to detect the requests coming from X and block them by hostname. So if I hit the fire emoji 100 times on a.com the limit is set, but I can still go to b.com and vote there.

Does it make sense? Do you have any suggestion?

Cheers

@hnqlv hnqlv changed the title Detect request coming from hostname Block request coming from hostname? Apr 1, 2016
Member

nfriedly commented Apr 1, 2016

hey @henriquea I think I follow what you're talking about, it sounds like you're trying to use this for the "business logic" of your app, limiting how many times a user can cast a vote on a given instance of the widget, correct?

That's not really what express-rate-limit is designed for - it's intended to block/slow down abusive end-users. So if a user is abusing your project on a.com by voting a bajillion times, you would probably also want to block that user on b.com, right?

You're welcome to fork the code and adjust it to do your business logic - I think you could just change line 37 to

    var ip = req.ip + '-' + req.query.url;

But that will automatically reset after a while, so it might not be what you actually want.

Or am I misunderstanding you entirely?
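
The trade-off discussed in this comment, as an added example that is not part of the original thread or of express-rate-limit's code: a self-contained fixed-window limiter keyed on `req.ip` plus the hostname parsed from `req.query.url`, with a per-IP ceiling kept in place because that query value is supplied by the client. It assumes `req.query.url` carries the embedding page's URL; the function names, option names and limits are hypothetical.

```javascript
// Added example. `req.ip` and `req.query.url` are the values named in the
// thread; function names, option names and limits are hypothetical.

// Reduce the client-supplied page URL to a hostname, so different paths or
// query strings on the same site share one bucket.
function embedHost(rawUrl) {
  try {
    const u = new URL(String(rawUrl));
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return 'invalid';
    return u.hostname;
  } catch (e) {
    return 'invalid'; // missing or malformed values all share one bucket
  }
}

function createLimiter({ windowMs, perHostMax, perIpMax, now = Date.now }) {
  const hits = new Map(); // key -> { count, resetAt }
  let nextSweep = 0;

  function bump(key) {
    const t = now();
    if (t >= nextSweep) {
      // Once per window, drop expired buckets so idle keys do not pile up.
      for (const [k, e] of hits) if (t >= e.resetAt) hits.delete(k);
      nextSweep = t + windowMs;
    }
    let entry = hits.get(key);
    if (!entry || t >= entry.resetAt) {
      entry = { count: 0, resetAt: t + windowMs };
      hits.set(key, entry);
    }
    return ++entry.count;
  }

  function reject(res) {
    res.statusCode = 429;
    res.end('Too many requests');
  }

  // Express-style middleware: (req, res, next)
  return function limit(req, res, next) {
    // The hostname is chosen by the client, so it cannot be the only key.
    // The per-IP ceiling is checked first and applies across all hostnames;
    // it also caps how many host buckets one address can create per window.
    if (bump('ip:' + req.ip) > perIpMax) return reject(res);
    const host = embedHost(req.query && req.query.url);
    if (bump('host:' + req.ip + '-' + host) > perHostMax) return reject(res);
    next();
  };
}
```

The counters live in process memory, so they reset on restart and are not shared between server instances.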

Author

hnqlv commented Apr 1, 2016

Thanks for the quick response @nfriedly 😎

Yes, exactly! It's hard to come up with a limit number. Let's say this gets popular and is in a lot of posts. I might read ~20 articles during the day; if each article has 5 widgets, it isn't that hard to hit 100 requests.

> So if a user is abusing your project on a.com by voting a bajillion times, you would probably also want to block that user on b.com, right?

You made a fair point, I agree. I wouldn't mind if it reset after a while, I think this is the right behaviour.

Cheers

Author

hnqlv commented Apr 1, 2016

@nfriedly closing this issue now, since we have an alternative. Thanks again!

@hnqlv hnqlv closed this as completed Apr 1, 2016
@gamemaker1 gamemaker1 added the question A question related to the library label Dec 30, 2021