default key req.ip doesn't work with Next.js

[swalker-888]

Hello,

I'm using express-rate-limit for my Next.js API as a middleware. I encountered an issue where the key was being stored as 'undefined', I discovered that this is because the default key generator - 'req.ip' doesn't exist in Next, causing the undefined entry.

I've gotten around this by using the following option with the limiter:

  keyGenerator: function (req /*, res*/) {
    return req.headers["x-forwarded-for"] || req.connection.remoteAddress;
  }

Obviously the package is originally intended for express so understand why the key generator would default to req.ip, but due to it being very popular and many SO posts referencing it as a good option for a Next middleware maybe this should be included in the docs as a heads up?

[nfriedly]

Yea, that means it's probably not using express under-the-hood, as req.ip is one of the goodies that express adds.

I wonder if maybe next.js used to but doesn't any more?

I think I'm going to tweak the default keyGenerator function to throw an error if req.ip is undefined.

---

Also, be careful with your implementation - an attacker could add an x-forwarded-for header with a random IP that changes on each request, and essentially bypass your rate-limiting entirely.

Express's app.set('trust proxy', 1); setting means that it would accept 1 of these headers from your real reverse proxy, but then ignore all others. (I believe node.js will concatenate them if there are multiple - see https://nodejs.org/api/http.html#http_message_headers .)

[swalker-888]

that's great thank you. Good point i'll look into the headers again.