I'm using express-rate-limit for my Next.js API as a middleware. I encountered an issue where the key was being stored as 'undefined'. I discovered that this is because the default key generator, 'req.ip', doesn't exist in Next, causing the undefined entry.
I've gotten around this by using the following option with the limiter:
Obviously the package is originally intended for Express, so I understand why the key generator would default to req.ip, but since it is very popular and many SO posts reference it as a good option for a Next middleware, maybe this should be included in the docs as a heads up?
Yea, that means it's probably not using express under-the-hood, as req.ip is one of the goodies that express adds.
I wonder if maybe next.js used to but doesn't any more?
I think I'm going to tweak the default keyGenerator function to throw an error if req.ip is undefined.
Also, be careful with your implementation - an attacker could add an x-forwarded-for header with a random IP that changes on each request, and essentially bypass your rate-limiting entirely.
Express's app.set('trust proxy', 1); setting means that it would accept 1 of these headers from your real reverse proxy, but then ignore all others. (I believe node.js will concatenate them if there are multiple - see https://nodejs.org/api/http.html#http_message_headers .)