gitfrosh · gitfrosh · Feb 4, 2022 · Nov 26, 2021 · Jan 29, 2022 · Jan 29, 2022
diff --git a/backend/middleware/api.limiter.js b/backend/middleware/api.limiter.js
@@ -0,0 +1,15 @@
+const rateLimit = require("express-rate-limit");
+const apiLimiter = rateLimit({
+    windowMs: 10 * 60 * 1000, // 15 minutes
+    max: 100,
+    // skip limiter for special tokens (e.g. hackathons)
+    // skip: function (req, res) {
+    //   const token = req.header('authorization')?.split(' ')[1];
+    //   if (dpwcToken === token) {
+    //     return true
+    //   }
+    //   return false;
+    // },
+});
+
+module.exports = apiLimiter;
diff --git a/backend/middleware/api.limiter.spec.js b/backend/middleware/api.limiter.spec.js
@@ -0,0 +1,30 @@
+const express = require('express');
+const request = require('supertest');
+
+const app = express();
+const router = express.Router();
+const apiLimiter = require('../middleware/api.limiter');
+
+router.route('/book/').get((req, res) => res.sendStatus(200));
+
+app.use("/v2/", apiLimiter);
+app.use("/v2", router);
+
+describe('api  limiter', () => {
+
+    it('should return 200 OK when rate limit not exceeded', async () => {
+        const response = await request(app).get('/v2/book/');
+        expect(response.statusCode).toEqual(200);
+    });
+
+    it('should respond with 429 Too Many Requests when rate limit exceeded', async () => {
+        const rateLimit = 100;
+
+        let response;
+        for (let i = 0; i <= rateLimit; i++) {
+            response = await request(app).get('/v2/book/');
+        }
+        expect(response.statusCode).toEqual(429);
+        expect(response.text).toEqual('Too many requests, please try again later.');
+    });
+});
diff --git a/backend/middleware/auth.limiter.js b/backend/middleware/auth.limiter.js
@@ -0,0 +1,6 @@
+const rateLimit = require('express-rate-limit');
+
+const authLimiter = (options) => {
+    return rateLimit({ ...options })
+};
+module.exports = authLimiter;
diff --git a/backend/middleware/auth.limiter.spec.js b/backend/middleware/auth.limiter.spec.js
@@ -0,0 +1,33 @@
+const express = require('express');
+const request = require('supertest');
+
+const app = express();
+const router = express.Router();
+const authLimiter = require('../middleware/auth.limiter');
+
+const rateLimit = 1;
+const hourWindow = 60 * 60 * 1000;
+
+router.route('/register').post([authLimiter({ windowMs: hourWindow, max: rateLimit }), (req, res) => res.sendStatus(200)]);
+
+app.use(express.json());
+app.use('/auth', router);
+
+const requestBody = { email: 'fake@email.com', password: 'P@$$1' };
+
+describe('auth limiter', () => {
+
+    it('should return 200 OK when rate limit not exceeded', async () => {
+        const response = await request(app).post('/auth/register/').send(requestBody);
+        expect(response.statusCode).toEqual(200);
+    });
+
+    it('should respond with 429 Too Many Requests when rate limit exceeded', async () => {
+        let response;
+        for (let i = 0; i <= rateLimit; i++) {
+            response = await request(app).post('/auth/register/').send(requestBody);
+        }
+        expect(response.statusCode).toEqual(429);
+        expect(response.text).toEqual('Too many requests, please try again later.');
+    });
+});