
Bad Actor Split and many new features/fixes #4

Merged
merged 3 commits into from
Aug 17, 2022

Conversation

@asilvas-godaddy asilvas-godaddy commented Aug 16, 2022

  • Feature hitRatio has been replaced by hostBadActorSplit and
    ipBadActorSplit so that we're throttling the top offenders regardless
    of whether they hit an arbitrary percentage of traffic
  • Feature Support for TypeScript has modern language features
  • Feature Support for waitForHistory (enabled by default) which
    prevents userLag from being triggered prematurely before we have
    sufficient evidence/history
  • Feature Official pre-request bad actor support (such as TLS SNI)
  • Fix Calling isBadHost or isBadIp will now update history.
    This will make for more accurate bad actor detection for scenarios that
    leverage pre-request tracking (such as TLS SNI) in cases that result
    in large volumes of pre-middleware rejections
  • Feature Support for hostWhitelist and ipWhitelist options
    if you want to prevent certain hosts or IPs from ever being blocked
  • Feature Full test suite (that should have been in 1.0!)

Philosophy
The basic idea is that for a given tracking window we identify
the TOP OFFENDERS, regardless of ratios. During nominal windows
bad actors are irrelevant as they won't be looked at until the system
becomes too busy. But during an attack window, we want to be on the
lookout for as many possible actors as the amount of throughput
reduction desired is substantial. The default BadActorSplit of 0.5
simply means that we consider the most active 50% of traffic to
be susceptible to throttling.

Future
There is an opportunity to support tiered throttling so the
aggressiveness of the throttling is proportional to how busy the system
becomes. For example, instead of a flat 50% split @ 70ms lag, it could
look something like:
* 10% split @ 70ms
* 20% split @ 80ms
* ...
* 90% split @ 160ms

  If this pattern ends up being necessary, it can/should replace the
  need for `userLag` as well.
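An added example, not the project's own code, of the "bad actor split" idea described above together with the `getTopOffenders(records, split)` shape suggested in review. It assumes `records` maps a host or IP to its request count in the current sliding window, that `split` is the fraction of total traffic whose most active sources become throttleable, that whitelisted keys are never selected, and that bad actors are throttled at one lag threshold while everyone is throttled (`'userLag'`) at a higher one, in both cases only once `minHistory` requests have been observed (the `waitForHistory` behaviour); the names and thresholds are assumptions.

```typescript
// Hypothetical implementation of the bad-actor split (not the project's code).
export type BadActorType = 'host' | 'ip';

// Returns the most active keys that together make up the top `split` share of
// traffic, most active first. Whitelisted keys are excluded before ranking.
export function getTopOffenders(
  records: Record<string, number>, split: number, whitelist: string[] = [],
): string[] {
  const keys = Object.keys(records).filter((k) => whitelist.indexOf(k) === -1);
  const total = keys.reduce((sum, k) => sum + records[k], 0);
  if (split <= 0 || total === 0) return [];
  // Most active first; ties broken by key so the result is deterministic.
  keys.sort((a, b) => records[b] - records[a] || a.localeCompare(b));
  const offenders: string[] = [];
  let covered = 0;
  for (const k of keys) {
    if (covered >= split * total) break; // top `split` share already covered
    offenders.push(k);
    covered += records[k];
  }
  return offenders;
}

// Assumed state: lagMs is the current event-loop lag; badActorLagMs (e.g. 70)
// is where bad actors start being throttled; userLagMs is the higher lag at
// which every request is throttled; minHistory implements waitForHistory.
export interface ThrottleState {
  lagMs: number; badActorLagMs: number; userLagMs: number;
  historySize: number; minHistory: number;
  badHosts: string[]; badIps: string[];
}

export function shouldThrottleRequest(
  s: ThrottleState, host: string, ip: string,
): BadActorType | 'userLag' | false {
  if (s.historySize < s.minHistory) return false; // not enough evidence yet
  if (s.lagMs >= s.badActorLagMs && s.badHosts.indexOf(host) !== -1) return 'host';
  if (s.lagMs >= s.badActorLagMs && s.badIps.indexOf(ip) !== -1) return 'ip';
  if (s.lagMs >= s.userLagMs) return 'userLag';
  return false;
}

// Constructed sample window: one host dominates, so a 0.5 split selects it alone.
export const sampleWindow: Record<string, number> =
  { 'a.example': 60, 'b.example': 30, 'c.example': 10 };
export const sampleOffenders = getTopOffenders(sampleWindow, 0.5); // ['a.example']
```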

src/metrics.ts Outdated
need for `userLag` as well.
*/

// hosts


nit: could DRY into getTopOffenders(records, split) { ... }

src/connect.ts Outdated
};
}

shouldThrottleRequest(req): string|boolean {


nit: maybe some more use of literal types
shouldThrottleRequest(req): BadActorType | 'userLag' | false

ipWhitelist?: Set<string>;
}

export class Metrics {


could timestamps be helpful? to help track snapshots and differentiate between spikes and slow buildups

asilvas-godaddy (Collaborator, Author) replied:

Not with the current algorithm since it uses a sliding window of time. But future versions might use a progressive algorithm and have need for time. We might even be able to move away from N requests and use a time window instead, but out of scope for this PR.


@chinrichs-godaddy chinrichs-godaddy left a comment


Nice


@sleparc-godaddy sleparc-godaddy left a comment


👍


sonarcloud bot commented Aug 17, 2022

Kudos, SonarCloud Quality Gate passed!

Bug: A, 0 Bugs
Vulnerability: A, 0 Vulnerabilities
Security Hotspot: A, 0 Security Hotspots
Code Smell: A, 0 Code Smells

No Coverage information
0.0% Duplication

@asilvas-godaddy asilvas-godaddy merged commit f45be65 into master Aug 17, 2022
@asilvas-godaddy asilvas-godaddy deleted the bad-actor-split branch August 17, 2022 15:31