✨ Add rate and speed limiting

Author: AnandChowdhary

package.json

@@ -38,6 +38,7 @@
     "@types/dotenv": "^6.1.1",
     "@types/express": "^4.16.1",
     "@types/express-brute": "^0.0.37",
+    "@types/express-slow-down": "^1.1.0",
     "@types/fs-extra": "^7.0.0",
     "@types/geolite2": "^1.2.0",
     "@types/hapi__joi": "^15.0.1",
@@ -78,6 +79,8 @@
     "express": "^4.17.0",
     "express-async-handler": "^1.1.4",
     "express-brute": "^1.0.1",
+    "express-rate-limit": "^4.0.3",
+    "express-slow-down": "^1.3.1",
     "fs-extra": "^8.0.1",
     "geolite2": "^1.2.1",
     "googleapis": "^40.0.0",

src/config.ts

@@ -4,12 +4,29 @@ config();
 // Server
 export const PORT = process.env.PORT ? parseInt(process.env.PORT) : 7007;
 export const SENTRY_DSN = process.env.SENTRY_DSN || "";
+
+// Rate limiting
 export const BRUTE_FREE_RETRIES = process.env.BRUTE_FREE_RETRIES
   ? parseInt(process.env.BRUTE_FREE_RETRIES)
   : 10;
 export const BRUTE_LIFETIME = process.env.BRUTE_LIFETIME
   ? parseInt(process.env.BRUTE_LIFETIME)
   : 300000;
+export const RATE_LIMIT_TIME = process.env.RATE_LIMIT_TIME
+  ? parseInt(process.env.RATE_LIMIT_TIME)
+  : 60000; // 1 minute
+export const RATE_LIMIT_MAX = process.env.RATE_LIMIT_MAX
+  ? parseInt(process.env.RATE_LIMIT_MAX)
+  : 200; // Max 200 requests/minute from an IP
+export const SPEED_LIMIT_TIME = process.env.SPEED_LIMIT_TIME
+  ? parseInt(process.env.SPEED_LIMIT_TIME)
+  : 600000; // 10 minutes
+export const SPEED_LIMIT_DELAY = process.env.SPEED_LIMIT_DELAY
+  ? parseInt(process.env.SPEED_LIMIT_DELAY)
+  : 100; // 100ms per request delay
+export const SPEED_LIMIT_COUNT = process.env.SPEED_LIMIT_COUNT
+  ? parseInt(process.env.SPEED_LIMIT_COUNT)
+  : 1000; // Start delaying after 1000 requests
 
 // Database
 export const DB_HOST = process.env.DB_HOST || "localhost";

src/helpers/middleware.ts

@@ -1,14 +1,33 @@
 import { Request, Response, NextFunction } from "express";
 import Brute from "express-brute";
+import { RateLimit } from "express-rate-limit";
+import slowDown from "express-slow-down";
 import { safeError } from "./errors";
 import { verifyToken } from "./jwt";
 import { ErrorCode, Tokens } from "../interfaces/enum";
-import { BRUTE_LIFETIME, BRUTE_FREE_RETRIES } from "../config";
+import {
+  BRUTE_LIFETIME,
+  BRUTE_FREE_RETRIES,
+  RATE_LIMIT_MAX,
+  RATE_LIMIT_TIME,
+  SPEED_LIMIT_DELAY,
+  SPEED_LIMIT_COUNT,
+  SPEED_LIMIT_TIME
+} from "../config";
 const store = new Brute.MemoryStore();
 const bruteForce = new Brute(store, {
   freeRetries: BRUTE_FREE_RETRIES,
   lifetime: BRUTE_LIFETIME
 });
+const rateLimiter = RateLimit({
+  windowMs: RATE_LIMIT_TIME,
+  max: RATE_LIMIT_MAX
+});
+const speedLimiter = slowDown({
+  windowMs: SPEED_LIMIT_TIME,
+  delayAfter: SPEED_LIMIT_COUNT,
+  delayMs: SPEED_LIMIT_DELAY
+});
 
 /**
  * Handle any errors for Express
@@ -75,3 +94,13 @@ export const authHandler = async (
  * Brute force middleware
  */
 export const bruteForceHandler = bruteForce.prevent;
+
+/**
+ * Rate limiting middleware
+ */
+export const rateLimitHandler = rateLimiter;
+
+/**
+ * Speed limiting middleware
+ */
+export const speedLimitHandler = speedLimiter;

src/server.ts

@@ -7,7 +7,12 @@ import responseTime from "response-time";
 import { json, urlencoded } from "body-parser";
 import { Server } from "@overnightjs/core";
 import { UserController } from "./controllers/user";
-import { errorHandler, trackingHandler } from "./helpers/middleware";
+import {
+  errorHandler,
+  trackingHandler,
+  rateLimitHandler,
+  speedLimitHandler
+} from "./helpers/middleware";
 import { OrganizationController } from "./controllers/organization";
 import { AdminController } from "./controllers/admin";
 import { AuthController } from "./controllers/auth";
@@ -38,6 +43,8 @@ export class Staart extends Server {
     this.app.use(urlencoded({ extended: true }));
     this.app.use(responseTime());
     this.app.use(trackingHandler);
+    this.app.use(rateLimitHandler);
+    this.app.use(speedLimitHandler);
   }
 
   private setupControllers() {

yarn.lock

@@ -1121,6 +1121,13 @@
     "@types/node" "*"
     "@types/range-parser" "*"
 
+"@types/express-slow-down@^1.1.0":
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/@types/express-slow-down/-/express-slow-down-1.1.0.tgz#bbca86683d86dc21d740aa6e336fba4dc1e77309"
+  integrity sha512-216eW7oONH1L1dddDO4cv9bdZzakSJylBxC3Yxkx6j8k4bc/c8PSlszIFq7yKQHqeA1vloyxAc50qwTxUGCTqg==
+  dependencies:
+    "@types/express" "*"
+
 "@types/express@*", "@types/express@^4.16.1":
   version "4.16.1"
   resolved "https://registry.yarnpkg.com/@types/express/-/express-4.16.1.tgz#d756bd1a85c34d87eaf44c888bad27ba8a4b7cf0"
@@ -1978,6 +1985,11 @@ clone@2.x:
   resolved "https://registry.yarnpkg.com/clone/-/clone-2.1.2.tgz#1b7f4b9f591f1e8f83670401600345a02887435f"
   integrity sha1-G39Ln1kfHo+DZwQBYANFoCiHQ18=
 
+clone@^1.0.2:
+  version "1.0.4"
+  resolved "https://registry.yarnpkg.com/clone/-/clone-1.0.4.tgz#da309cc263df15994c688ca902179ca3c7cd7c7e"
+  integrity sha1-2jCcwmPfFZlMaIypAheco8fNfH4=
+
 co@^4.6.0:
   version "4.6.0"
   resolved "https://registry.yarnpkg.com/co/-/co-4.6.0.tgz#6ea6bdf3d853ae54ccb8e47bfa0bf3f9031fb184"
@@ -2289,6 +2301,13 @@ deep-is@~0.1.3:
   resolved "https://registry.yarnpkg.com/deep-is/-/deep-is-0.1.3.tgz#b369d6fb5dbc13eecf524f91b070feedc357cf34"
   integrity sha1-s2nW+128E+7PUk+RsHD+7cNXzzQ=
 
+defaults@^1.0.3:
+  version "1.0.3"
+  resolved "https://registry.yarnpkg.com/defaults/-/defaults-1.0.3.tgz#c656051e9817d9ff08ed881477f3fe4019f3ef7d"
+  integrity sha1-xlYFHpgX2f8I7YgUd/P+QBnz730=
+  dependencies:
+    clone "^1.0.2"
+
 define-properties@^1.1.2:
   version "1.1.3"
   resolved "https://registry.yarnpkg.com/define-properties/-/define-properties-1.1.3.tgz#cf88da6cbee26fe6db7094f61d870cbd84cee9f1"
@@ -2605,6 +2624,18 @@ express-brute@^1.0.1:
     long-timeout "~0.1.1"
     underscore "~1.8.3"
 
+express-rate-limit@^4.0.3:
+  version "4.0.3"
+  resolved "https://registry.yarnpkg.com/express-rate-limit/-/express-rate-limit-4.0.3.tgz#70ec815f6ba2d6a62400c8a7bd341c420b4330cc"
+  integrity sha512-9+v6DXQdLLd4EqdEkXXM1ctdVNgjw4w8V1WLvlpnIb2SZ5wJ3Kvu8FOMzBPIAX+iO1F24AG640eOOHCv/0GmKg==
+
+express-slow-down@^1.3.1:
+  version "1.3.1"
+  resolved "https://registry.yarnpkg.com/express-slow-down/-/express-slow-down-1.3.1.tgz#0458bb8670ea1cbedaa00bae4293024ee4e9445e"
+  integrity sha512-mkxVJt3z2e0/LIVp144xpaPw8Ku2f6XS9ftjgwMsUtp+4a84hk6NI6/KTEPkq1kjCsJuXeG6SA/izCWxaErBdg==
+  dependencies:
+    defaults "^1.0.3"
+
 express@^4.16.3, express@^4.17.0:
   version "4.17.1"
   resolved "https://registry.yarnpkg.com/express/-/express-4.17.1.tgz#4491fc38605cf51f8629d39c2b5d026f98a4c134"