chore/Add-rate-limit (#44)

gabrielmachin · web-flow · commit 3821bd02a032 · 2024-01-16T11:55:42.000-03:00
* chore/Add-rate-limit

* Update README

* Rebase with main

* Fix comments
diff --git a/.env.example b/.env.example
@@ -23,3 +23,4 @@ REDIS_USERNAME=''
 JOBS_RETENTION_HOURS=24
 
 OTP_EXPIRATION_MINUTES=15
+ENABLE_RATE_LIMIT='true'
diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml
@@ -30,6 +30,7 @@ env:
   REDIS_USERNAME: 'default'
   JOBS_RETENTION_HOURS: '24'
   OTP_EXPIRATION_MINUTES: '15'
+  ENABLE_RATE_LIMIT: 'true'
 
 jobs:
   build:
diff --git a/.woodpecker/.backend-ci.yml b/.woodpecker/.backend-ci.yml
@@ -22,6 +22,7 @@ x-common: &common
     - REDIS_USERNAME=default
     - JOBS_RETENTION_HOURS=24
     - OTP_EXPIRATION_MINUTES=15
+    - ENABLE_RATE_LIMIT=true
 
 pipeline:
   setup:
diff --git a/README.md b/README.md
@@ -95,3 +95,7 @@ In fact, the Dockerfile has instructions only for generating the production-read
 ### BullMQ worker
 * To add a new worker we just need to create a `new Worker()` object in the worker folder and pass a queue name to pick up tasks from.
 * To schedule a new job in the queue we need to create a `new Queue()` object in the queue folder and pass it a queue name to schedule tasks in. Any metadata for the task should be pass as a JSON, e.g `queue.add('job_name', { ...params }, options);`.
+
+### Rate limit
+* To use express rate limit set the `ENABLE_RATE_LIMIT` env var to true otherwise rate limits will dependant on the nginx configuration.
+* To add a new rate limit we need to create a new `rateLimit` object and then assign it to an endpoint e.g `app.use('v1/auth/register', rateLimit)`. For more info check out the [express-rate-limit docs](https://express-rate-limit.mintlify.app/overview).
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -74,7 +74,7 @@
     "dotenv": "^16.0.0",
     "dotenv-cli": "^7.3.0",
     "express": "^4.17.1",
-    "express-rate-limit": "^6.3.0",
+    "express-rate-limit": "^7.1.5",
     "helmet": "^7.0.0",
     "http-status": "^1.5.0",
     "ioredis": "^5.3.2",
@@ -88,6 +88,7 @@
     "nodemon": "^3.0.1",
     "prisma": "^5.5.2",
     "pug": "^3.0.2",
+    "rate-limit-redis": "^4.2.0",
     "swagger-ui-express": "^5.0.0",
     "tsconfig-paths": "^4.1.2",
     "tsoa": "^5.1.1",
diff --git a/src/config/config.ts b/src/config/config.ts
@@ -54,6 +54,7 @@ const envVarsSchema = z
         (val) => !Number.isNaN(val),
         'OTP EXPIRATION TIME must be a number',
       ),
+    ENABLE_RATE_LIMIT: z.string(),
   })
   .passthrough();
 
@@ -62,6 +63,8 @@ const envVars = envVarsSchema.parse(process.env);
 export const isDevelopment = envVars.NODE_ENV === 'development';
 export const isTest = envVars.NODE_ENV === 'test';
 export const isProduction = envVars.NODE_ENV === 'production';
+export const hasToApplyRateLimit =
+  envVars.ENABLE_RATE_LIMIT.toLocaleLowerCase() === 'true';
 
 export const config: Config = {
   env: envVars.NODE_ENV,
diff --git a/src/middlewares/index.ts b/src/middlewares/index.ts
@@ -2,7 +2,7 @@ import express, { Application } from 'express';
 import helmet from 'helmet';
 import compression from 'compression';
 import cors from 'cors';
-import { globalLimiter } from 'middlewares/rateLimiter';
+import { applyRateLimit } from 'middlewares/rateLimiter';
 import { morganHandlers } from 'config/morgan';
 import { errorConverter, errorHandler } from 'middlewares/error';
 import { Wrapper } from 'types';
@@ -24,7 +24,7 @@ export const preRoutesMiddleware = (app: Application) => {
   app.use(cors());
 
   // Limit requests from same IP
-  app.use(globalLimiter);
+  applyRateLimit(app);
 
   // Load Morgan handlers
   app.use(morganHandlers.successHandler);
diff --git a/src/middlewares/rateLimiter.ts b/src/middlewares/rateLimiter.ts
@@ -1,7 +1,21 @@
+import { Application } from 'express';
 import rateLimit from 'express-rate-limit';
+import { RedisStore } from 'rate-limit-redis';
 
-export const globalLimiter = rateLimit({
-  windowMs: 15 * 60 * 1000,
-  max: 20,
-  skipSuccessfulRequests: true,
+import { redisConnection } from 'utils/redis';
+import { hasToApplyRateLimit } from 'config/config';
+
+// Defaults to window of 1 minute and a limit of 5 connections
+const authLimiter = rateLimit({
+  store: new RedisStore({
+    // @ts-expect-error - Known issue: the `call` function is not present in @types/ioredis
+    sendCommand: (...args: string[]) => redisConnection.call(...args),
+  }),
 });
+
+export const applyRateLimit = (app: Application) => {
+  if (hasToApplyRateLimit) {
+    // This will make all the routes under the auth controller share the same rate limit
+    app.use('*/auth/', authLimiter);
+  }
+};
diff --git a/src/utils/redis.ts b/src/utils/redis.ts
@@ -7,7 +7,6 @@ const workerConnectionOptions = {
   password: config.redisPassword,
   username: config.redisUsername,
   maxRetriesPerRequest: null,
-  enableOfflineQueue: false,
   showFriendlyErrorStack: !isProduction,
 } as RedisOptions;
 

Original file line number	Diff line number	Diff line change
`@@ -23,3 +23,4 @@ REDIS_USERNAME=''`
`23`	`23`	`JOBS_RETENTION_HOURS=24`
`24`	`24`
`25`	`25`	`OTP_EXPIRATION_MINUTES=15`
	`26`	`+ENABLE_RATE_LIMIT='true'`