Feature/rlm common rate limiter (#1090)

* feat: added package node-rate-limiter-flexible

* feat: rate limiting response constants

* feat: added test cases for common rate limiter

* feat: added common rate limiter

* refactor: rate limiter import fixed

Author: bajajcodes

constants/rateLimiting.js

@@ -0,0 +1,8 @@
+const TOO_MANY_REQUESTS = {
+  ERROR_TYPE: "Too Many Requests",
+  STATUS_CODE: 429,
+};
+
+module.exports = {
+  TOO_MANY_REQUESTS,
+};

middlewares/rateLimiting.js

@@ -0,0 +1,52 @@
+const { RateLimiterMemory } = require("rate-limiter-flexible");
+const { TOO_MANY_REQUESTS } = require("../constants/rateLimiting");
+const { getRetrySeconds } = require("../utils/rateLimiting");
+
+// INFO: temporarily added here, will be take from env-var/config
+const opts = {
+  keyPrefix: "commonRateLimiter--login_fail_by_ip_per_minute",
+  points: 5,
+  duration: 30,
+  blockDuration: 60 * 10,
+};
+const globalRateLimiter = new RateLimiterMemory(opts);
+
+/**
+ * @param req object represents the HTTP request and has property for the request ip address
+ * @param res object represents the HTTP response that app sends when it get an HTTP request
+ * @param next indicates the next middelware function
+ * @returns Promise, which:
+ *  - `resolved`  with next middelware function call `next()`
+ *  - `resolved`  with response status set to 429 and message `Too Many Requests`  */
+async function commonRateLimiter(req, res, next) {
+  // INFO: get the clientIP when running behind a proxy
+  const ipAddress = req.headers["x-forwarded-for"] || req.socket.remoteAddress;
+  let retrySeconds = 0;
+  try {
+    const responseGlobalRateLimiter = await globalRateLimiter.get(ipAddress);
+    if (responseGlobalRateLimiter && responseGlobalRateLimiter.consumedPoints > opts.points) {
+      retrySeconds = getRetrySeconds(responseGlobalRateLimiter.msBeforeNext);
+    }
+    if (retrySeconds > 0) {
+      throw Error();
+    }
+    await globalRateLimiter.consume(ipAddress);
+    return next();
+  } catch (error) {
+    // INFO: sending raw seconds in response,``
+    // for letting API user decide how to represent this number.
+    retrySeconds = getRetrySeconds(error?.msBeforeNext, retrySeconds);
+    res.set({
+      "Retry-After": retrySeconds,
+      "X-RateLimit-Limit": opts.points,
+      "X-RateLimit-Remaining": error?.remainingPoints ?? 0,
+      "X-RateLimit-Reset": new Date(Date.now() + error?.msBeforeNext),
+    });
+    const message = `${TOO_MANY_REQUESTS.ERROR_TYPE}: Retry After ${retrySeconds} seconds, requests limit reached`;
+    return res.status(TOO_MANY_REQUESTS.STATUS_CODE).json({ message });
+  }
+}
+
+module.exports = {
+  commonRateLimiter,
+};

package.json

@@ -34,6 +34,7 @@
     "newrelic": "^9.0.0",
     "passport": "^0.6.0",
     "passport-github2": "^0.1.12",
+    "rate-limiter-flexible": "^2.4.1",
     "winston": "^3.3.3"
   },
   "devDependencies": {

test/unit/middlewares/rateLimiting.test.js

@@ -0,0 +1,77 @@
+const sinon = require("sinon");
+const { TOO_MANY_REQUESTS } = require("../../../constants/rateLimiting");
+const { commonRateLimiter } = require("../../../middlewares/rateLimiting");
+
+function mockRequest(ipAddress) {
+  return {
+    headers: {
+      "x-forwarded-for": ipAddress,
+    },
+    socket: {
+      remoteAddress: ipAddress,
+    },
+  };
+}
+
+function mockResponse(sandbox) {
+  const res = {};
+  res.status = sandbox.stub().returns(res);
+  res.json = sandbox.stub().returns(res);
+  res.set = sandbox.stub().returns(res);
+  return res;
+}
+
+describe("Rate Limting Middelware", function () {
+  let req;
+  let res;
+  let next;
+  let sandbox;
+
+  beforeEach(function () {
+    sandbox = sinon.createSandbox();
+    req = mockRequest("127.0.0.1");
+    res = mockResponse(sandbox);
+    next = sandbox.stub();
+  });
+
+  afterEach(function () {
+    sandbox.restore();
+  });
+
+  it("Should call the next middelware if the request count is under the limit", async function () {
+    await commonRateLimiter(req, res, next);
+    sinon.assert.calledOnce(next);
+  });
+
+  it("Should return 429 status code and message `Too many requests` if the request count exceeds the limit", async function () {
+    const promises = [];
+    for (let index = 0; index < 10; ++index) {
+      const promise = commonRateLimiter(req, res, next);
+      promises.push(promise);
+    }
+    await Promise.all(promises);
+    sinon.assert.calledWithMatch(res.status, TOO_MANY_REQUESTS.STATUS_CODE);
+  });
+
+  it("Should reset the request count after duration has passed", async function () {
+    const promises = [];
+    for (let index = 0; index < 10; ++index) {
+      const promise = commonRateLimiter(req, res, next);
+      promises.push(promise);
+    }
+    await Promise.all(promises);
+    sinon.assert.calledWithMatch(res.status, TOO_MANY_REQUESTS.STATUS_CODE);
+
+    /**
+     INFO[no-reasoning-only-assumption]:
+     using setTimeout instead of sinon.FakeTimers,
+     because clock was ticking for expected duration but
+     key was not getting deleted from middelware store
+     */
+    setTimeout(async () => {
+      await commonRateLimiter(req, res, next);
+      sinon.assert.neverCalledWithMatch(res.status, TOO_MANY_REQUESTS.STATUS_CODE);
+      sinon.assert.calledOnce(next);
+    }, 1000);
+  });
+});

utils/rateLimiting.js

@@ -0,0 +1,13 @@
+/**
+ * @param msBeforeNext
+ * @param fallbackValue seconds value to fallback on if `msBeforeNext` is falsy
+ * @returns retrySeconds: number of seconds to wait before making next request
+ */
+function getRetrySeconds(msBeforeNext, fallbackValue = 1) {
+  if (!msBeforeNext) return fallbackValue;
+  return Math.round(msBeforeNext / 1000) || fallbackValue;
+}
+
+module.exports = {
+  getRetrySeconds,
+};