fix: rate-limit when max is 0 (#652)

BobDu · web-flow · commit 95b499f3377c · 2025-12-04T14:36:33.000+08:00
Signed-off-by: Bob Du &lt;i@bobdu.cc&gt;
diff --git a/service/src/middleware/limiter.ts b/service/src/middleware/limiter.ts
@@ -1,3 +1,5 @@
+import type { RequestHandler } from 'express'
+import type { Options } from 'express-rate-limit'
 import * as process from 'node:process'
 import * as dotenv from 'dotenv'
 import { rateLimit } from 'express-rate-limit'
@@ -9,15 +11,38 @@ dotenv.config()
 const MAX_REQUEST_PER_HOUR = process.env.MAX_REQUEST_PER_HOUR
 const AUTH_MAX_REQUEST_PER_MINUTE = process.env.AUTH_MAX_REQUEST_PER_MINUTE
 
-const maxCount = (isNotEmptyString(MAX_REQUEST_PER_HOUR) && !Number.isNaN(Number(MAX_REQUEST_PER_HOUR)))
-  ? Number.parseInt(MAX_REQUEST_PER_HOUR)
-  : 0 // 0 means unlimited
-const authMaxCount = (isNotEmptyString(AUTH_MAX_REQUEST_PER_MINUTE) && !Number.isNaN(Number(AUTH_MAX_REQUEST_PER_MINUTE)))
-  ? Number.parseInt(AUTH_MAX_REQUEST_PER_MINUTE)
-  : 0 // 0 means unlimited
-const limiter = rateLimit({
+function parsePositiveInt(value?: string | null): number | null {
+  if (!isNotEmptyString(value)) {
+    return null
+  }
+
+  const parsedValue = Number.parseInt(value, 10)
+
+  return Number.isNaN(parsedValue) || parsedValue <= 0 ? null : parsedValue
+}
+
+const noopLimiter: RequestHandler = (_req, _res, next) => {
+  next()
+}
+
+type LimiterOptions = Partial<Omit<Options, 'limit' | 'max'>>
+
+function buildLimiter(
+  count: number | null,
+  options: LimiterOptions,
+): RequestHandler {
+  if (!count) {
+    return noopLimiter
+  }
+
+  return rateLimit({
+    ...options,
+    limit: count,
+  })
+}
+
+const limiter = buildLimiter(parsePositiveInt(MAX_REQUEST_PER_HOUR), {
   windowMs: 60 * 60 * 1000, // Maximum number of accesses within an hour
-  max: maxCount,
   statusCode: 200, // 200 means success，but the message is 'Too many request from this IP in 1 hour'
   keyGenerator: (req, _) => {
     return requestIp.getClientIp(req) // IP address from requestIp.mw(), as opposed to req.ip
@@ -26,9 +51,9 @@ const limiter = rateLimit({
     res.send({ status: 'Fail', message: 'Too many request from this IP in 1 hour', data: null })
   },
 })
-const authLimiter = rateLimit({
+
+const authLimiter = buildLimiter(parsePositiveInt(AUTH_MAX_REQUEST_PER_MINUTE), {
   windowMs: 60 * 1000, // Maximum number of accesses within a minute
-  max: authMaxCount,
   statusCode: 200, // 200 means success，but the message is 'Too many request from this IP in 1 minute'
   keyGenerator: (req, _) => {
     return requestIp.getClientIp(req) // IP address from requestIp.mw(), as opposed to req.ip
