feat: add slow down middleware (github#26207)

* feat: add slow down middleware

Co-authored-by: Peter Bengtsson <[email protected]>

Author: mikesurowiec

docker-compose.prod.tmpl.yaml

@@ -17,6 +17,7 @@ services:
       ENABLED_LANGUAGES: ${ENABLED_LANGUAGES}
       DEPLOYMENT_ENV: ${DEPLOYMENT_ENV}
       RATE_LIMIT_MAX: ${RATE_LIMIT_MAX}
+      SLOW_DOWN_MAX: ${SLOW_DOWN_MAX}
       HEROKU_PRODUCTION_APP: true
       PORT: 4000
       DD_AGENT_HOST: datadog-agent

middleware/index.js

@@ -9,6 +9,7 @@ import timeout from './timeout.js'
 import morgan from 'morgan'
 import datadog from './connect-datadog.js'
 import rateLimit from './rate-limit.js'
+import slowDown from './slow-down.js'
 import cors from './cors.js'
 import helmet from 'helmet'
 import csp from './csp.js'
@@ -212,6 +213,7 @@ export default function (app) {
   }
 
   // *** Early exits ***
+  app.use(slowDown)
   app.use(rateLimit)
   app.use(instrument(handleInvalidPaths, './handle-invalid-paths'))
   app.use(asyncMiddleware(instrument(handleNextDataPath, './handle-next-data-path')))

middleware/slow-down.js

@@ -0,0 +1,20 @@
+import slowDown from 'express-slow-down'
+import statsd from '../lib/statsd.js'
+
+const MAX = process.env.SLOW_DOWN_MAX ? parseInt(process.env.SLOW_DOWN_MAX, 10) : 10000
+if (isNaN(MAX)) {
+  throw new Error(`process.env.SLOW_DOWN_MAX (${process.env.SLOW_DOWN_MAX}) not a number`)
+}
+
+export default slowDown({
+  windowMs: 1 * 60 * 1000, // 1 minute window
+  delayAfter: MAX, // allow MAX requests to go at full-speed, then...
+  delayMs: 100, // MAX+1 request has a 100ms delay, MAX+2 has a 200ms delay, MAX+3 has 300ms, etc.
+  maxDelayMs: 9 * 1000, // slightly less than our Express timeout handler
+
+  // Function to listen the first time the limit is reached within windowMs. Defaults:
+  onLimitReached: (request) => {
+    const tags = [`url:${request.url}`, `ip:${request.ip}`]
+    statsd.increment('middleware.slow_down', 1, tags)
+  },
+})

package-lock.json

@@ -29,6 +29,7 @@
     "dotenv": "^10.0.0",
     "express": "^4.17.2",
     "express-rate-limit": "^6.0.4",
+    "express-slow-down": "^1.4.0",
     "express-timeout-handler": "^2.2.2",
     "flat": "^5.0.2",
     "github-slugger": "^1.4.0",