request-throttler
Middleware to throttle requests from a single user or a set of users. Helpful in reducing server load, preventing data mining, and stifling brute force attacks.
If a given user goes above the allowed requestsPerSecond, a 503 is returned for every request until the average drops. User state and request count are kept in the redis database and reset after timeToLive seconds. The redis database is specified during configuration.

It's important to note that the count can only be updated as fast as the redis database allows access: if two requests come in at the same time, the count will only be increased by one.
Note: The --harmony flag is required for both koa and express.
Usage

The original snippets lost everything but `app;`; the method names below (`throttler.koa`, `throttler.express`, and calling the module directly) are assumed and marked as such.

koa
```javascript
var throttler = require('request-throttler'); // module name taken from this README's title
app.use(throttler.koa(config));               // assumed name of the koa entry point
```

express
```javascript
app.use(throttler.express(config));           // assumed name of the express entry point
```

Duck type
```javascript
// app is express or koa
app.use(throttler(config));                   // assumed: the framework is detected from app
```
Configuration
config.host
- Optional
- The host where the redis database can be accessed
- Default: 127.0.0.1
```javascript
config.host = '127.0.0.1';
```
config.port
- Optional
- The port where the redis database can be accessed
- Default: 6379
```javascript
config.port = 6379;
```
config.requestsPerSecond
- Required
- The number of requests per second allowed per user
- Make sure to base this on the uniqueness of the fingerprint
```javascript
config.requestsPerSecond = 30;
```
config.timeToLive
- Required
- The lifespan (in seconds) of the fingerprint store
- A lower lifespan will cause faster fingerprint expiration and cut down on storage size
- A higher lifespan will allow a user's requests to normalize over time (bursts will be less likely to throttle the user)
```javascript
config.timeToLive = 60;
```
config.throttler
- Optional
- The handler called when a user is throttled
- Default: sends a 503 and a generic "Service unavailable" message
```javascript
// express (handler arguments assumed to follow the express convention)
config.throttler = function (req, res) {
  console.log('throttled'); // log message is illustrative
  res.status(503).send('Service unavailable');
};

// koa (generator middleware; the original snippet sent 500, which contradicts
// the default described above, so it is corrected to 503 here)
config.throttler = function* () {
  console.log('throttled');
  this.status = 503;
  this.body = 'Service unavailable';
};
```
config.error
- Optional
- The handler called if an error occurs
- Default: sends a 500 and a generic "Internal server error" message
```javascript
// express (handler arguments assumed to follow the express convention)
config.error = function (err, req, res) {
  console.log(err); // what is logged is illustrative
  res.status(500).send('Internal server error');
};

// koa (generator middleware)
config.error = function* () {
  console.log('error');
  this.status = 500;
  this.body = 'Internal server error';
};
```
Customization
Redis Workarounds
The redis store methods can be overridden, and redis can be removed entirely if desired. The following options control this:
config.client
- Must be an object with get(stringKey, callback) and set(stringKey, stringValue, callback)
```javascript
// The method bodies were missing from the original; this in-memory object
// is a reconstruction that satisfies the get/set contract above. The
// (err, value) callback convention is assumed from Node style.
var store = {};
config.client = {
  get: function (key, callback) { return callback(null, store[key]); },
  set: function (key, value, callback) { store[key] = value; return callback(null); }
};
```
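The following is an added example, not code from the request-throttler package: a self-contained in-memory client in the get/set shape required above, with entries that expire after a ttl like the redis keys reset after timeToLive, and a read-modify-write counter that makes the caveat from the introduction concrete (two overlapping requests add only one to the count). The `incr` method, the `recordRequest` and `concurrentPair` helpers, and the injectable `now` clock are this example's own constructions.

```javascript
// Constructed in-memory stand-in for config.client: get/set take callbacks,
// entries expire after ttlSeconds (like redis keys reset after timeToLive),
// and `now` is injectable so expiry can be exercised deterministically.
function memoryClient(ttlSeconds, now = () => Date.now()) {
  const store = new Map();
  const put = (key, value) =>
    store.set(key, { value: String(value), expires: now() + ttlSeconds * 1000 });
  const live = (key) => {
    const e = store.get(key);
    if (!e || e.expires <= now()) { store.delete(key); return null; }
    return e.value;
  };
  return {
    get(key, cb) { return cb(null, live(key)); },
    set(key, value, cb) { put(key, value); return cb(null, 'OK'); },
    // Atomic counter in the shape of redis INCR; not part of the README's
    // required get/set contract, included only for the comparison below.
    incr(key, cb) {
      const next = (parseInt(live(key), 10) || 0) + 1;
      put(key, next);
      return cb(null, next);
    },
  };
}

// Read-modify-write with only get/set: the pattern the README's caveat is
// about. cb receives the count stored after this request.
function recordRequest(client, fingerprint, cb) {
  client.get(fingerprint, (err, raw) => {
    if (err) return cb(err);
    const next = (parseInt(raw, 10) || 0) + 1;
    client.set(fingerprint, next, (err2) => cb(err2, next));
  });
}

// Two requests whose redis round-trips overlap: both read before either
// writes, so the count grows by one, not two; an atomic incr grows it by two.
function concurrentPair(client, fingerprint, useIncr) {
  let stored = 0;
  if (useIncr) {
    client.incr(fingerprint, () => {});
    client.incr(fingerprint, (err, n) => { stored = n; });
    return stored;
  }
  const reads = [];
  for (let i = 0; i < 2; i++) client.get(fingerprint, (err, raw) => reads.push((parseInt(raw, 10) || 0) + 1));
  reads.forEach((n) => client.set(fingerprint, n, () => { stored = n; }));
  return stored;
}
```

A custom client that only offers get/set inherits the lost-update behaviour; a client that can perform the increment server-side avoids it.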
config.getFingerprint
- Generator function to get a fingerprint
```javascript
config.getFingerprint = function* () {
  // Arguments and body were not shown in the original; return the
  // fingerprint that identifies the requesting user.
};
```

config.setFingerprint
- Generator function to set a fingerprint
```javascript
config.setFingerprint = function* () {
  // Arguments and body were not shown in the original; store the
  // fingerprint and its request count.
};
```