Merge pull request #4647 from withspectrum/node-rate-limits

Add request-level rate limiting

Author: mxstbr

api/index.js

@@ -17,6 +17,7 @@ import { init as initPassport } from './authentication.js';
 import apolloServer from './apollo-server';
 import { corsOptions } from 'shared/middlewares/cors';
 import errorHandler from 'shared/middlewares/error-handler';
+import rateLimiter from 'shared/middlewares/rate-limiter';
 import middlewares from './routes/middlewares';
 import authRoutes from './routes/auth';
 import apiRoutes from './routes/api';
@@ -43,6 +44,13 @@ app.use(statsd);
 // Trust the now proxy
 app.set('trust proxy', true);
 app.use(toobusy);
+// Allow bursts of up to 40 req for initial page loads, but block more than 40 / 10s
+app.use(
+  rateLimiter({
+    max: 40,
+    duration: '10s',
+  })
+);
 
 // Security middleware.
 addSecurityMiddleware(app, { enableNonce: false, enableCSP: false });

api/package.json

@@ -92,6 +92,7 @@
     "pre-commit": "^1.2.2",
     "prismjs": "^1.15.0",
     "query-string": "5.1.1",
+    "ratelimiter": "^3.2.0",
     "raven": "^2.6.4",
     "react": "^15.4.1",
     "react-app-rewire-styled-components": "^3.0.2",

api/yarn.lock

@@ -7791,6 +7791,11 @@ range-parser@~1.2.0:
   resolved "https://registry.yarnpkg.com/range-parser/-/range-parser-1.2.0.tgz#f49be6b487894ddc40dcc94a322f611092e00d5e"
   integrity sha1-9JvmtIeJTdxA3MlKMi9hEJLgDV4=
 
+ratelimiter@^3.2.0:
+  version "3.2.0"
+  resolved "https://registry.yarnpkg.com/ratelimiter/-/ratelimiter-3.2.0.tgz#ae74cf9629daae4cc8900ec126ab28d3794070f1"
+  integrity sha512-zMc9X4FNmOk3RBxV95lvp13sZRtf43UJJN1FficbYiusBB09zB6gcJtK2X18dKmH+Gq0C7W6qNCHE+UJx0YwVg==
+
 raven@^2.6.4:
   version "2.6.4"
   resolved "https://registry.yarnpkg.com/raven/-/raven-2.6.4.tgz#458d4a380c8fbb59e0150c655625aaf60c167ea3"

flow-typed/npm/ratelimiter_vx.x.x.js

@@ -0,0 +1,45 @@
+// flow-typed signature: cfa8ede682b6042c752a254287cdd11e
+// flow-typed version: <<STUB>>/ratelimiter_vx.x.x/flow_v0.66.0
+
+/**
+ * This is an autogenerated libdef stub for:
+ *
+ *   'ratelimiter'
+ *
+ * Fill this stub out by replacing all the `any` types.
+ *
+ * Once filled out, we encourage you to share your work with the
+ * community by sending a pull request to:
+ * https://github.com/flowtype/flow-typed
+ */
+
+declare module 'ratelimiter' {
+  declare module.exports: any;
+}
+
+/**
+ * We include stubs for each file inside this npm package in case you need to
+ * require those files directly. Feel free to delete any files that aren't
+ * needed.
+ */
+declare module 'ratelimiter/microtime' {
+  declare module.exports: any;
+}
+
+declare module 'ratelimiter/test/index' {
+  declare module.exports: any;
+}
+
+// Filename aliases
+declare module 'ratelimiter/index' {
+  declare module.exports: $Exports<'ratelimiter'>;
+}
+declare module 'ratelimiter/index.js' {
+  declare module.exports: $Exports<'ratelimiter'>;
+}
+declare module 'ratelimiter/microtime.js' {
+  declare module.exports: $Exports<'ratelimiter/microtime'>;
+}
+declare module 'ratelimiter/test/index.js' {
+  declare module.exports: $Exports<'ratelimiter/test/index'>;
+}

hyperion/index.js

@@ -14,6 +14,7 @@ import path from 'path';
 import { getUserById } from 'shared/db/queries/user';
 import Raven from 'shared/raven';
 import toobusy from 'shared/middlewares/toobusy';
+import rateLimiter from 'shared/middlewares/rate-limiter';
 import addSecurityMiddleware from 'shared/middlewares/security';
 
 const PORT = process.env.PORT || 3006;
@@ -28,6 +29,12 @@ app.use(statsd);
 app.set('trust proxy', true);
 
 app.use(toobusy);
+app.use(
+  rateLimiter({
+    max: 5,
+    duration: '20s',
+  })
+);
 
 // Security middleware.
 addSecurityMiddleware(app, { enableNonce: true, enableCSP: true });

package.json

@@ -149,6 +149,7 @@
     "prismjs": "^1.15.0",
     "query-string": "5.1.1",
     "raf": "^3.4.0",
+    "ratelimiter": "^3.2.0",
     "raven": "^2.6.4",
     "react": "^16.7.0-alpha.2",
     "react-apollo": "^2.3.2",
@@ -220,7 +221,7 @@
     "start:analytics": "cross-env NODE_ENV=production node build-analytics/main.js",
     "start:api": "cross-env NODE_ENV=production node build-api/main.js",
     "dev:web": "cross-env NODE_PATH=./ react-app-rewired start",
-    "dev:api": "cross-env FILE_STORAGE=local cross-env NODE_PATH=./ cross-env NODE_ENV=development cross-env DEBUG=build*,api*,shared:rethinkdb:db-query-cache,-api:resolvers cross-env DIR=api backpack",
+    "dev:api": "cross-env FILE_STORAGE=local cross-env NODE_PATH=./ cross-env NODE_ENV=development cross-env DEBUG=build*,api*,shared:rethinkdb:db-query-cache,-api:resolvers,shared:middlewares:ratelimiter cross-env DIR=api backpack",
     "dev:api:s3": "cross-env FILE_STORAGE=s3 cross-env NODE_PATH=./ cross-env NODE_ENV=development cross-env DEBUG=build*,api*,shared:rethinkdb:db-query-cache,-api:resolvers cross-env DIR=api backpack",
     "dev:athena": "cross-env NODE_PATH=./ cross-env NODE_ENV=development cross-env DEBUG=build*,athena*,shared:middlewares*,-athena:resolvers cross-env DIR=athena backpack",
     "dev:hermes": "cross-env NODE_PATH=./ cross-env NODE_ENV=development cross-env DEBUG=build*,hermes*,shared:middlewares*,-hermes:resolvers cross-env DIR=hermes backpack",

shared/middlewares/rate-limiter.js

@@ -0,0 +1,59 @@
+// @flow
+const debug = require('debug')('shared:middlewares:ratelimiter');
+import requestIp from 'request-ip';
+import ms from 'ms';
+import Limiter from 'ratelimiter';
+import createRedis from '../bull/create-redis';
+import Raven from 'shared/raven';
+
+const server = process.env.SENTRY_NAME || 'unnamed';
+const redis = createRedis({
+  keyPrefix: 'request-rate-limit:',
+});
+
+const rateLimiter = ({ max, duration }: { max: number, duration: string }) => {
+  return (
+    req: express$Request,
+    res: express$Response,
+    next: express$NextFunction
+  ) => {
+    // if user is logged in than use their id, otherwise use their ip address
+    const id =
+      req.user && req.user.id ? req.user.id : requestIp.getClientIp(req);
+    const limiter = new Limiter({
+      // $FlowIssue
+      id: `${server}:${id}`,
+      db: redis,
+      max,
+      duration: ms(duration),
+    });
+
+    limiter.get(function(err, limit) {
+      if (err) return next(err);
+
+      const remaining = limit.remaining - 1;
+      res.set('X-RateLimit-Limit', String(limit.total));
+      res.set('X-RateLimit-Remaining', String(remaining));
+      res.set('X-RateLimit-Reset', String(limit.reset));
+
+      const after = (limit.reset - Date.now() / 1000) | 0;
+      const remainingTime = ms(after * 1000, { long: true });
+      debug(
+        '%s of %s requests remaining in the next %s, userId: %s',
+        remaining,
+        limit.total,
+        remainingTime,
+        id
+      );
+      if (limit.remaining) return next();
+
+      const delta = (limit.reset * 1000 - Date.now()) | 0;
+      res.set('Retry-After', String(after));
+      res
+        .status(429)
+        .send('Rate limit exceeded, retry in ' + ms(delta, { long: true }));
+    });
+  };
+};
+
+export default rateLimiter;

yarn.lock

@@ -11773,6 +11773,11 @@ range-parser@^1.0.3, range-parser@~1.2.0:
   resolved "https://registry.yarnpkg.com/range-parser/-/range-parser-1.2.0.tgz#f49be6b487894ddc40dcc94a322f611092e00d5e"
   integrity sha1-9JvmtIeJTdxA3MlKMi9hEJLgDV4=
 
+ratelimiter@^3.2.0:
+  version "3.2.0"
+  resolved "https://registry.yarnpkg.com/ratelimiter/-/ratelimiter-3.2.0.tgz#ae74cf9629daae4cc8900ec126ab28d3794070f1"
+  integrity sha512-zMc9X4FNmOk3RBxV95lvp13sZRtf43UJJN1FficbYiusBB09zB6gcJtK2X18dKmH+Gq0C7W6qNCHE+UJx0YwVg==
+
 raven@^2.6.4:
   version "2.6.4"
   resolved "https://registry.yarnpkg.com/raven/-/raven-2.6.4.tgz#458d4a380c8fbb59e0150c655625aaf60c167ea3"