
Can I set multiple rate limits for the same routes with express-rate-limit?

Can I set a global rateLimit for my express server and also set a more restrictive rateLimit for some routes?

For example:

const express = require("express");
const rateLimit = require("express-rate-limit");

const app = express();

// Placeholder handler so the snippet runs as written
const routeHandler = (req, res) => res.send("ok");

const globalLimit = rateLimit({
  windowMs: 60 * 60 * 1000,        // 1 HOUR
  max: 500                         // MAX 500 REQUESTS
});

const apiLimit = rateLimit({
  windowMs: 60 * 60 * 1000,        // 1 HOUR
  max: 100                         // MAX 100 REQUESTS
});

const someRouteLimit = rateLimit({
  windowMs: 60 * 60 * 1000,        // 1 HOUR
  max: 10                          // MAX 10 REQUESTS
});


app.use("/", globalLimit);         // ALL ROUTES WILL BE LIMITED BY THE globalLimit
app.use("/api", apiLimit);         // API ROUTES WILL BE LIMITED BY THE apiLimit

app.get("/some-route", someRouteLimit, routeHandler);  // THIS ROUTE WILL BE LIMITED BY THE someRouteLimit

Will it work the way I intend? Is this normal use of the express-rate-limit package or is this an anti-pattern?

express-rate-limit is quite a popular package. So I don't think it is an anti-pattern.

Middleware can be chained.

For example, if you want to impose both someRouteLimit and apiLimit on /some-route:

app.get("/some-route", apiLimit, someRouteLimit, routeHandler)

The middleware is executed in order so you want to put the more restrictive one after the laxer one.

Express middleware hierarchy:

  1. Application-level middleware
  2. Router-level middleware

app.use("/", globalLimit) is an application-level middleware, so it will be executed before all router-level middleware, but before/after other application-level middleware depending on the order in which they are registered.

You can also group routes using routers and apply the rate limit middleware on specific routers.

In your app.js or index.js:

// Dependencies
const express = require('express')
const rateLimit = require('express-rate-limit')

// Initialize the app
const app = express()
const portNumber = process.env.PORT || 3000

const globalLimit = rateLimit({
  windowMs: 60 * 60 * 1000,        // 1 HOUR
  max: 500                         // MAX 500 REQUESTS
});

const apiLimit = rateLimit({
  windowMs: 60 * 60 * 1000,        // 1 HOUR
  max: 100                         // MAX 100 REQUESTS
});

// Application-level middleware: every request is counted against globalLimit
app.use(globalLimit)

// Load Routes
const routeOne = require('./routes/routeOne');
const routeTwo = require('./routes/routeTwo');

// Use routes
app.use('/', apiLimit, routeOne); // Impose apiLimit on this router (the limiter must come before the router, or it never runs for handled requests)
app.use('/', routeTwo);           // No router-level middleware is applied

app.listen(portNumber)

In routeOne (restricted by both globalLimit and apiLimit):

const express = require('express');
const router = express.Router();
const rateLimit = require('express-rate-limit')

// Placeholder handler so the module runs as written
const routeHandler = (req, res) => res.send('ok');

const someRouteLimit = rateLimit({
  windowMs: 60 * 60 * 1000,        // 1 HOUR
  max: 10                          // MAX 10 REQUESTS
});


// Some Route (further restricted by someRouteLimit)
router.post('/some-route', someRouteLimit, routeHandler);

module.exports = router;

In routeTwo (restricted by globalLimit but not apiLimit):

const express = require('express');
const router = express.Router();
const rateLimit = require('express-rate-limit')

// Placeholder handler so the module runs as written
const routeHandler = (req, res) => res.send('ok');

const someRouteLimit2 = rateLimit({
  windowMs: 60 * 60 * 1000,        // 1 HOUR
  max: 10                          // MAX 10 REQUESTS
});


// Some Route (further restricted by someRouteLimit2)
router.post('/some-route2', someRouteLimit2, routeHandler);

module.exports = router;

If you want to implement your middleware in a more customized manner, there are some more creative methods using regex and custom helper functions in this post.
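To make the chaining and ordering behaviour discussed in the answer concrete, here is an added, self-contained illustration. It is not code from the question, the answer or the express-rate-limit package: a hand-written fixed-window limiter stands in for rateLimit({ windowMs, max }), and a minimal stand-in for express() runs middleware in registration order. The limiter names, the sample IP addresses and the injected `req.now` clock are assumptions of this example. It shows the three-tier layout from the question (global, /api, per-route), that the strictest limiter on a route is the one that trips, that the window resets, and that a limiter mounted after a handler which already sent a response is dead code.

```javascript
// Added illustration (not from the question, the answer or express-rate-limit).
// Models Express-style middleware chaining with a fixed-window limiter standing
// in for rateLimit({ windowMs, max }).

// Fixed-window limiter keyed by client IP, like express-rate-limit's default key.
// `name` is only a label for this example; `req.now` is injected by the caller
// instead of Date.now() so runs are deterministic.
function rateLimit({ windowMs, max, name }) {
  const hits = new Map(); // ip -> { count, resetAt }
  return (req, res, next) => {
    let entry = hits.get(req.ip);
    if (!entry || req.now >= entry.resetAt) {
      entry = { count: 0, resetAt: req.now + windowMs }; // new window
      hits.set(req.ip, entry);
    }
    entry.count += 1;
    res.setHeader('RateLimit-Remaining', String(Math.max(0, max - entry.count)));
    if (entry.count > max) {
      res.status(429).send(`Too Many Requests (${name})`);
      return; // no next(): the chain stops here
    }
    next();
  };
}

// Tiny stand-in for the parts of express() used below: use() matches a path
// prefix, get() matches an exact path; handle() runs matching handlers in the
// order they were registered until one sends a response.
function createApp() {
  const layers = [];
  function matches(layer, path) {
    if (layer.exact) return path === layer.path;
    return layer.path === '/' || path === layer.path || path.startsWith(layer.path + '/');
  }
  return {
    use(path, ...fns) { layers.push({ path, exact: false, fns }); },
    get(path, ...fns) { layers.push({ path, exact: true, fns }); },
    handle(req) {
      const res = {
        statusCode: 200, headers: {}, body: null, ended: false,
        status(code) { this.statusCode = code; return this; },
        setHeader(k, v) { this.headers[k] = v; },
        send(body) { this.body = body; this.ended = true; },
      };
      const fns = layers.filter((l) => matches(l, req.path)).flatMap((l) => l.fns);
      let i = 0;
      const next = () => { if (!res.ended && i < fns.length) fns[i++](req, res, next); };
      next();
      return res;
    },
  };
}

const HOUR = 60 * 60 * 1000;
const routeHandler = (req, res) => res.send('ok');

// The layout from the question: global, /api and per-route limits.
function buildApp() {
  const app = createApp();
  app.use('/', rateLimit({ windowMs: HOUR, max: 500, name: 'global' }));
  app.use('/api', rateLimit({ windowMs: HOUR, max: 100, name: 'api' }));
  app.get('/some-route', rateLimit({ windowMs: HOUR, max: 10, name: 'some-route' }), routeHandler);
  app.get('/api/things', routeHandler);
  return app;
}

// The ordering pitfall: a limiter placed after the handler never executes,
// because the handler responds without calling next().
function buildMisorderedApp() {
  const app = createApp();
  app.use('/', routeHandler, rateLimit({ windowMs: HOUR, max: 2, name: 'never-runs' }));
  return app;
}

// Send `count` requests from one client (constructed sample IP) at `path` at a
// fixed instant and return the status codes in order.
function hammer(app, path, count, ip = '203.0.113.5', now = 1000) {
  const codes = [];
  for (let i = 0; i < count; i += 1) codes.push(app.handle({ ip, path, now }).statusCode);
  return codes;
}

if (typeof require !== 'undefined' && require.main === module) {
  const app = buildApp();
  console.log(hammer(app, '/some-route', 12).join(' '));      // ten 200s, then 429 429
  console.log(hammer(app, '/api/things', 101)[100]);          // 429: the /api limit trips
  console.log(hammer(buildMisorderedApp(), '/x', 5).join(' ')); // all 200: limiter never ran
}
```

Two points worth keeping in mind when moving from this model to the real package: every limiter ahead of the one that trips still increments its own counter, so the 429 from someRouteLimit also consumes one of the 500 global requests; and because counters are keyed by req.ip, an app behind a reverse proxy needs Express's trust proxy setting configured correctly, otherwise all clients share the proxy's address and one key.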
