Add rate limiter for api request (#454)

* Add rate limiter for api request * apply rate limit on Demo/Prod
2022-04-21 09:41:33 +08:00
parent 0b51727c4b
commit 83cdec42f7
3 changed files with 5262 additions and 202 deletions
--- a/packages/api/package.json
+++ b/packages/api/package.json
@ -49,6 +49,7 @@
    "dot-case": "^3.0.4",
    "dotenv": "^8.2.0",
    "express": "^4.17.1",
+    "express-rate-limit": "^6.3.0",
    "firebase-admin": "^10.0.2",
    "googleapis": "^100.0.0",
    "graphql": "^15.3.0",
@ -85,9 +86,6 @@
  "devDependencies": {
    "@babel/register": "^7.14.5",
    "@istanbuljs/nyc-config-typescript": "^1.0.2",
-    "@types/highlightjs": "^9.12.2",
-    "@types/nanoid": "^3.0.0",
-    "@types/private-ip": "^1.0.0",
    "@types/analytics-node": "^3.1.7",
    "@types/bcryptjs": "^2.4.2",
    "@types/chai": "^4.2.18",
@ -96,13 +94,16 @@
    "@types/cookie-parser": "^1.4.2",
    "@types/dompurify": "^2.0.4",
    "@types/express": "^4.17.7",
+    "@types/highlightjs": "^9.12.2",
    "@types/intercom-client": "^2.11.8",
    "@types/jsdom": "^16.2.3",
    "@types/jsonwebtoken": "^8.5.0",
    "@types/luxon": "^1.25.0",
    "@types/mocha": "^8.2.2",
+    "@types/nanoid": "^3.0.0",
    "@types/nodemailer": "^6.4.4",
    "@types/oauth": "^0.9.1",
+    "@types/private-ip": "^1.0.0",
    "@types/sanitize-html": "^1.27.1",
    "@types/supertest": "^2.0.11",
    "@types/urlsafe-base64": "^1.0.28",
--- a/packages/api/src/server.ts
+++ b/packages/api/src/server.ts
@ -41,6 +41,7 @@ import { pdfAttachmentsRouter } from './routers/svc/pdf_attachments'
 import { corsConfig } from './utils/corsConfig'
 import { initElasticsearch } from './elastic'
 import { uploadServiceRouter } from './routers/svc/upload'
+import rateLimit from 'express-rate-limit'

 const PORT = process.env.PORT || 4000

@ -88,6 +89,17 @@ export const createApp = (): {
  app.use(json({ limit: '100mb' }))
  app.use(urlencoded({ limit: '100mb', extended: true }))

+  if (!env.dev.isLocal) {
+    const apiLimiter = rateLimit({
+      windowMs: 60 * 1000, // 1 minute
+      max: 10, // Limit each IP to 10 requests per `window` (here, per minute)
+      standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+      legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+    })
+    // Apply the rate limiting middleware to API calls only
+    app.use('/api/', apiLimiter)
+  }
+
  // respond healthy to auto-scaler.
  app.get('/_ah/health', (req, res) => res.sendStatus(200))

--- a/yarn.lock
+++ b/yarn.lock