add rate limiter on node server level

2026-02-06 09:56:05 +00:00 · 2024-01-22 14:11:40 +01:00 · 2024-01-22 14:11:40 +01:00 · 3e51511b2a
commit 3e51511b2a
parent 842008c871
9 changed files with 96 additions and 0 deletions
--- a/backend/package.json
+++ b/backend/package.json
@ -29,6 +29,7 @@
    "dotenv": "^10.0.0",
    "email-templates": "^10.0.1",
    "express": "^4.17.1",
+    "express-slow-down": "^2.0.1",
    "gradido-database": "file:../database",
    "graphql": "^15.5.1",
    "graphql-request": "5.0.0",
--- a/backend/src/server/createServer.ts
+++ b/backend/src/server/createServer.ts
@ -4,6 +4,7 @@
 import { Connection as DbConnection } from '@dbTools/typeorm'
 import { ApolloServer } from 'apollo-server-express'
 import express, { Express, json, urlencoded } from 'express'
+import { slowDown } from 'express-slow-down'
 import helmet from 'helmet'
 import { Logger } from 'log4js'

@ -61,6 +62,24 @@ export const createServer = async (
  // eslint-disable-next-line @typescript-eslint/no-unsafe-call
  app.use(helmet())

+  // rate limiter/ slow down to many requests
+  const limiter = slowDown({
+    windowMs: 1000, // 1 second
+    delayAfter: 10, // Allow 10 requests per 1 second.
+    delayMs: (hits) => hits * 50, // Add 100 ms of delay to every request after the 10th one.
+    /**
+     * So:
+     *
+     * - requests 1-10 are not delayed.
+     * - request 11 is delayed by 550ms
+     * - request 12 is delayed by 600ms
+     * - request 13 is delayed by 650ms
+     *
+     * and so on. After 1 seconds, the delay is reset to 0.
+     */
+  })
+  app.use(limiter)
+
  // bodyparser json
  app.use(json())
  // bodyparser urlencoded for elopage
--- a/backend/yarn.lock
+++ b/backend/yarn.lock
@ -3225,6 +3225,18 @@ expect@^27.2.5:
    jest-message-util "^27.2.5"
    jest-regex-util "^27.0.6"

+express-rate-limit@7:
+  version "7.1.5"
+  resolved "https://registry.yarnpkg.com/express-rate-limit/-/express-rate-limit-7.1.5.tgz#af4c81143a945ea97f2599d13957440a0ddbfcfe"
+  integrity sha512-/iVogxu7ueadrepw1bS0X0kaRC/U0afwiYRSLg68Ts+p4Dc85Q5QKsOnPS/QUjPMHvOJQtBDrZgvkOzf8ejUYw==
+
+express-slow-down@^2.0.1:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/express-slow-down/-/express-slow-down-2.0.1.tgz#60c4515467314675d89c54ec608e2d586aa30f87"
+  integrity sha512-zRogSZhNXJYKDBekhgFfFXGrOngH7Fub7Mx2g8OQ4RUBwSJP/3TVEKMgSGR/WlneT0mJ6NBUnidHhIELGVPe3w==
+  dependencies:
+    express-rate-limit "7"
+
 express@^4.17.1:
  version "4.17.1"
  resolved "https://registry.yarnpkg.com/express/-/express-4.17.1.tgz#4491fc38605cf51f8629d39c2b5d026f98a4c134"
--- a/dlt-connector/package.json
+++ b/dlt-connector/package.json
@ -29,6 +29,7 @@
    "dlt-database": "file:../dlt-database",
    "dotenv": "10.0.0",
    "express": "4.17.1",
+    "express-slow-down": "^2.0.1",
    "graphql": "^16.7.1",
    "graphql-scalars": "^1.22.2",
    "helmet": "^7.1.0",
--- a/dlt-connector/src/server/createServer.ts
+++ b/dlt-connector/src/server/createServer.ts
@ -6,6 +6,7 @@ import bodyParser from 'body-parser'
 import cors from 'cors'
 import express, { Express } from 'express'
 // graphql
+import { slowDown } from 'express-slow-down'
 import helmet from 'helmet'
 import { Logger } from 'log4js'

@ -44,6 +45,24 @@ const createServer = async (
  // Helmet helps secure Express apps by setting HTTP response headers.
  app.use(helmet())

+  // rate limiter/ slow down to many requests
+  const limiter = slowDown({
+    windowMs: 1000, // 1 second
+    delayAfter: 10, // Allow 10 requests per 1 second.
+    delayMs: (hits) => hits * 50, // Add 100 ms of delay to every request after the 10th one.
+    /**
+     * So:
+     *
+     * - requests 1-10 are not delayed.
+     * - request 11 is delayed by 550ms
+     * - request 12 is delayed by 600ms
+     * - request 13 is delayed by 650ms
+     *
+     * and so on. After 1 seconds, the delay is reset to 0.
+     */
+  })
+  app.use(limiter)
+
  await apollo.start()
  app.use(
    '/',
--- a/dlt-connector/yarn.lock
+++ b/dlt-connector/yarn.lock
@ -2833,6 +2833,18 @@ expect@^27.5.1:
    jest-matcher-utils "^27.5.1"
    jest-message-util "^27.5.1"

+express-rate-limit@7:
+  version "7.1.5"
+  resolved "https://registry.yarnpkg.com/express-rate-limit/-/express-rate-limit-7.1.5.tgz#af4c81143a945ea97f2599d13957440a0ddbfcfe"
+  integrity sha512-/iVogxu7ueadrepw1bS0X0kaRC/U0afwiYRSLg68Ts+p4Dc85Q5QKsOnPS/QUjPMHvOJQtBDrZgvkOzf8ejUYw==
+
+express-slow-down@^2.0.1:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/express-slow-down/-/express-slow-down-2.0.1.tgz#60c4515467314675d89c54ec608e2d586aa30f87"
+  integrity sha512-zRogSZhNXJYKDBekhgFfFXGrOngH7Fub7Mx2g8OQ4RUBwSJP/3TVEKMgSGR/WlneT0mJ6NBUnidHhIELGVPe3w==
+  dependencies:
+    express-rate-limit "7"
+
 express@4.17.1:
  version "4.17.1"
  resolved "https://registry.yarnpkg.com/express/-/express-4.17.1.tgz#4491fc38605cf51f8629d39c2b5d026f98a4c134"
--- a/federation/package.json
+++ b/federation/package.json
@ -24,6 +24,7 @@
    "decimal.js-light": "^2.5.1",
    "dotenv": "10.0.0",
    "express": "4.17.1",
+    "express-slow-down": "^2.0.1",
    "graphql": "15.5.1",
    "graphql-request": "5.0.0",
    "helmet": "^7.1.0",
--- a/federation/src/server/createServer.ts
+++ b/federation/src/server/createServer.ts
@ -25,6 +25,7 @@ import { Connection } from '@dbTools/typeorm'
 import { apolloLogger } from './logger'
 import { Logger } from 'log4js'
 import helmet from 'helmet'
+import { slowDown } from 'express-slow-down'

 // i18n
 // import { i18n } from './localization'
@ -66,6 +67,24 @@ export const createServer = async (
  // Helmet helps secure Express apps by setting HTTP response headers.
  app.use(helmet())

+  // rate limiter/ slow down to many requests
+  const limiter = slowDown({
+    windowMs: 1000, // 1 second
+    delayAfter: 10, // Allow 10 requests per 1 second.
+    delayMs: (hits) => hits * 50, // Add 100 ms of delay to every request after the 10th one.
+    /**
+     * So:
+     *
+     * - requests 1-10 are not delayed.
+     * - request 11 is delayed by 550ms
+     * - request 12 is delayed by 600ms
+     * - request 13 is delayed by 650ms
+     *
+     * and so on. After 1 seconds, the delay is reset to 0.
+     */
+  })
+  app.use(limiter)
+
  // bodyparser json
  app.use(express.json())
  // bodyparser urlencoded for elopage
--- a/federation/yarn.lock
+++ b/federation/yarn.lock
@ -2624,6 +2624,18 @@ expect@^27.5.1:
    jest-matcher-utils "^27.5.1"
    jest-message-util "^27.5.1"

+express-rate-limit@7:
+  version "7.1.5"
+  resolved "https://registry.yarnpkg.com/express-rate-limit/-/express-rate-limit-7.1.5.tgz#af4c81143a945ea97f2599d13957440a0ddbfcfe"
+  integrity sha512-/iVogxu7ueadrepw1bS0X0kaRC/U0afwiYRSLg68Ts+p4Dc85Q5QKsOnPS/QUjPMHvOJQtBDrZgvkOzf8ejUYw==
+
+express-slow-down@^2.0.1:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/express-slow-down/-/express-slow-down-2.0.1.tgz#60c4515467314675d89c54ec608e2d586aa30f87"
+  integrity sha512-zRogSZhNXJYKDBekhgFfFXGrOngH7Fub7Mx2g8OQ4RUBwSJP/3TVEKMgSGR/WlneT0mJ6NBUnidHhIELGVPe3w==
+  dependencies:
+    express-rate-limit "7"
+
 express@4.17.1:
  version "4.17.1"
  resolved "https://registry.yarnpkg.com/express/-/express-4.17.1.tgz#4491fc38605cf51f8629d39c2b5d026f98a4c134"