@upstash/ratelimit 0.1.0-alpha.0 → 0.1.2

package/README.md

@@ -5,7 +5,6 @@ An HTTP/REST based Redis client built on top of Upstash REST API.
 
 [![Tests](https://github.com/upstash/ratelimit/actions/workflows/tests.yaml/badge.svg)](https://github.com/upstash/ratelimit/actions/workflows/tests.yaml)
 ![npm (scoped)](https://img.shields.io/npm/v/@upstash/ratelimit)
-![npm bundle size](https://img.shields.io/bundlephobia/minzip/@upstash/ratelimit)
 
 It is the only connectionless (HTTP based) ratelimiter and designed for:
 
@@ -17,6 +16,38 @@ It is the only connectionless (HTTP based) ratelimiter and designed for:
 - WebAssembly
 - and other environments where HTTP is preferred over TCP.
 
+<!-- toc -->
+
+- [Quick Start](#quick-start)
+  - [Install](#install)
+    - [npm](#npm)
+    - [Deno](#deno)
+  - [Create database](#create-database)
+  - [Use it](#use-it)
+  - [Block until ready](#block-until-ready)
+- [Globally replicated ratelimiting](#globally-replicated-ratelimiting)
+  - [Usage](#usage)
+  - [Example](#example)
+- [Ratelimiting algorithms](#ratelimiting-algorithms)
+  - [Fixed Window](#fixed-window)
+    - [Pros:](#pros)
+    - [Cons:](#cons)
+    - [Usage:](#usage)
+  - [Sliding Window](#sliding-window)
+    - [Pros:](#pros-1)
+    - [Cons:](#cons-1)
+    - [Usage:](#usage-1)
+  - [Token Bucket](#token-bucket)
+    - [Pros:](#pros-2)
+    - [Cons:](#cons-2)
+    - [Usage:](#usage-2)
+- [Contributing](#contributing)
+  - [Install Deno](#install-deno)
+  - [Database](#database)
+  - [Running tests](#running-tests)
+
+<!-- tocstop -->
+
 ## Quick Start
 
 ### Install
@@ -30,7 +61,7 @@ npm install @upstash/ratelimit
 #### Deno
 
 ```ts
-import { Redis } from "https://deno.land/x/upstash_ratelimit/mod.ts";
+import { Ratelimit } from "https://deno.land/x/upstash_ratelimit/mod.ts";
 ```
 
 ### Create database
@@ -96,7 +127,10 @@ export type RatelimitResponse = {
 
 In case you don't want to reject a request immediately but wait until it can be
 processed, we also provide
-`ratelimit.blockUntilReady(identifier: stirng, timeout: number): Promise<RatelimitResponse>`
+
+```ts
+ratelimit.blockUntilReady(identifier: string, timeout: number): Promise<RatelimitResponse>
+```
 
 It is very similar to the `limit` method and takes an identifier and returns the
 same response. However if the current limit has already been exceeded, it will
@@ -121,6 +155,51 @@ doExpensiveCalculation();
 return "Here you go!";
 ```
 
+## Globally replicated ratelimiting
+
+Using a single redis instance has the downside of providing low latencies to the
+part of your userbase closest to the deployed db. That's why we also built
+`GlobalRatelimit` which replicates the state across multiple redis databases as
+well as offering lower latencies to more of your users.
+
+`GlobalRatelimit` does this by checking the current limit in the closest db and
+returning immediately. Only afterwards will the state be asynchronously
+replicated to the other datbases leveraging
+[CRDTs](https://en.wikipedia.org/wiki/Conflict-free_replicated_data_type). Due
+to the nature of distributed systems, there is no way to guarantee the set
+ratelimit is not exceeded by a small margin. This is the tradeoff for reduced
+global latency.
+
+### Usage
+
+The api is the same, except for asking for multiple redis instances:
+
+```ts
+import { GlobalRatelimit } from "@upstash/ratelimit"; // for deno: see above
+import { Redis } from "@upstash/redis";
+
+// Create a new ratelimiter, that allows 10 requests per 10 seconds
+const ratelimit = new GlobalRatelimit({
+  redis: [
+    new Redis({/* auth */}),
+    new Redis({/* auth */}),
+    new Redis({/* auth */}),
+  ],
+  limiter: Ratelimit.slidingWindow(10, "10 s"),
+});
+
+// Use a constant string to limit all requests with a single ratelimit
+// Or use a userID, apiKey or ip address for individual limits.
+const identifier = "api";
+const { success } = await ratelimit.limit(identifier);
+```
+
+### Example
+
+Let's assume you have customers in the US and Europe. In this case you can
+create 2 regional redis databases on [Upastash](https://console.upstash.com) and
+your users will enjoy the latency of whichever db is closest to them.
+
 ## Ratelimiting algorithms
 
 We provide different algorithms to use out of the box. Each has pros and cons.
@@ -158,7 +237,7 @@ const ratelimit = new Ratelimit({
 
 Builds on top of fixed window but instead of a fixed window, we use a rolling
 window. Take this example: We have a rate limit of 10 requests per 1 minute. We
-dividie time into 1 minute slices, just like in the fixed window algorithm.
+divide time into 1 minute slices, just like in the fixed window algorithm.
 Window 1 will be from 00:00:00 to 00:01:00 (HH:MM:SS). Let's assume it is
 currently 00:01:15 and we have received 4 requests in the first window and 5
 requests so far in the current window. The approximation to determine if the
@@ -196,6 +275,8 @@ const ratelimit = new Ratelimit({
 
 ### Token Bucket
 
+_Not yet supported for `GlobalRatelimit`_
+
 Consider a bucket filled with `{maxTokens}` tokens that refills constantly at
 `{refillRate}` per `{interval}`. Every request will remove one token from the
 bucket and if there is no token to take, the request is rejected.

package/esm/global.js

@@ -0,0 +1,228 @@
+import { ms } from "./duration.js";
+import { Ratelimit } from "./ratelimit.js";
+/**
+ * Ratelimiter using serverless redis from https://upstash.com/
+ *
+ * @example
+ * ```ts
+ * const { limit } = new GlobalRatelimit({
+ *    redis: Redis.fromEnv(),
+ *    limiter: GlobalRatelimit.fixedWindow(
+ *      10,     // Allow 10 requests per window of 30 minutes
+ *      "30 m", // interval of 30 minutes
+ *    )
+ * })
+ *
+ * ```
+ */
+export class GlobalRatelimit extends Ratelimit {
+    /**
+     * Create a new Ratelimit instance by providing a `@upstash/redis` instance and the algorithn of your choice.
+     */
+    constructor(config) {
+        super({
+            prefix: config.prefix,
+            limiter: config.limiter,
+            ctx: { redis: config.redis },
+        });
+    }
+    /**
+     * Each requests inside a fixed time increases a counter.
+     * Once the counter reaches a maxmimum allowed number, all further requests are
+     * rejected.
+     *
+     * **Pro:**
+     *
+     * - Newer requests are not starved by old ones.
+     * - Low storage cost.
+     *
+     * **Con:**
+     *
+     * A burst of requests near the boundary of a window can result in a very
+     * high request rate because two windows will be filled with requests quickly.
+     *
+     * @param tokens - How many requests a user can make in each time window.
+     * @param window - A fixed timeframe
+     */
+    static fixedWindow(
+    /**
+     * How many requests are allowed per window.
+     */
+    tokens, 
+    /**
+     * The duration in which `tokens` requests are allowed.
+     */
+    window) {
+        const windowDuration = ms(window);
+        const script = `
+    local key     = KEYS[1]
+    local id      = ARGV[1]
+    local window  = ARGV[2]
+    
+    redis.call("SADD", key, id)
+    local members = redis.call("SMEMBERS", key)
+    if #members == 1 then
+    -- The first time this key is set, the value will be 1.
+    -- So we only need the expire command once
+      redis.call("PEXPIRE", key, window)
+    end
+    
+    return members
+`;
+        return async function (ctx, identifier) {
+            const requestID = crypto.randomUUID();
+            const bucket = Math.floor(Date.now() / windowDuration);
+            const key = [identifier, bucket].join(":");
+            const dbs = ctx.redis.map((redis) => ({
+                redis,
+                request: redis.eval(script, [key], [requestID, windowDuration]),
+            }));
+            const firstResponse = await Promise.any(dbs.map((s) => s.request));
+            const usedTokens = firstResponse.length;
+            const remaining = tokens - usedTokens - 1;
+            /**
+             * If the length between two databases does not match, we sync the two databases
+             */
+            async function sync() {
+                const individualIDs = await Promise.all(dbs.map((s) => s.request));
+                const allIDs = Array.from(new Set(individualIDs.flatMap((_) => _)).values());
+                for (const db of dbs) {
+                    const ids = await db.request;
+                    /**
+                     * If the bucket in this db is already full, it doesn't matter which ids it contains.
+                     * So we do not have to sync.
+                     */
+                    if (ids.length >= tokens) {
+                        continue;
+                    }
+                    const diff = allIDs.filter((id) => !ids.includes(id));
+                    /**
+                     * Don't waste a request if there is nothing to send
+                     */
+                    if (diff.length === 0) {
+                        continue;
+                    }
+                    await db.redis.sadd(key, ...allIDs);
+                }
+            }
+            /**
+             * Do not await sync. This should not run in the critical path.
+             */
+            sync();
+            return {
+                success: remaining > 0,
+                limit: tokens,
+                remaining,
+                reset: (bucket + 1) * windowDuration,
+            };
+        };
+    }
+    /**
+     * Combined approach of `slidingLogs` and `fixedWindow` with lower storage
+     * costs than `slidingLogs` and improved boundary behavior by calcualting a
+     * weighted score between two windows.
+     *
+     * **Pro:**
+     *
+     * Good performance allows this to scale to very high loads.
+     *
+     * **Con:**
+     *
+     * Nothing major.
+     *
+     * @param tokens - How many requests a user can make in each time window.
+     * @param window - The duration in which the user can max X requests.
+     */
+    static slidingWindow(
+    /**
+     * How many requests are allowed per window.
+     */
+    tokens, 
+    /**
+     * The duration in which `tokens` requests are allowed.
+     */
+    window) {
+        const windowSize = ms(window);
+        const script = `
+      local currentKey  = KEYS[1]           -- identifier including prefixes
+      local previousKey = KEYS[2]           -- key of the previous bucket
+      local tokens      = tonumber(ARGV[1]) -- tokens per window
+      local now         = ARGV[2]           -- current timestamp in milliseconds
+      local window      = ARGV[3]           -- interval in milliseconds
+      local requestID   = ARGV[4]           -- uuid for this request
+
+
+      local currentMembers = redis.call("SMEMBERS", currentKey)
+      local requestsInCurrentWindow = #currentMembers
+      local previousMembers = redis.call("SMEMBERS", previousKey)
+      local requestsInPreviousWindow = #previousMembers
+
+      local percentageInCurrent = ( now % window) / window
+      if requestsInPreviousWindow * ( 1 - percentageInCurrent ) + requestsInCurrentWindow >= tokens then
+        return {currentMembers, previousMembers}
+      end
+
+      redis.call("SADD", currentKey, requestID)
+      table.insert(currentMembers, requestID)
+      if requestsInCurrentWindow == 0 then 
+        -- The first time this key is set, the value will be 1.
+        -- So we only need the expire command once
+        redis.call("PEXPIRE", currentKey, window * 2 + 1000) -- Enough time to overlap with a new window + 1 second
+      end
+      return {currentMembers, previousMembers}
+      `;
+        const windowDuration = ms(window);
+        return async function (ctx, identifier) {
+            const requestID = crypto.randomUUID();
+            const now = Date.now();
+            const currentWindow = Math.floor(now / windowSize);
+            const currentKey = [identifier, currentWindow].join(":");
+            const previousWindow = currentWindow - windowSize;
+            const previousKey = [identifier, previousWindow].join(":");
+            const dbs = ctx.redis.map((redis) => ({
+                redis,
+                request: redis.eval(script, [currentKey, previousKey], [tokens, now, windowDuration, requestID]),
+            }));
+            const percentageInCurrent = (now % windowDuration) / windowDuration;
+            const [current, previous] = await Promise.any(dbs.map((s) => s.request));
+            const usedTokens = previous.length * (1 - percentageInCurrent) +
+                current.length;
+            const remaining = tokens - usedTokens;
+            /**
+             * If a database differs from the consensus, we sync it
+             */
+            async function sync() {
+                const [individualIDs] = await Promise.all(dbs.map((s) => s.request));
+                const allIDs = Array.from(new Set(individualIDs.flatMap((_) => _)).values());
+                for (const db of dbs) {
+                    const [ids] = await db.request;
+                    /**
+                     * If the bucket in this db is already full, it doesn't matter which ids it contains.
+                     * So we do not have to sync.
+                     */
+                    if (ids.length >= tokens) {
+                        continue;
+                    }
+                    const diff = allIDs.filter((id) => !ids.includes(id));
+                    /**
+                     * Don't waste a request if there is nothing to send
+                     */
+                    if (diff.length === 0) {
+                        continue;
+                    }
+                    await db.redis.sadd(currentKey, ...allIDs);
+                }
+            }
+            /**
+             * Do not await sync. This should not run in the critical path.
+             */
+            sync();
+            return {
+                success: remaining > 0,
+                limit: tokens,
+                remaining,
+                reset: (currentWindow + 1) * windowDuration,
+            };
+        };
+    }
+}

package/esm/mod.js

@@ -1,2 +1,2 @@
-export * from "./ratelimiter.js";
-export * from "./types.js";
+export { RegionRatelimit as Ratelimit } from "./region.js";
+export { GlobalRatelimit } from "./global.js";

package/esm/ratelimit.js

@@ -0,0 +1,129 @@
+/**
+ * Ratelimiter using serverless redis from https://upstash.com/
+ *
+ * @example
+ * ```ts
+ * const { limit } = new Ratelimit({
+ *    redis: Redis.fromEnv(),
+ *    limiter: Ratelimit.slidingWindow(
+ *      10,     // Allow 10 requests per window of 30 minutes
+ *      "30 m", // interval of 30 minutes
+ *    )
+ * })
+ *
+ * ```
+ */
+export class Ratelimit {
+    constructor(config) {
+        Object.defineProperty(this, "limiter", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        Object.defineProperty(this, "ctx", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        Object.defineProperty(this, "prefix", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        /**
+         * Determine if a request should pass or be rejected based on the identifier and previously chosen ratelimit.
+         *
+         * Use this if you want to reject all requests that you can not handle right now.
+         *
+         * @example
+         * ```ts
+         *  const ratelimit = new Ratelimit({
+         *    redis: Redis.fromEnv(),
+         *    limiter: Ratelimit.slidingWindow(10, "10 s")
+         *  })
+         *
+         *  const { success } = await ratelimit.limit(id)
+         *  if (!success){
+         *    return "Nope"
+         *  }
+         *  return "Yes"
+         * ```
+         */
+        Object.defineProperty(this, "limit", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: async (identifier) => {
+                const key = [this.prefix, identifier].join(":");
+                return await this.limiter(this.ctx, key);
+            }
+        });
+        /**
+         * Block until the request may pass or timeout is reached.
+         *
+         * This method returns a promsie that resolves as soon as the request may be processed
+         * or after the timeoue has been reached.
+         *
+         * Use this if you want to delay the request until it is ready to get processed.
+         *
+         * @example
+         * ```ts
+         *  const ratelimit = new Ratelimit({
+         *    redis: Redis.fromEnv(),
+         *    limiter: Ratelimit.slidingWindow(10, "10 s")
+         *  })
+         *
+         *  const { success } = await ratelimit.blockUntilReady(id, 60_000)
+         *  if (!success){
+         *    return "Nope"
+         *  }
+         *  return "Yes"
+         * ```
+         */
+        Object.defineProperty(this, "blockUntilReady", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: async (
+            /**
+             * An identifier per user or api.
+             * Choose a userID, or api token, or ip address.
+             *
+             * If you want to globally limit your api, you can set a constant string.
+             */
+            identifier, 
+            /**
+             * Maximum duration to wait in milliseconds.
+             * After this time the request will be denied.
+             */
+            timeout) => {
+                if (timeout <= 0) {
+                    throw new Error("timeout must be positive");
+                }
+                let res;
+                const deadline = Date.now() + timeout;
+                while (true) {
+                    res = await this.limit(identifier);
+                    if (res.success) {
+                        break;
+                    }
+                    if (res.reset === 0) {
+                        throw new Error("This should not happen");
+                    }
+                    const wait = Math.min(res.reset, deadline) - Date.now();
+                    await new Promise((r) => setTimeout(r, wait));
+                    if (Date.now() > deadline) {
+                        break;
+                    }
+                }
+                return res;
+            }
+        });
+        this.ctx = config.ctx;
+        this.limiter = config.limiter;
+        this.prefix = config.prefix ?? "@upstash/ratelimit";
+    }
+}

package/esm/{ratelimiter.js → region.js}

@@ -1,4 +1,5 @@
 import { ms } from "./duration.js";
+import { Ratelimit } from "./ratelimit.js";
 /**
  * Ratelimiter using serverless redis from https://upstash.com/
  *
@@ -14,121 +15,16 @@ import { ms } from "./duration.js";
  *
  * ```
  */
-export class Ratelimit {
+export class RegionRatelimit extends Ratelimit {
     /**
      * Create a new Ratelimit instance by providing a `@upstash/redis` instance and the algorithn of your choice.
      */
     constructor(config) {
-        Object.defineProperty(this, "redis", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: void 0
+        super({
+            prefix: config.prefix,
+            limiter: config.limiter,
+            ctx: { redis: config.redis },
         });
-        Object.defineProperty(this, "limiter", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: void 0
-        });
-        Object.defineProperty(this, "prefix", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: void 0
-        });
-        /**
-         * Determine if a request should pass or be rejected based on the identifier and previously chosen ratelimit.
-         *
-         * Use this if you want to reject all requests that you can not handle right now.
-         *
-         * @example
-         * ```ts
-         *  const ratelimit = new Ratelimit({
-         *    redis: Redis.fromEnv(),
-         *    limiter: Ratelimit.slidingWindow(10, "10 s")
-         *  })
-         *
-         *  const { success } = await ratelimit.limit(id)
-         *  if (!success){
-         *    return "Nope"
-         *  }
-         *  return "Yes"
-         * ```
-         */
-        Object.defineProperty(this, "limit", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: async (identifier) => {
-                const key = [this.prefix, identifier].join(":");
-                return await this.limiter({ redis: this.redis }, key);
-            }
-        });
-        /**
-         * Block until the request may pass or timeout is reached.
-         *
-         * This method returns a promsie that resolves as soon as the request may be processed
-         * or after the timeoue has been reached.
-         *
-         * Use this if you want to delay the request until it is ready to get processed.
-         *
-         * @example
-         * ```ts
-         *  const ratelimit = new Ratelimit({
-         *    redis: Redis.fromEnv(),
-         *    limiter: Ratelimit.slidingWindow(10, "10 s")
-         *  })
-         *
-         *  const { success } = await ratelimit.blockUntilReady(id, 60_000)
-         *  if (!success){
-         *    return "Nope"
-         *  }
-         *  return "Yes"
-         * ```
-         */
-        Object.defineProperty(this, "blockUntilReady", {
-            enumerable: true,
-            configurable: true,
-            writable: true,
-            value: async (
-            /**
-             * An identifier per user or api.
-             * Choose a userID, or api token, or ip address.
-             *
-             * If you want to globally limit your api, you can set a constant string.
-             */
-            identifier, 
-            /**
-             * Maximum duration to wait in milliseconds.
-             * After this time the request will be denied.
-             */
-            timeout) => {
-                if (timeout <= 0) {
-                    throw new Error("timeout must be positive");
-                }
-                let res;
-                const deadline = Date.now() + timeout;
-                while (true) {
-                    res = await this.limit(identifier);
-                    if (res.success) {
-                        break;
-                    }
-                    if (res.reset === 0) {
-                        throw new Error("This should not happen");
-                    }
-                    const wait = Math.min(res.reset, deadline) - Date.now();
-                    await new Promise((r) => setTimeout(r, wait));
-                    if (Date.now() > deadline) {
-                        break;
-                    }
-                }
-                return res;
-            }
-        });
-        this.redis = config.redis;
-        this.limiter = config.limiter;
-        this.prefix = config.prefix ?? "@upstash/ratelimit";
     }
     /**
      * Each requests inside a fixed time increases a counter.
@@ -183,54 +79,6 @@ export class Ratelimit {
             };
         };
     }
-    // /**
-    //  * For each request all past requests in the last `{window}` are summed up and
-    //  * if they exceed `{tokens}`, the request will be rejected.
-    //  *
-    //  * **Pro:**
-    //  *
-    //  * Does not have the problem of `fixedWindow` at the window boundaries.
-    //  *
-    //  * **Con:**
-    //  *
-    //  * More expensive to store and compute, which makes this unsuitable for apis
-    //  * with very high traffic.
-    //  *
-    //  * @param window - The duration in which the user can max X requests.
-    //  * @param tokens - How many requests a user can make in each time window.
-    //  */
-    // static slidingLogs(window: Duration, tokens: number): Ratelimiter {
-    //   const script = `
-    //   local key         = KEYS[1] -- identifier including prefixes
-    //   local windowStart = ARGV[1] -- timestamp of window start
-    //   local windowEnd   = ARGV[2] -- timestamp of window end
-    //   local tokens      = ARGV[3] -- tokens per window
-    //   local now         = ARGV[4] -- current timestamp
-    //   local count = redis.call("ZCOUNT", key, windowStart, windowEnd)
-    //   if count < tonumber(tokens) then
-    //     -- Log the current request
-    //     redis.call("ZADD", key, now, now)
-    //     -- Remove all previous requests that are outside the window
-    //     redis.call("ZREMRANGEBYSCORE", key, "-inf", windowStart - 1)
-    //   end
-    //   return count
-    //   `;
-    //   return async function (ctx: Context, identifier: string) {
-    //     const windowEnd = Date.now();
-    //     const windowStart = windowEnd - ms(window);
-    //     const count = (await ctx.redis.eval(
-    //       script,
-    //       [identifier],
-    //       [windowStart, windowEnd, tokens, Date.now()]
-    //     )) as number;
-    //     return {
-    //       success: count < tokens,
-    //       limit: tokens,
-    //       remaining: Math.max(0, tokens - count - 1),
-    //       reset: windowEnd,
-    //     };
-    //   };
-    // }
     /**
      * Combined approach of `slidingLogs` and `fixedWindow` with lower storage
      * costs than `slidingLogs` and improved boundary behavior by calcualting a