express-rate-limit 6.0.0 → 6.0.4

package/dist/index.mjs

@@ -0,0 +1,198 @@
+// source/memory-store.ts
+var calculateNextResetTime = (windowMs) => {
+  const resetTime = new Date();
+  resetTime.setMilliseconds(resetTime.getMilliseconds() + windowMs);
+  return resetTime;
+};
+var MemoryStore = class {
+  init(options) {
+    this.windowMs = options.windowMs;
+    this.resetTime = calculateNextResetTime(this.windowMs);
+    this.hits = {};
+    const interval = setInterval(async () => {
+      await this.resetAll();
+    }, this.windowMs);
+    if (interval.unref) {
+      interval.unref();
+    }
+  }
+  async increment(key) {
+    const totalHits = (this.hits[key] ?? 0) + 1;
+    this.hits[key] = totalHits;
+    return {
+      totalHits,
+      resetTime: this.resetTime
+    };
+  }
+  async decrement(key) {
+    const current = this.hits[key];
+    if (current) {
+      this.hits[key] = current - 1;
+    }
+  }
+  async resetKey(key) {
+    delete this.hits[key];
+  }
+  async resetAll() {
+    this.hits = {};
+    this.resetTime = calculateNextResetTime(this.windowMs);
+  }
+};
+
+// source/lib.ts
+var isLegacyStore = (store) => typeof store.incr === "function" && typeof store.increment !== "function";
+var promisifyStore = (passedStore) => {
+  if (!isLegacyStore(passedStore)) {
+    return passedStore;
+  }
+  const legacyStore = passedStore;
+  class PromisifiedStore {
+    async increment(key) {
+      return new Promise((resolve, reject) => {
+        legacyStore.incr(key, (error, totalHits, resetTime) => {
+          if (error)
+            reject(error);
+          resolve({ totalHits, resetTime });
+        });
+      });
+    }
+    async decrement(key) {
+      return Promise.resolve(legacyStore.decrement(key));
+    }
+    async resetKey(key) {
+      return Promise.resolve(legacyStore.resetKey(key));
+    }
+    async resetAll() {
+      if (typeof legacyStore.resetAll === "function")
+        return Promise.resolve(legacyStore.resetAll());
+    }
+  }
+  return new PromisifiedStore();
+};
+var parseOptions = (passedOptions) => {
+  const options = {
+    windowMs: 60 * 1e3,
+    store: new MemoryStore(),
+    max: 5,
+    message: "Too many requests, please try again later.",
+    statusCode: 429,
+    legacyHeaders: passedOptions.headers ?? true,
+    standardHeaders: passedOptions.draft_polli_ratelimit_headers ?? false,
+    requestPropertyName: "rateLimit",
+    skipFailedRequests: false,
+    skipSuccessfulRequests: false,
+    requestWasSuccessful: (_request, response) => response.statusCode < 400,
+    skip: (_request, _response) => false,
+    keyGenerator: (request, _response) => {
+      if (!request.ip) {
+        console.error("WARN | `express-rate-limit` | `request.ip` is undefined. You can avoid this by providing a custom `keyGenerator` function, but it may be indicative of a larger issue.");
+      }
+      return request.ip;
+    },
+    handler: (_request, response, _next, _optionsUsed) => {
+      response.status(options.statusCode).send(options.message);
+    },
+    onLimitReached: (_request, _response, _optionsUsed) => {
+    },
+    ...passedOptions
+  };
+  if (typeof options.store.incr !== "function" && typeof options.store.increment !== "function" || typeof options.store.decrement !== "function" || typeof options.store.resetKey !== "function" || typeof options.store.resetAll !== "undefined" && typeof options.store.resetAll !== "function" || typeof options.store.init !== "undefined" && typeof options.store.init !== "function") {
+    throw new TypeError("An invalid store was passed. Please ensure that the store is a class that implements the `Store` interface.");
+  }
+  options.store = promisifyStore(options.store);
+  return options;
+};
+var handleAsyncErrors = (fn) => async (request, response, next) => {
+  try {
+    await Promise.resolve(fn(request, response, next)).catch(next);
+  } catch (error) {
+    next(error);
+  }
+};
+var rateLimit = (passedOptions) => {
+  const options = parseOptions(passedOptions ?? {});
+  if (typeof options.store.init === "function")
+    options.store.init(options);
+  const middleware = handleAsyncErrors(async (request, response, next) => {
+    const skip = await options.skip(request, response);
+    if (skip) {
+      next();
+      return;
+    }
+    const augmentedRequest = request;
+    const key = await options.keyGenerator(request, response);
+    const { totalHits, resetTime } = await options.store.increment(key);
+    const retrieveQuota = typeof options.max === "function" ? options.max(request, response) : options.max;
+    const maxHits = await retrieveQuota;
+    augmentedRequest[options.requestPropertyName] = {
+      limit: maxHits,
+      current: totalHits,
+      remaining: Math.max(maxHits - totalHits, 0),
+      resetTime
+    };
+    if (options.legacyHeaders && !response.headersSent) {
+      response.setHeader("X-RateLimit-Limit", maxHits);
+      response.setHeader("X-RateLimit-Remaining", augmentedRequest[options.requestPropertyName].remaining);
+      if (resetTime instanceof Date) {
+        response.setHeader("Date", new Date().toUTCString());
+        response.setHeader("X-RateLimit-Reset", Math.ceil(resetTime.getTime() / 1e3));
+      }
+    }
+    if (options.standardHeaders && !response.headersSent) {
+      response.setHeader("RateLimit-Limit", maxHits);
+      response.setHeader("RateLimit-Remaining", augmentedRequest[options.requestPropertyName].remaining);
+      if (resetTime) {
+        const deltaSeconds = Math.ceil((resetTime.getTime() - Date.now()) / 1e3);
+        response.setHeader("RateLimit-Reset", Math.max(0, deltaSeconds));
+      }
+    }
+    if (options.skipFailedRequests || options.skipSuccessfulRequests) {
+      let decremented = false;
+      const decrementKey = async () => {
+        if (!decremented) {
+          await options.store.decrement(key);
+          decremented = true;
+        }
+      };
+      if (options.skipFailedRequests) {
+        response.on("finish", async () => {
+          if (!options.requestWasSuccessful(request, response))
+            await decrementKey();
+        });
+        response.on("close", async () => {
+          if (!response.writableEnded)
+            await decrementKey();
+        });
+        response.on("error", async () => {
+          await decrementKey();
+        });
+      }
+      if (options.skipSuccessfulRequests) {
+        response.on("finish", async () => {
+          if (options.requestWasSuccessful(request, response))
+            await decrementKey();
+        });
+      }
+    }
+    if (maxHits && totalHits === maxHits + 1) {
+      options.onLimitReached(request, response, options);
+    }
+    if (maxHits && totalHits > maxHits) {
+      if ((options.legacyHeaders || options.standardHeaders) && !response.headersSent) {
+        response.setHeader("Retry-After", Math.ceil(options.windowMs / 1e3));
+      }
+      options.handler(request, response, next, options);
+      return;
+    }
+    next();
+  });
+  middleware.resetKey = options.store.resetKey.bind(options.store);
+  return middleware;
+};
+var lib_default = rateLimit;
+
+// source/index.ts
+var source_default = lib_default;
+export {
+  source_default as default
+};

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "express-rate-limit",
-	"version": "6.0.0",
+	"version": "6.0.4",
 	"description": "Basic IP rate-limiting middleware for Express. Use to limit repeated requests to public APIs and/or endpoints such as password reset.",
 	"author": {
 		"name": "Nathan Friedly",
@@ -28,53 +28,43 @@
 		"attack"
 	],
 	"type": "module",
-	"module": "dist/esm/index.js",
-	"main": "dist/cjs/index.js",
 	"exports": {
 		".": {
-			"import": "./dist/esm/index.js",
-			"require": "./dist/cjs/index.js"
-		},
-		"./memory-store": {
-			"import": "./dist/esm/memory-store.js",
-			"require": "./dist/cjs/memory-store.js"
-		}
-	},
-	"typesVersions": {
-		"*": {
-			".": [
-				"./dist/esm/index.d.ts"
-			],
-			"./memory-store": [
-				"./dist/esm/memory-store.d.ts"
-			]
+			"import": "./dist/index.mjs",
+			"require": "./dist/index.cjs"
 		}
 	},
+	"main": "./dist/index.cjs",
+	"module": "./dist/index.mjs",
+	"types": "./dist/index.d.ts",
 	"files": [
 		"dist/",
 		"tsconfig.json",
 		"package.json",
-		"package-lock.json",
 		"readme.md",
 		"license.md",
 		"changelog.md"
 	],
 	"engines": {
-		"node": ">= 12.9.0"
+		"node": ">= 14.5.0"
 	},
 	"scripts": {
 		"clean": "del-cli dist/ coverage/ *.log *.tmp *.bak *.tgz",
-		"build:cjs": "tsc --project config/typescript/cjs.json",
-		"build:esm": "tsc --project config/typescript/esm.json",
-		"build": "run-p build:*",
-		"compile": "run-s clean build",
-		"lint": "xo",
-		"autofix": "xo --fix",
-		"test-lib": "cross-env TS_NODE_PROJECT=config/typescript/test.json NODE_OPTIONS=--experimental-vm-modules jest",
-		"test": "run-s compile lint test-lib",
-		"view-coverage": "npx serve coverage/lcov-report",
+		"build:cjs": "esbuild --bundle --format=cjs --outfile=dist/index.cjs --footer:js=\"module.exports = rateLimit;\" source/index.ts",
+		"build:esm": "esbuild --bundle --format=esm --outfile=dist/index.mjs source/index.ts",
+		"build:types": "dts-bundle-generator --out-file=dist/index.d.ts source/index.ts",
+		"compile": "run-s clean build:*",
+		"lint:code": "xo --ignore test/external/",
+		"lint:rest": "prettier --ignore-path .gitignore --ignore-unknown --check .",
+		"lint": "run-s lint:*",
+		"autofix:code": "xo --ignore test/external/ --fix",
+		"autofix:rest": "prettier --ignore-path .gitignore --ignore-unknown --write .",
+		"autofix": "run-s autofix:*",
+		"test:lib": "cross-env NODE_OPTIONS=--experimental-vm-modules jest",
+		"test:ext": "npm pack && cd test/external/ && bash run-all-tests",
+		"test": "run-s lint test:*",
 		"pre-commit": "lint-staged",
-		"prepare": "npm run compile && husky install config/husky"
+		"prepare": "run-s compile && husky install config/husky"
 	},
 	"peerDependencies": {
 		"express": "^4"
@@ -87,6 +77,8 @@
 		"@types/supertest": "^2.0.11",
 		"cross-env": "^7.0.3",
 		"del-cli": "^4.0.1",
+		"dts-bundle-generator": "^6.2.0",
+		"esbuild": "^0.14.8",
 		"express": "^4.17.1",
 		"husky": "^7.0.4",
 		"jest": "^27.4.3",
@@ -107,9 +99,7 @@
 			"@typescript-eslint/consistent-indexed-object-style": [
 				"error",
 				"index-signature"
-			],
-			"import/no-named-as-default-member": 0,
-			"import/no-cycle": 0
+			]
 		}
 	},
 	"prettier": {
@@ -134,7 +124,7 @@
 		],
 		"testTimeout": 30000,
 		"testMatch": [
-			"**/test/**/*-test.[jt]s?(x)"
+			"**/test/library/**/*-test.[jt]s?(x)"
 		],
 		"moduleFileExtensions": [
 			"js",
@@ -148,7 +138,7 @@
 		}
 	},
 	"lint-staged": {
-		"{source,test}/**/*.ts": "xo --fix",
-		"**/*.{json,yaml,md}": "prettier --write"
+		"{source,test}/**/*.ts": "xo --ignore test/external/ --fix",
+		"**/*.{json,yaml,md}": "prettier --ignore-path .gitignore --ignore-unknown --write "
 	}
 }

package/readme.md

@@ -12,11 +12,11 @@ public APIs and/or endpoints such as password reset. Plays nice with
 
 </div>
 
-### Alternate Rate-limiters
+### Alternate Rate Limiters
 
-> This module does not share state with other processes/servers by
-> default. If you need a more robust solution, I recommend using an external
-> store. See the [`stores` section](#store) below for a list of external stores.
+> This module does not share state with other processes/servers by default. If
+> you need a more robust solution, I recommend using an external store. See the
+> [`stores` section](#store) below for a list of external stores.
 
 This module was designed to only handle the basics and didn't even support
 external stores initially. These other options all are excellent pieces of
@@ -26,7 +26,7 @@ software and may be more appropriate for some situations:
 - [express-brute](https://www.npmjs.com/package/express-brute)
 - [rate-limiter](https://www.npmjs.com/package/express-limiter)
 
-## Install
+## Installation
 
 From the npm registry:
 
@@ -51,19 +51,64 @@ Replace `{version}` with the version of the package that you want to your, e.g.:
 
 ## Usage
 
-This library is provided in ESM as well as CJS forms. To import it in a CJS
-project:
+### Importing
+
+This library is provided in ESM as well as CJS forms, and works with both
+Javascript and Typescript projects.
+
+**This package requires you to use Node 14 or above.**
+
+#### Javascript
+
+Import it in a CommonJS project as follows:
 
 ```ts
 const rateLimit = require('express-rate-limit')
 ```
 
-To import it in a Typescript/ESM project:
+Import it in a ESM project as follows:
 
 ```ts
 import rateLimit from 'express-rate-limit'
 ```
 
+#### Typescript
+
+If you are using this library in a Typescript project that outputs CommonJS (no
+`type: module` in `package.json` and `module: commonjs` in `tsconfig.json`), set
+`esModuleInterop` to `true` in the `compilerOptions` of your `tsconfig.json` and
+then import it as follows:
+
+```ts
+import rateLimit from 'express-rate-limit'
+```
+
+If you cannot set `esModuleInterop` to true, import it as follows instead:
+
+```ts
+const rateLimit = require('express-rate-limit')
+```
+
+And use the following to import any types if you need to:
+
+```ts
+import { Store, IncrementResponse, ... } from 'express-rate-limit'
+```
+
+If you are using this library in a Typescript project that outputs ESM
+(`type: module` in `package.json` and `module: esnext` in `tsconfig.json`),
+import it as follows:
+
+```ts
+import rateLimit from 'express-rate-limit'
+```
+
+And use the following to import any types if you need to:
+
+```ts
+import rateLimit, { Store, IncrementResponse, ... } from 'express-rate-limit'
+```
+
 ### Examples
 
 To use it in an API-only server where the rate-limiter should be applied to all
@@ -72,10 +117,6 @@ requests:
 ```ts
 import rateLimit from 'express-rate-limit'
 
-// Enable if you're behind a reverse proxy (Heroku, Bluemix, AWS ELB, Nginx, etc)
-// see https://expressjs.com/en/guide/behind-proxies.html
-// app.set('trust proxy', 1);
-
 const limiter = rateLimit({
 	windowMs: 15 * 60 * 1000, // 15 minutes
 	max: 100, // Limit each IP to 100 requests per `window` (here, per 15 minutes)
@@ -94,10 +135,6 @@ requests:
 ```ts
 import rateLimit from 'express-rate-limit'
 
-// Enable if you're behind a reverse proxy (Heroku, Bluemix, AWS ELB, Nginx, etc)
-// see https://expressjs.com/en/guide/behind-proxies.html
-// app.set('trust proxy', 1);
-
 const apiLimiter = rateLimit({
 	windowMs: 15 * 60 * 1000, // 15 minutes
 	max: 100, // Limit each IP to 100 requests per `window` (here, per 15 minutes)
@@ -114,10 +151,6 @@ To create multiple instances to apply different rules to different endpoints:
 ```ts
 import rateLimit from 'express-rate-limit'
 
-// Enable if you're behind a reverse proxy (Heroku, Bluemix, AWS ELB, Nginx, etc)
-// see https://expressjs.com/en/guide/behind-proxies.html
-// app.set('trust proxy', 1);
-
 const apiLimiter = rateLimit({
 	windowMs: 15 * 60 * 1000, // 15 minutes
 	max: 100, // Limit each IP to 100 requests per `window` (here, per 15 minutes)
@@ -147,10 +180,6 @@ To use a custom store:
 import rateLimit from 'express-rate-limit'
 import MemoryStore from 'express-rate-limit/memory-store.js'
 
-// Enable if you're behind a reverse proxy (Heroku, Bluemix, AWS ELB, Nginx, etc)
-// see https://expressjs.com/en/guide/behind-proxies.html
-// app.set('trust proxy', 1);
-
 const apiLimiter = rateLimit({
 	windowMs: 15 * 60 * 1000, // 15 minutes
 	max: 100, // Limit each IP to 100 requests per `window` (here, per 15 minutes)
@@ -166,6 +195,38 @@ app.use('/api', apiLimiter)
 > prefixes, when using multiple instances. The default built-in memory store is
 > an exception to this rule.
 
+### Troubleshooting Proxy Issues
+
+If you are behind a proxy/load balancer (usually the case with most hosting
+services, e.g. Heroku, Bluemix, AWS ELB, Nginx, Cloudflare, Akamai, Fastly,
+Firebase Hosting, Rackspace LB, Riverbed Stingray, etc.), the IP address of the
+request might be the IP of the load balancer/reverse proxy (making the rate
+limiter effectively a global one and blocking all requests once the limit is
+reached) or `undefined`. To solve this issue, add the following line to your
+code (right after you create the express application):
+
+```ts
+app.set('trust proxy', numberOfProxies)
+```
+
+Where `numberOfProxies` is the number of proxies between the user and the
+server. To find the correct number, create a test endpoint that returns the
+client IP:
+
+```ts
+app.set('trust proxy', 1)
+app.get('/ip', (request, response) => response.send(request.ip))
+```
+
+Go to `/ip` and see the IP address returned in the response. If it matches your
+IP address (which you can get by going to http://ip.nfriedly.com/ or
+https://api.ipify.org/), then the number of proxies is correct and the rate
+limiter should now work correctly. If not, then keep increasing the number until
+it does.
+
+For more information about the `trust proxy` setting, take a look at the
+[official Express documentation](https://expressjs.com/en/guide/behind-proxies.html).
+
 ## Request API
 
 A `request.rateLimit` property is added to all requests with the `limit`,
@@ -275,9 +336,9 @@ const keyGenerator = (request /*, response*/) => request.ip
 
 The function to handle requests once the max limit is exceeded. It receives the
 `request` and the `response` objects. The `next` param is available if you need
-to pass to the next middleware/route. Finally, the `optionsUsed` param has all
-of the options that originally passed in when creating the current limiter and
-the default values for other options.
+to pass to the next middleware/route. Finally, the `options` param has all of
+the options that originally passed in when creating the current limiter and the
+default values for other options.
 
 The `request.rateLimit` object has `limit`, `current`, and `remaining` number of
 requests and, if the store provides it, a `resetTime` Date object.
@@ -285,7 +346,7 @@ requests and, if the store provides it, a `resetTime` Date object.
 Defaults to:
 
 ```ts
-const handler = (request, response, next, optionsUsed) => {
+const handler = (request, response, next, options) => {
 	response.status(options.statusCode).send(options.message)
 }
 ```

package/tsconfig.json

@@ -1,7 +1,6 @@
 {
 	"compilerOptions": {
 		"declaration": true,
-		"sourceMap": true,
 
 		"strict": true,
 		"noUnusedLocals": true,
@@ -9,9 +8,7 @@
 		"noFallthroughCasesInSwitch": true,
 
 		"moduleResolution": "node",
-		"esModuleInterop": true,
-
-		"inlineSources": true
+		"esModuleInterop": true
 	},
 	"include": ["./source/**/*.ts"],
 	"exclude": ["./node_modules"]

package/dist/cjs/index.d.ts

@@ -1,2 +0,0 @@
-export * from './types.js';
-export { default } from './lib.js';

package/dist/cjs/index.js

@@ -1,19 +0,0 @@
-"use strict";
-// /source/index.ts
-// Export away!
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __exportStar = (this && this.__exportStar) || function(m, exports) {
-    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
-};
-exports.__esModule = true;
-exports["default"] = void 0;
-__exportStar(require("./types.js"), exports);
-var lib_js_1 = require("./lib.js");
-__createBinding(exports, lib_js_1, "default");
-//# sourceMappingURL=index.js.map

package/dist/cjs/index.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../source/index.ts"],"names":[],"mappings":";AAAA,mBAAmB;AACnB,eAAe;;;;;;;;;;;;;AAEf,6CAA0B;AAC1B,mCAAkC;AAAzB,8CAAO","sourcesContent":["// /source/index.ts\n// Export away!\n\nexport * from './types.js'\nexport { default } from './lib.js'\n"]}

package/dist/cjs/lib.d.ts

@@ -1,15 +0,0 @@
-import { Options, RateLimitRequestHandler, LegacyStore, Store } from './types.js';
-/**
- *
- * Create an instance of IP rate-limiting middleware for Express.
- *
- * @param passedOptions {Options} - Options to configure the rate limiter
- *
- * @returns {RateLimitRequestHandler} - The middleware that rate-limits clients based on your configuration
- *
- * @public
- */
-declare const rateLimit: (passedOptions?: (Omit<Partial<Options>, "store"> & {
-    store?: LegacyStore | Store | undefined;
-}) | undefined) => RateLimitRequestHandler;
-export default rateLimit;