express-rate-limit 6.11.2 → 7.0.0

package/dist/index.cjs

@@ -3,7 +3,6 @@ var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
@@ -17,10 +16,6 @@ var __copyProps = (to, from, except, desc) => {
   return to;
 };
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var __publicField = (obj, key, value) => {
-  __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
-  return value;
-};
 
 // source/index.ts
 var source_exports = {};
@@ -97,9 +92,6 @@ var ValidationError = class extends Error {
   constructor(code, message) {
     const url = `https://express-rate-limit.github.io/${code}/`;
     super(`${message} See ${url} for more information.`);
-    __publicField(this, "name");
-    __publicField(this, "code");
-    __publicField(this, "help");
     this.name = this.constructor.name;
     this.code = code;
     this.help = url;
@@ -107,18 +99,17 @@ var ValidationError = class extends Error {
 };
 var ChangeWarning = class extends ValidationError {
 };
-var _Validations = class _Validations {
-  constructor(enabled) {
-    // eslint-disable-next-line @typescript-eslint/parameter-properties
-    __publicField(this, "enabled");
-    this.enabled = enabled;
-  }
-  enable() {
-    this.enabled = true;
-  }
+var singleCountKeys = /* @__PURE__ */ new WeakMap();
+var validations = {
+  // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+  enabled: {
+    default: true
+  },
+  // Should be EnabledValidations type, but that's a circular reference
   disable() {
-    this.enabled = false;
-  }
+    for (const k of Object.keys(this.enabled))
+      this.enabled[k] = false;
+  },
   /**
    * Checks whether the IP address is valid, and that it does not have a port
    * number in it.
@@ -130,21 +121,19 @@ var _Validations = class _Validations {
    * @returns {void}
    */
   ip(ip) {
-    this.wrap(() => {
-      if (ip === void 0) {
-        throw new ValidationError(
-          "ERR_ERL_UNDEFINED_IP_ADDRESS",
-          `An undefined 'request.ip' was detected. This might indicate a misconfiguration or the connection being destroyed prematurely.`
-        );
-      }
-      if (!(0, import_node_net.isIP)(ip)) {
-        throw new ValidationError(
-          "ERR_ERL_INVALID_IP_ADDRESS",
-          `An invalid 'request.ip' (${ip}) was detected. Consider passing a custom 'keyGenerator' function to the rate limiter.`
-        );
-      }
-    });
-  }
+    if (ip === void 0) {
+      throw new ValidationError(
+        "ERR_ERL_UNDEFINED_IP_ADDRESS",
+        `An undefined 'request.ip' was detected. This might indicate a misconfiguration or the connection being destroyed prematurely.`
+      );
+    }
+    if (!(0, import_node_net.isIP)(ip)) {
+      throw new ValidationError(
+        "ERR_ERL_INVALID_IP_ADDRESS",
+        `An invalid 'request.ip' (${ip}) was detected. Consider passing a custom 'keyGenerator' function to the rate limiter.`
+      );
+    }
+  },
   /**
    * Makes sure the trust proxy setting is not set to `true`.
    *
@@ -155,15 +144,13 @@ var _Validations = class _Validations {
    * @returns {void}
    */
   trustProxy(request) {
-    this.wrap(() => {
-      if (request.app.get("trust proxy") === true) {
-        throw new ValidationError(
-          "ERR_ERL_PERMISSIVE_TRUST_PROXY",
-          `The Express 'trust proxy' setting is true, which allows anyone to trivially bypass IP-based rate limiting.`
-        );
-      }
-    });
-  }
+    if (request.app.get("trust proxy") === true) {
+      throw new ValidationError(
+        "ERR_ERL_PERMISSIVE_TRUST_PROXY",
+        `The Express 'trust proxy' setting is true, which allows anyone to trivially bypass IP-based rate limiting.`
+      );
+    }
+  },
   /**
    * Makes sure the trust proxy setting is set in case the `X-Forwarded-For`
    * header is present.
@@ -175,31 +162,26 @@ var _Validations = class _Validations {
    * @returns {void}
    */
   xForwardedForHeader(request) {
-    this.wrap(() => {
-      if (request.headers["x-forwarded-for"] && request.app.get("trust proxy") === false) {
-        throw new ValidationError(
-          "ERR_ERL_UNEXPECTED_X_FORWARDED_FOR",
-          `The 'X-Forwarded-For' header is set but the Express 'trust proxy' setting is false (default). This could indicate a misconfiguration which would prevent express-rate-limit from accurately identifying users.`
-        );
-      }
-    });
-  }
+    if (request.headers["x-forwarded-for"] && request.app.get("trust proxy") === false) {
+      throw new ValidationError(
+        "ERR_ERL_UNEXPECTED_X_FORWARDED_FOR",
+        `The 'X-Forwarded-For' header is set but the Express 'trust proxy' setting is false (default). This could indicate a misconfiguration which would prevent express-rate-limit from accurately identifying users.`
+      );
+    }
+  },
   /**
    * Ensures totalHits value from store is a positive integer.
    *
    * @param hits {any} - The `totalHits` returned by the store.
    */
   positiveHits(hits) {
-    this.wrap(() => {
-      if (typeof hits !== "number" || hits < 1 || hits !== Math.round(hits)) {
-        throw new ValidationError(
-          "ERR_ERL_INVALID_HITS",
-          `The totalHits value returned from the store must be a positive integer, got ${hits}`
-          // eslint-disable-line @typescript-eslint/restrict-template-expressions
-        );
-      }
-    });
-  }
+    if (typeof hits !== "number" || hits < 1 || hits !== Math.round(hits)) {
+      throw new ValidationError(
+        "ERR_ERL_INVALID_HITS",
+        `The totalHits value returned from the store must be a positive integer, got ${hits}`
+      );
+    }
+  },
   /**
    * Ensures a given key is incremented only once per request.
    *
@@ -210,83 +192,74 @@ var _Validations = class _Validations {
    * @returns {void}
    */
   singleCount(request, store, key) {
-    this.wrap(() => {
-      var _a;
-      let storeKeys = _Validations.singleCountKeys.get(request);
-      if (!storeKeys) {
-        storeKeys = /* @__PURE__ */ new Map();
-        _Validations.singleCountKeys.set(request, storeKeys);
-      }
-      const storeKey = store.localKeys ? store : store.constructor.name;
-      let keys = storeKeys.get(storeKey);
-      if (!keys) {
-        keys = [];
-        storeKeys.set(storeKey, keys);
-      }
-      const prefixedKey = `${(_a = store.prefix) != null ? _a : ""}${key}`;
-      if (keys.includes(prefixedKey)) {
-        throw new ValidationError(
-          "ERR_ERL_DOUBLE_COUNT",
-          `The hit count for ${key} was incremented more than once for a single request.`
-        );
-      }
-      keys.push(prefixedKey);
-    });
-  }
+    let storeKeys = singleCountKeys.get(request);
+    if (!storeKeys) {
+      storeKeys = /* @__PURE__ */ new Map();
+      singleCountKeys.set(request, storeKeys);
+    }
+    const storeKey = store.localKeys ? store : store.constructor.name;
+    let keys = storeKeys.get(storeKey);
+    if (!keys) {
+      keys = [];
+      storeKeys.set(storeKey, keys);
+    }
+    const prefixedKey = `${store.prefix ?? ""}${key}`;
+    if (keys.includes(prefixedKey)) {
+      throw new ValidationError(
+        "ERR_ERL_DOUBLE_COUNT",
+        `The hit count for ${key} was incremented more than once for a single request.`
+      );
+    }
+    keys.push(prefixedKey);
+  },
   /**
-   * Warns the user that the behaviour for `max: 0` is changing in the next
+   * Warns the user that the behaviour for `max: 0` / `limit: 0` is changing in the next
    * major release.
    *
-   * @param max {number} - The maximum number of hits per client.
+   * @param limit {number} - The maximum number of hits per client.
    *
    * @returns {void}
    */
-  max(max) {
-    this.wrap(() => {
-      if (max === 0) {
-        throw new ChangeWarning(
-          "WRN_ERL_MAX_ZERO",
-          `Setting max to 0 disables rate limiting in express-rate-limit v6 and older, but will cause all requests to be blocked in v7`
-        );
-      }
-    });
-  }
+  limit(limit) {
+    if (limit === 0) {
+      throw new ChangeWarning(
+        "WRN_ERL_MAX_ZERO",
+        `Setting limit or max to 0 disables rate limiting in express-rate-limit v6 and older, but will cause all requests to be blocked in v7`
+      );
+    }
+  },
   /**
    * Warns the user that the `draft_polli_ratelimit_headers` option is deprecated
    * and will be removed in the next major release.
    *
-   * @param draft_polli_ratelimit_headers {boolean|undefined} - The now-deprecated setting that was used to enable standard headers.
+   * @param draft_polli_ratelimit_headers {any | undefined} - The now-deprecated setting that was used to enable standard headers.
    *
    * @returns {void}
    */
   draftPolliHeaders(draft_polli_ratelimit_headers) {
-    this.wrap(() => {
-      if (draft_polli_ratelimit_headers) {
-        throw new ChangeWarning(
-          "WRN_ERL_DEPRECATED_DRAFT_POLLI_HEADERS",
-          `The draft_polli_ratelimit_headers configuration option is deprecated and will be removed in express-rate-limit v7, please set standardHeaders: 'draft-6' instead.`
-        );
-      }
-    });
-  }
+    if (draft_polli_ratelimit_headers) {
+      throw new ChangeWarning(
+        "WRN_ERL_DEPRECATED_DRAFT_POLLI_HEADERS",
+        `The draft_polli_ratelimit_headers configuration option is deprecated and has been removed in express-rate-limit v7, please set standardHeaders: 'draft-6' instead.`
+      );
+    }
+  },
   /**
    * Warns the user that the `onLimitReached` option is deprecated and will be removed in the next
    * major release.
    *
-   * @param onLimitReached {function|undefined} - The maximum number of hits per client.
+   * @param onLimitReached {any | undefined} - The maximum number of hits per client.
    *
    * @returns {void}
    */
   onLimitReached(onLimitReached) {
-    this.wrap(() => {
-      if (onLimitReached) {
-        throw new ChangeWarning(
-          "WRN_ERL_DEPRECATED_ON_LIMIT_REACHED",
-          `The onLimitReached configuration option is deprecated and will be removed in express-rate-limit v7.`
-        );
-      }
-    });
-  }
+    if (onLimitReached) {
+      throw new ChangeWarning(
+        "WRN_ERL_DEPRECATED_ON_LIMIT_REACHED",
+        `The onLimitReached configuration option is deprecated and has been removed in express-rate-limit v7.`
+      );
+    }
+  },
   /**
    * Warns the user when the selected headers option requires a reset time but
    * the store does not provide one.
@@ -296,71 +269,93 @@ var _Validations = class _Validations {
    * @returns {void}
    */
   headersResetTime(resetTime) {
-    this.wrap(() => {
-      if (!resetTime) {
+    if (!resetTime) {
+      throw new ValidationError(
+        "ERR_ERL_HEADERS_NO_RESET",
+        `standardHeaders:  'draft-7' requires a 'resetTime', but the store did not provide one. The 'windowMs' value will be used instead, which may cause clients to wait longer than necessary.`
+      );
+    }
+  },
+  /**
+   * Checks the options.validate setting to ensure that only recognized validations are enabled or disabled.
+   *
+   * If any unrecognized values are found, an error is logged that includes the list of supported vaidations.
+   */
+  validationsConfig() {
+    const supportedValidations = Object.keys(this).filter(
+      (k) => !["enabled", "disable"].includes(k)
+    );
+    supportedValidations.push("default");
+    for (const key of Object.keys(this.enabled)) {
+      if (!supportedValidations.includes(key)) {
         throw new ValidationError(
-          "ERR_ERL_HEADERS_NO_RESET",
-          `standardHeaders:  'draft-7' requires a 'resetTime', but the store did not provide one. The 'windowMs' value will be used instead, which may cause clients to wait longer than necessary.`
+          "ERR_ERL_UNKNOWN_VALIDATION",
+          `options.validate.${key} is not recognized. Supported validate options are: ${supportedValidations.join(
+            ", "
+          )}.`
         );
       }
-    });
-  }
-  wrap(validation) {
-    if (!this.enabled) {
-      return;
-    }
-    try {
-      validation.call(this);
-    } catch (error) {
-      if (error instanceof ChangeWarning)
-        console.warn(error);
-      else
-        console.error(error);
     }
   }
 };
-/**
- * Maps the key used in a store for a certain request, and ensures that the
- * same key isn't used more than once per request.
- *
- * The store can be any one of the following:
- *  - An instance, for stores like the MemoryStore where two instances do not
- *    share state.
- *  - A string (class name), for stores where multiple instances
- *    typically share state, such as the Redis store.
- */
-__publicField(_Validations, "singleCountKeys", /* @__PURE__ */ new WeakMap());
-var Validations = _Validations;
+var getValidations = (_enabled) => {
+  let enabled;
+  if (typeof _enabled === "boolean") {
+    enabled = {
+      default: _enabled
+    };
+  } else {
+    enabled = {
+      default: true,
+      ..._enabled
+    };
+  }
+  const wrappedValidations = {
+    enabled
+  };
+  for (const [name, validation] of Object.entries(validations)) {
+    if (typeof validation === "function")
+      wrappedValidations[name] = (...args) => {
+        if (!(enabled[name] ?? enabled.default)) {
+          return;
+        }
+        try {
+          ;
+          validation.apply(
+            wrappedValidations,
+            args
+          );
+        } catch (error) {
+          if (error instanceof ChangeWarning)
+            console.warn(error);
+          else
+            console.error(error);
+        }
+      };
+  }
+  return wrappedValidations;
+};
 
 // source/memory-store.ts
-var calculateNextResetTime = (windowMs) => {
-  const resetTime = /* @__PURE__ */ new Date();
-  resetTime.setMilliseconds(resetTime.getMilliseconds() + windowMs);
-  return resetTime;
-};
 var MemoryStore = class {
   constructor() {
     /**
-     * The duration of time before which all hit counts are reset (in milliseconds).
-     */
-    __publicField(this, "windowMs");
-    /**
-     * The map that stores the number of hits for each client in memory.
-     */
-    __publicField(this, "hits");
-    /**
-     * The time at which all hit counts will be reset.
-     */
-    __publicField(this, "resetTime");
-    /**
-     * Reference to the active timer.
+     * These two maps store usage (requests) and reset time by key (for example, IP
+     * addresses or API keys).
+     *
+     * They are split into two to avoid having to iterate through the entire set to
+     * determine which ones need reset. Instead, `Client`s are moved from `previous`
+     * to `current` as they hit the endpoint. Once `windowMs` has elapsed, all clients
+     * left in `previous`, i.e., those that have not made any recent requests, are
+     * known to be expired and can be deleted in bulk.
      */
-    __publicField(this, "interval");
+    this.previous = /* @__PURE__ */ new Map();
+    this.current = /* @__PURE__ */ new Map();
     /**
      * Confirmation that the keys incremented in once instance of MemoryStore
      * cannot affect other instances.
      */
-    __publicField(this, "localKeys", true);
+    this.localKeys = true;
   }
   /**
    * Method that initializes the store.
@@ -369,10 +364,10 @@ var MemoryStore = class {
    */
   init(options) {
     this.windowMs = options.windowMs;
-    this.resetTime = calculateNextResetTime(this.windowMs);
-    this.hits = {};
-    this.interval = setInterval(async () => {
-      await this.resetAll();
+    if (this.interval)
+      clearInterval(this.interval);
+    this.interval = setInterval(() => {
+      this.clearExpired();
     }, this.windowMs);
     if (this.interval.unref)
       this.interval.unref();
@@ -387,12 +382,7 @@ var MemoryStore = class {
    * @public
    */
   async get(key) {
-    if (this.hits[key] !== void 0)
-      return {
-        totalHits: this.hits[key],
-        resetTime: this.resetTime
-      };
-    return void 0;
+    return this.current.get(key) ?? this.previous.get(key);
   }
   /**
    * Method to increment a client's hit counter.
@@ -404,13 +394,13 @@ var MemoryStore = class {
    * @public
    */
   async increment(key) {
-    var _a;
-    const totalHits = ((_a = this.hits[key]) != null ? _a : 0) + 1;
-    this.hits[key] = totalHits;
-    return {
-      totalHits,
-      resetTime: this.resetTime
-    };
+    const client = this.getClient(key);
+    const now = Date.now();
+    if (client.resetTime.getTime() <= now) {
+      this.resetClient(client, now);
+    }
+    client.totalHits++;
+    return client;
   }
   /**
    * Method to decrement a client's hit counter.
@@ -420,9 +410,9 @@ var MemoryStore = class {
    * @public
    */
   async decrement(key) {
-    const current = this.hits[key];
-    if (current)
-      this.hits[key] = current - 1;
+    const client = this.getClient(key);
+    if (client.totalHits > 0)
+      client.totalHits--;
   }
   /**
    * Method to reset a client's hit counter.
@@ -432,7 +422,8 @@ var MemoryStore = class {
    * @public
    */
   async resetKey(key) {
-    delete this.hits[key];
+    this.current.delete(key);
+    this.previous.delete(key);
   }
   /**
    * Method to reset everyone's hit counter.
@@ -440,8 +431,8 @@ var MemoryStore = class {
    * @public
    */
   async resetAll() {
-    this.hits = {};
-    this.resetTime = calculateNextResetTime(this.windowMs);
+    this.current.clear();
+    this.previous.clear();
   }
   /**
    * Method to stop the timer (if currently running) and prevent any memory
@@ -451,6 +442,55 @@ var MemoryStore = class {
    */
   shutdown() {
     clearInterval(this.interval);
+    void this.resetAll();
+  }
+  /**
+   * Recycles a client by setting its hit count to zero, and reset time to
+   * `windowMs` milliseconds from now.
+   *
+   * NOT to be confused with `#resetKey()`, which removes a client from both the
+   * `current` and `previous` maps.
+   *
+   * @param client {Client} - The client to recycle.
+   * @param now {number} - The current time, to which the `windowMs` is added to get the `resetTime` for the client.
+   *
+   * @return {Client} - The modified client that was passed in, to allow for chaining.
+   */
+  resetClient(client, now = Date.now()) {
+    client.totalHits = 0;
+    client.resetTime.setTime(now + this.windowMs);
+    return client;
+  }
+  /**
+   * Retrieves or creates a client, given a key. Also ensures that the client being
+   * returned is in the `current` map.
+   *
+   * @param key {string} - The key under which the client is (or is to be) stored.
+   *
+   * @returns {Client} - The requested client.
+   */
+  getClient(key) {
+    if (this.current.has(key))
+      return this.current.get(key);
+    let client;
+    if (this.previous.has(key)) {
+      client = this.previous.get(key);
+      this.previous.delete(key);
+    } else {
+      client = { totalHits: 0, resetTime: /* @__PURE__ */ new Date() };
+      this.resetClient(client);
+    }
+    this.current.set(key, client);
+    return client;
+  }
+  /**
+   * Move current clients to previous, create a new map for current.
+   *
+   * This function is called every `windowMs`.
+   */
+  clearExpired() {
+    this.previous = this.current;
+    this.current = /* @__PURE__ */ new Map();
   }
 };
 
@@ -497,10 +537,10 @@ var promisifyStore = (passedStore) => {
   return new PromisifiedStore();
 };
 var getOptionsFromConfig = (config) => {
-  const { validations, ...directlyPassableEntries } = config;
+  const { validations: validations2, ...directlyPassableEntries } = config;
   return {
     ...directlyPassableEntries,
-    validate: validations.enabled
+    validate: validations2.enabled
   };
 };
 var omitUndefinedOptions = (passedOptions) => {
@@ -514,32 +554,33 @@ var omitUndefinedOptions = (passedOptions) => {
   return omittedOptions;
 };
 var parseOptions = (passedOptions) => {
-  var _a, _b, _c, _d;
   const notUndefinedOptions = omitUndefinedOptions(passedOptions);
-  const validations = new Validations((_a = notUndefinedOptions == null ? void 0 : notUndefinedOptions.validate) != null ? _a : true);
-  validations.draftPolliHeaders(
+  const validations2 = getValidations(notUndefinedOptions?.validate ?? true);
+  validations2.validationsConfig();
+  validations2.draftPolliHeaders(
+    // @ts-expect-error see the note above.
     notUndefinedOptions.draft_polli_ratelimit_headers
   );
-  validations.onLimitReached(notUndefinedOptions.onLimitReached);
-  let standardHeaders = (_b = notUndefinedOptions.standardHeaders) != null ? _b : false;
-  if (standardHeaders === true || standardHeaders === void 0 && notUndefinedOptions.draft_polli_ratelimit_headers) {
+  validations2.onLimitReached(notUndefinedOptions.onLimitReached);
+  let standardHeaders = notUndefinedOptions.standardHeaders ?? false;
+  if (standardHeaders === true)
     standardHeaders = "draft-6";
-  }
   const config = {
     windowMs: 60 * 1e3,
-    max: 5,
+    limit: passedOptions.max ?? 5,
+    // `max` is deprecated, but support it anyways.
     message: "Too many requests, please try again later.",
     statusCode: 429,
-    legacyHeaders: (_c = passedOptions.headers) != null ? _c : true,
+    legacyHeaders: passedOptions.headers ?? true,
     requestPropertyName: "rateLimit",
     skipFailedRequests: false,
     skipSuccessfulRequests: false,
     requestWasSuccessful: (_request, response) => response.statusCode < 400,
     skip: (_request, _response) => false,
     keyGenerator(request, _response) {
-      validations.ip(request.ip);
-      validations.trustProxy(request);
-      validations.xForwardedForHeader(request);
+      validations2.ip(request.ip);
+      validations2.trustProxy(request);
+      validations2.xForwardedForHeader(request);
       return request.ip;
     },
     async handler(request, response, _next, _optionsUsed) {
@@ -552,17 +593,15 @@ var parseOptions = (passedOptions) => {
         response.send(message);
       }
     },
-    onLimitReached(_request, _response, _optionsUsed) {
-    },
     // Allow the default options to be overriden by the options passed to the middleware.
     ...notUndefinedOptions,
     // `standardHeaders` is resolved into a draft version above, use that.
     standardHeaders,
     // Note that this field is declared after the user's options are spread in,
     // so that this field doesn't get overriden with an un-promisified store!
-    store: promisifyStore((_d = notUndefinedOptions.store) != null ? _d : new MemoryStore()),
+    store: promisifyStore(notUndefinedOptions.store ?? new MemoryStore()),
     // Print an error to the console if a few known misconfigurations are detected.
-    validations
+    validations: validations2
   };
   if (typeof config.store.increment !== "function" || typeof config.store.decrement !== "function" || typeof config.store.resetKey !== "function" || config.store.resetAll !== void 0 && typeof config.store.resetAll !== "function" || config.store.init !== void 0 && typeof config.store.init !== "function") {
     throw new TypeError(
@@ -579,8 +618,7 @@ var handleAsyncErrors = (fn) => async (request, response, next) => {
   }
 };
 var rateLimit = (passedOptions) => {
-  var _a;
-  const config = parseOptions(passedOptions != null ? passedOptions : {});
+  const config = parseOptions(passedOptions ?? {});
   const options = getOptionsFromConfig(config);
   if (typeof config.store.init === "function")
     config.store.init(options);
@@ -596,15 +634,20 @@ var rateLimit = (passedOptions) => {
       const { totalHits, resetTime } = await config.store.increment(key);
       config.validations.positiveHits(totalHits);
       config.validations.singleCount(request, config.store, key);
-      const retrieveQuota = typeof config.max === "function" ? config.max(request, response) : config.max;
-      const maxHits = await retrieveQuota;
-      config.validations.max(maxHits);
+      const retrieveLimit = typeof config.limit === "function" ? config.limit(request, response) : config.limit;
+      const limit = await retrieveLimit;
+      config.validations.limit(limit);
       const info = {
-        limit: maxHits,
-        current: totalHits,
-        remaining: Math.max(maxHits - totalHits, 0),
+        limit,
+        used: totalHits,
+        remaining: Math.max(limit - totalHits, 0),
         resetTime
       };
+      Object.defineProperty(info, "current", {
+        configurable: false,
+        enumerable: false,
+        value: totalHits
+      });
       augmentedRequest[config.requestPropertyName] = info;
       if (config.legacyHeaders && !response.headersSent) {
         setLegacyHeaders(response, info);
@@ -645,11 +688,8 @@ var rateLimit = (passedOptions) => {
           });
         }
       }
-      if (maxHits && totalHits === maxHits + 1) {
-        config.onLimitReached(request, response, options);
-      }
       config.validations.disable();
-      if (maxHits && totalHits > maxHits) {
+      if (totalHits > limit) {
         if (config.legacyHeaders || config.standardHeaders) {
           setRetryAfterHeader(response, info, config.windowMs);
         }
@@ -660,7 +700,7 @@ var rateLimit = (passedOptions) => {
     }
   );
   middleware.resetKey = config.store.resetKey.bind(config.store);
-  middleware.getKey = (_a = config.store.get) == null ? void 0 : _a.bind(
+  middleware.getKey = config.store.get?.bind(
     config.store
   );
   return middleware;