express-rate-limit 6.7.0 → 6.8.0

package/changelog.md

@@ -6,15 +6,38 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to
 [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [6.8.0](https://github.com/express-rate-limit/express-rate-limit/releases/tag/v6.8.0)
+
+### Changed
+
+- Added a set of validation checks to execute on the first request. (See
+  [#358](https://github.com/express-rate-limit/express-rate-limit/issues/358))
+
+## [6.7.1](https://github.com/express-rate-limit/express-rate-limit/releases/tag/v6.7.1)
+
+### Fixed
+
+- Fixed compatibility with TypeScript's TypeScript new `node16` module
+  resolution strategy (See
+  [#355](https://github.com/express-rate-limit/express-rate-limit/issues/355))
+
+### Changed
+
+- Bumped development dependencies.
+- Added `node` 20 to list of versions the CI jobs run on.
+
+No functional changes.
+
 ## [6.7.0](https://github.com/express-rate-limit/express-rate-limit/releases/tag/v6.7.0)
 
 ### Changed
 
-- Updated links to point to new express-rate-limit organization on GitHub.
-- Added advertisement to Readme for project sponsor
+- Updated links to point to the new `express-rate-limit` organization on GitHub.
+- Added advertisement to `readme.md` for project sponsor
   [Zuplo](https://zuplo.link/express-rate-limit).
-- Updated TypeScript version and other dev dependencies
-- Changed CI test suite: dropped node.js 12, added node.js 19
+- Updated to `typescript` version 5 and bumped other dependencies.
+- Dropped `node` 12, and added `node` 19 to the list of versions the CI jobs run
+  on.
 
 No functional changes.
 

package/dist/index.cjs

@@ -3,6 +3,7 @@ var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
@@ -16,6 +17,10 @@ var __copyProps = (to, from, except, desc) => {
   return to;
 };
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var __publicField = (obj, key, value) => {
+  __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
+  return value;
+};
 
 // source/index.ts
 var source_exports = {};
@@ -26,13 +31,146 @@ __export(source_exports, {
 });
 module.exports = __toCommonJS(source_exports);
 
+// source/validations.ts
+var import_node_net = require("net");
+var ValidationError = class extends Error {
+  /**
+   * The code must be a string, in snake case and all capital, that starts with
+   * the substring `ERR_ERL_`.
+   *
+   * The message must be a string, starting with a lowercase character,
+   * describing the issue in detail.
+   */
+  constructor(code, message) {
+    super(
+      `express-rate-limit: ${code} - ${message} See https://github.com/express-rate-limit/express-rate-limit/wiki/Error-Codes#${code.toLowerCase()} for more information on this error.`
+    );
+    __publicField(this, "name");
+    __publicField(this, "code");
+    this.name = this.constructor.name;
+    this.code = code;
+    this.message = message;
+  }
+};
+var Validations = class {
+  constructor(enabled) {
+    // eslint-disable-next-line @typescript-eslint/parameter-properties
+    __publicField(this, "enabled");
+    this.enabled = enabled;
+  }
+  enable() {
+    this.enabled = true;
+  }
+  disable() {
+    this.enabled = false;
+  }
+  /**
+   * Checks whether the IP address is valid, and that it does not have a port
+   * number in it.
+   *
+   * See https://github.com/express-rate-limit/express-rate-limit/wiki/Error-Codes#err_erl_invalid_ip_address.
+   *
+   * @param ip {string | undefined} - The IP address provided by Express as request.ip.
+   *
+   * @returns {void}
+   */
+  ip(ip) {
+    this.wrap(() => {
+      if (ip === void 0) {
+        throw new ValidationError(
+          "ERR_ERL_UNDEFINED_IP_ADDRESS",
+          `An undefined 'request.ip' was detected. This might indicate a misconfiguration or the connection being destroyed prematurely.`
+        );
+      }
+      if (!(0, import_node_net.isIP)(ip)) {
+        throw new ValidationError(
+          "ERR_ERL_INVALID_IP_ADDRESS",
+          `An invalid 'request.ip' (${ip}) was detected. Consider passing a custom 'keyGenerator' function to the rate limiter.`
+        );
+      }
+    });
+  }
+  /**
+   * Makes sure the trust proxy setting is not set to `true`.
+   *
+   * See https://github.com/express-rate-limit/express-rate-limit/wiki/Error-Codes#err_erl_permissive_trust_proxy.
+   *
+   * @param request {Request} - The Express request object.
+   *
+   * @returns {void}
+   */
+  trustProxy(request) {
+    this.wrap(() => {
+      if (request.app.get("trust proxy") === true) {
+        throw new ValidationError(
+          "ERR_ERL_PERMISSIVE_TRUST_PROXY",
+          `The Express 'trust proxy' setting is true, which allows anyone to trivially bypass IP-based rate limiting.`
+        );
+      }
+    });
+  }
+  /**
+   * Makes sure the trust proxy setting is set in case the `X-Forwarded-For`
+   * header is present.
+   *
+   * See https://github.com/express-rate-limit/express-rate-limit/wiki/Error-Codes#err_erl_unset_trust_proxy.
+   *
+   * @param request {Request} - The Express request object.
+   *
+   * @returns {void}
+   */
+  xForwardedForHeader(request) {
+    this.wrap(() => {
+      if (request.headers["x-forwarded-for"] && request.app.get("trust proxy") === false) {
+        throw new ValidationError(
+          "ERR_ERL_UNEXPECTED_X_FORWARDED_FOR",
+          `The 'X-Forwarded-For' header is set but the Express 'trust proxy' setting is false (default). This could indicate a misconfiguration which would prevent express-rate-limit from accurately identifying users.`
+        );
+      }
+    });
+  }
+  wrap(validation) {
+    if (!this.enabled) {
+      return;
+    }
+    try {
+      validation.call(this);
+    } catch (error) {
+      console.error(error);
+    }
+  }
+};
+
 // source/memory-store.ts
 var calculateNextResetTime = (windowMs) => {
-  const resetTime = new Date();
+  const resetTime = /* @__PURE__ */ new Date();
   resetTime.setMilliseconds(resetTime.getMilliseconds() + windowMs);
   return resetTime;
 };
 var MemoryStore = class {
+  constructor() {
+    /**
+     * The duration of time before which all hit counts are reset (in milliseconds).
+     */
+    __publicField(this, "windowMs");
+    /**
+     * The map that stores the number of hits for each client in memory.
+     */
+    __publicField(this, "hits");
+    /**
+     * The time at which all hit counts will be reset.
+     */
+    __publicField(this, "resetTime");
+    /**
+     * Reference to the active timer.
+     */
+    __publicField(this, "interval");
+  }
+  /**
+   * Method that initializes the store.
+   *
+   * @param options {Options} - The options used to setup the middleware.
+   */
   init(options) {
     this.windowMs = options.windowMs;
     this.resetTime = calculateNextResetTime(this.windowMs);
@@ -43,6 +181,15 @@ var MemoryStore = class {
     if (this.interval.unref)
       this.interval.unref();
   }
+  /**
+   * Method to increment a client's hit counter.
+   *
+   * @param key {string} - The identifier for a client.
+   *
+   * @returns {IncrementResponse} - The number of hits and reset time for that client.
+   *
+   * @public
+   */
   async increment(key) {
     var _a;
     const totalHits = ((_a = this.hits[key]) != null ? _a : 0) + 1;
@@ -52,25 +199,54 @@ var MemoryStore = class {
       resetTime: this.resetTime
     };
   }
+  /**
+   * Method to decrement a client's hit counter.
+   *
+   * @param key {string} - The identifier for a client.
+   *
+   * @public
+   */
   async decrement(key) {
     const current = this.hits[key];
     if (current)
       this.hits[key] = current - 1;
   }
+  /**
+   * Method to reset a client's hit counter.
+   *
+   * @param key {string} - The identifier for a client.
+   *
+   * @public
+   */
   async resetKey(key) {
     delete this.hits[key];
   }
+  /**
+   * Method to reset everyone's hit counter.
+   *
+   * @public
+   */
   async resetAll() {
     this.hits = {};
     this.resetTime = calculateNextResetTime(this.windowMs);
   }
+  /**
+   * Method to stop the timer (if currently running) and prevent any memory
+   * leaks.
+   *
+   * @public
+   */
   shutdown() {
     clearInterval(this.interval);
   }
 };
 
 // source/lib.ts
-var isLegacyStore = (store) => typeof store.incr === "function" && typeof store.increment !== "function";
+var isLegacyStore = (store) => (
+  // Check that `incr` exists but `increment` does not - store authors might want
+  // to keep both around for backwards compatibility.
+  typeof store.incr === "function" && typeof store.increment !== "function"
+);
 var promisifyStore = (passedStore) => {
   if (!isLegacyStore(passedStore)) {
     return passedStore;
@@ -102,27 +278,43 @@ var promisifyStore = (passedStore) => {
   }
   return new PromisifiedStore();
 };
+var getOptionsFromConfig = (config) => {
+  const { validations, ...directlyPassableEntries } = config;
+  return {
+    ...directlyPassableEntries,
+    validate: validations.enabled
+  };
+};
+var omitUndefinedOptions = (passedOptions) => {
+  const omittedOptions = {};
+  for (const k of Object.keys(passedOptions)) {
+    const key = k;
+    if (passedOptions[key] !== void 0) {
+      omittedOptions[key] = passedOptions[key];
+    }
+  }
+  return omittedOptions;
+};
 var parseOptions = (passedOptions) => {
-  var _a, _b, _c;
+  var _a, _b, _c, _d;
   const notUndefinedOptions = omitUndefinedOptions(passedOptions);
+  const validations = new Validations((_a = notUndefinedOptions == null ? void 0 : notUndefinedOptions.validate) != null ? _a : true);
   const config = {
     windowMs: 60 * 1e3,
     max: 5,
     message: "Too many requests, please try again later.",
     statusCode: 429,
-    legacyHeaders: (_a = passedOptions.headers) != null ? _a : true,
-    standardHeaders: (_b = passedOptions.draft_polli_ratelimit_headers) != null ? _b : false,
+    legacyHeaders: (_b = passedOptions.headers) != null ? _b : true,
+    standardHeaders: (_c = passedOptions.draft_polli_ratelimit_headers) != null ? _c : false,
     requestPropertyName: "rateLimit",
     skipFailedRequests: false,
     skipSuccessfulRequests: false,
     requestWasSuccessful: (_request, response) => response.statusCode < 400,
     skip: (_request, _response) => false,
     keyGenerator(request, _response) {
-      if (!request.ip) {
-        console.error(
-          "WARN | `express-rate-limit` | `request.ip` is undefined. You can avoid this by providing a custom `keyGenerator` function, but it may be indicative of a larger issue."
-        );
-      }
+      validations.ip(request.ip);
+      validations.trustProxy(request);
+      validations.xForwardedForHeader(request);
       return request.ip;
     },
     async handler(request, response, _next, _optionsUsed) {
@@ -137,10 +329,15 @@ var parseOptions = (passedOptions) => {
     },
     onLimitReached(_request, _response, _optionsUsed) {
     },
+    // Allow the options object to be overriden by the options passed to the middleware.
     ...notUndefinedOptions,
-    store: promisifyStore((_c = notUndefinedOptions.store) != null ? _c : new MemoryStore())
+    // Note that this field is declared after the user's options are spread in,
+    // so that this field doesn't get overriden with an un-promisified store!
+    store: promisifyStore((_d = notUndefinedOptions.store) != null ? _d : new MemoryStore()),
+    // Print an error to the console if a few known misconfigurations are detected.
+    validations
   };
-  if (typeof config.store.increment !== "function" || typeof config.store.decrement !== "function" || typeof config.store.resetKey !== "function" || typeof config.store.resetAll !== "undefined" && typeof config.store.resetAll !== "function" || typeof config.store.init !== "undefined" && typeof config.store.init !== "function") {
+  if (typeof config.store.increment !== "function" || typeof config.store.decrement !== "function" || typeof config.store.resetKey !== "function" || config.store.resetAll !== void 0 && typeof config.store.resetAll !== "function" || config.store.init !== void 0 && typeof config.store.init !== "function") {
     throw new TypeError(
       "An invalid store was passed. Please ensure that the store is a class that implements the `Store` interface."
     );
@@ -155,46 +352,47 @@ var handleAsyncErrors = (fn) => async (request, response, next) => {
   }
 };
 var rateLimit = (passedOptions) => {
-  const options = parseOptions(passedOptions != null ? passedOptions : {});
-  if (typeof options.store.init === "function")
-    options.store.init(options);
+  const config = parseOptions(passedOptions != null ? passedOptions : {});
+  const options = getOptionsFromConfig(config);
+  if (typeof config.store.init === "function")
+    config.store.init(options);
   const middleware = handleAsyncErrors(
     async (request, response, next) => {
-      const skip = await options.skip(request, response);
+      const skip = await config.skip(request, response);
       if (skip) {
         next();
         return;
       }
       const augmentedRequest = request;
-      const key = await options.keyGenerator(request, response);
-      const { totalHits, resetTime } = await options.store.increment(key);
-      const retrieveQuota = typeof options.max === "function" ? options.max(request, response) : options.max;
+      const key = await config.keyGenerator(request, response);
+      const { totalHits, resetTime } = await config.store.increment(key);
+      const retrieveQuota = typeof config.max === "function" ? config.max(request, response) : config.max;
       const maxHits = await retrieveQuota;
-      augmentedRequest[options.requestPropertyName] = {
+      augmentedRequest[config.requestPropertyName] = {
         limit: maxHits,
         current: totalHits,
         remaining: Math.max(maxHits - totalHits, 0),
         resetTime
       };
-      if (options.legacyHeaders && !response.headersSent) {
+      if (config.legacyHeaders && !response.headersSent) {
         response.setHeader("X-RateLimit-Limit", maxHits);
         response.setHeader(
           "X-RateLimit-Remaining",
-          augmentedRequest[options.requestPropertyName].remaining
+          augmentedRequest[config.requestPropertyName].remaining
         );
         if (resetTime instanceof Date) {
-          response.setHeader("Date", new Date().toUTCString());
+          response.setHeader("Date", (/* @__PURE__ */ new Date()).toUTCString());
           response.setHeader(
             "X-RateLimit-Reset",
             Math.ceil(resetTime.getTime() / 1e3)
           );
         }
       }
-      if (options.standardHeaders && !response.headersSent) {
+      if (config.standardHeaders && !response.headersSent) {
         response.setHeader("RateLimit-Limit", maxHits);
         response.setHeader(
           "RateLimit-Remaining",
-          augmentedRequest[options.requestPropertyName].remaining
+          augmentedRequest[config.requestPropertyName].remaining
         );
         if (resetTime) {
           const deltaSeconds = Math.ceil(
@@ -203,17 +401,17 @@ var rateLimit = (passedOptions) => {
           response.setHeader("RateLimit-Reset", Math.max(0, deltaSeconds));
         }
       }
-      if (options.skipFailedRequests || options.skipSuccessfulRequests) {
+      if (config.skipFailedRequests || config.skipSuccessfulRequests) {
         let decremented = false;
         const decrementKey = async () => {
           if (!decremented) {
-            await options.store.decrement(key);
+            await config.store.decrement(key);
             decremented = true;
           }
         };
-        if (options.skipFailedRequests) {
+        if (config.skipFailedRequests) {
           response.on("finish", async () => {
-            if (!options.requestWasSuccessful(request, response))
+            if (!config.requestWasSuccessful(request, response))
               await decrementKey();
           });
           response.on("close", async () => {
@@ -224,38 +422,34 @@ var rateLimit = (passedOptions) => {
             await decrementKey();
           });
         }
-        if (options.skipSuccessfulRequests) {
+        if (config.skipSuccessfulRequests) {
           response.on("finish", async () => {
-            if (options.requestWasSuccessful(request, response))
+            if (config.requestWasSuccessful(request, response))
               await decrementKey();
           });
         }
       }
       if (maxHits && totalHits === maxHits + 1) {
-        options.onLimitReached(request, response, options);
+        config.onLimitReached(request, response, options);
       }
+      config.validations.disable();
       if (maxHits && totalHits > maxHits) {
-        if ((options.legacyHeaders || options.standardHeaders) && !response.headersSent) {
-          response.setHeader("Retry-After", Math.ceil(options.windowMs / 1e3));
+        if ((config.legacyHeaders || config.standardHeaders) && !response.headersSent) {
+          response.setHeader("Retry-After", Math.ceil(config.windowMs / 1e3));
         }
-        options.handler(request, response, next, options);
+        config.handler(request, response, next, options);
         return;
       }
       next();
     }
   );
-  middleware.resetKey = options.store.resetKey.bind(options.store);
+  middleware.resetKey = config.store.resetKey.bind(config.store);
   return middleware;
 };
-var omitUndefinedOptions = (passedOptions) => {
-  const omittedOptions = {};
-  for (const k of Object.keys(passedOptions)) {
-    const key = k;
-    if (passedOptions[key] !== void 0) {
-      omittedOptions[key] = passedOptions[key];
-    }
-  }
-  return omittedOptions;
-};
 var lib_default = rateLimit;
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  MemoryStore,
+  rateLimit
+});
 module.exports = rateLimit; module.exports.default = rateLimit; module.exports.rateLimit = rateLimit; module.exports.MemoryStore = MemoryStore;