rate-limiter-flexible 11.1.0 → 11.2.0

package/lib/RateLimiterAbstract.js

@@ -68,11 +68,19 @@ module.exports = class RateLimiterAbstract {
   }
 
   get execEvenlyMinDelayMs() {
-    return this._execEvenlyMinDelayMs;
+    return this._execEvenlyMinDelayMs === undefined
+      ? this._getExecEvenlyMinDelayMsDefault()
+      : this._execEvenlyMinDelayMs;
   }
 
   set execEvenlyMinDelayMs(value) {
-    this._execEvenlyMinDelayMs = typeof value === 'undefined' ? Math.ceil(this.msDuration / this.points) : value;
+    this._execEvenlyMinDelayMs = value;
+  }
+
+  _getExecEvenlyMinDelayMsDefault() {
+    return this.points > 0
+      ? Math.ceil(this.msDuration / this.points)
+      : 0;
   }
 
   get keyPrefix() {

package/lib/RateLimiterMemory.js

@@ -29,7 +29,7 @@ class RateLimiterMemory extends RateLimiterAbstract {
           res = this._memoryStorage.set(rlKey, res.consumedPoints, this.blockDuration);
         }
         reject(res);
-      } else if (this.execEvenly && res.msBeforeNext > 0 && !res.isFirstInDuration) {
+      } else if (this.execEvenly && this.points > 0 && res.msBeforeNext > 0 && !res.isFirstInDuration) {
         // Execute evenly
         let delay = Math.ceil(res.msBeforeNext / (res.remainingPoints + 2));
         if (delay < this.execEvenlyMinDelayMs) {

package/lib/RateLimiterPostgres.js

@@ -262,7 +262,13 @@ class RateLimiterPostgres extends RateLimiterStoreAbstract {
 
   _query(q) {
     const prefix = this.tableName.toLowerCase();
-    const queryObj = { name: `${prefix}:${q.name}`, text: q.text, values: q.values };
+    const queryObj = { text: q.text, values: q.values };
+    // Only name the prepared statement when a name is provided. The one-off
+    // create-table query passes no name, and naming it `${prefix}:undefined`
+    // pollutes the prepared-statement cache (see #196).
+    if (q.name) {
+      queryObj.name = `${prefix}:${q.name}`;
+    }
     return new Promise((resolve, reject) => {
       this._getConnection()
         .then((conn) => {

package/lib/RateLimiterQueue.js

@@ -25,7 +25,7 @@ module.exports = class RateLimiterQueue {
     }
   }
 
-  removeTokens(tokens, key = KEY_DEFAULT) {
+  removeTokens(tokens, key = KEY_DEFAULT, expiresUnixAt = 0) {
     if (!this._queueLimiters[key]) {
       this._queueLimiters[key] = new RateLimiterQueueInternal(
         this._limiterFlexible, {
@@ -34,7 +34,7 @@ module.exports = class RateLimiterQueue {
         })
     }
 
-    return this._queueLimiters[key].removeTokens(tokens)
+    return this._queueLimiters[key].removeTokens(tokens, expiresUnixAt)
   }
 };
 
@@ -48,6 +48,12 @@ class RateLimiterQueueInternal {
     this._waitTimeout = null;
     this._queue = [];
     this._limiterFlexible = limiterFlexible;
+    // Set to true once a request carrying an expiration deadline
+    // (expiresUnixAt > 0) has been queued. While false, _processFIFO skips the
+    // expiry sweep entirely, so projects that never pass expiresUnixAt pay no
+    // extra cost. It is only ever set, never cleared by the sweep (see
+    // _processFIFO for why clearing it would be unsafe).
+    this._hasExpiringRequests = false;
 
     this._maxQueueSize = opts.maxQueueSize
   }
@@ -59,7 +65,7 @@ class RateLimiterQueueInternal {
       })
   }
 
-  removeTokens(tokens) {
+  removeTokens(tokens, expiresUnixAt = 0) {
     const _this = this;
 
     return new Promise((resolve, reject) => {
@@ -69,7 +75,7 @@ class RateLimiterQueueInternal {
       }
 
       if (_this._queue.length > 0) {
-        _this._queueRequest.call(_this, resolve, reject, tokens);
+        _this._queueRequest.call(_this, resolve, reject, tokens, expiresUnixAt);
       } else {
         _this._limiterFlexible.consume(_this._key, tokens)
           .then((res) => {
@@ -79,7 +85,7 @@ class RateLimiterQueueInternal {
             if (rej instanceof Error) {
               reject(rej);
             } else {
-              _this._queueRequest.call(_this, resolve, reject, tokens);
+              _this._queueRequest.call(_this, resolve, reject, tokens, expiresUnixAt);
               if (_this._waitTimeout === null) {
                 _this._waitTimeout = setTimeout(_this._processFIFO.bind(_this), rej.msBeforeNext);
               }
@@ -89,10 +95,13 @@ class RateLimiterQueueInternal {
     })
   }
 
-  _queueRequest(resolve, reject, tokens) {
+  _queueRequest(resolve, reject, tokens, expiresUnixAt = 0) {
     const _this = this;
     if (_this._queue.length < _this._maxQueueSize) {
-      _this._queue.push({resolve, reject, tokens});
+      _this._queue.push({resolve, reject, tokens, expiresUnixAt});
+      if (expiresUnixAt > 0) {
+        _this._hasExpiringRequests = true;
+      }
     } else {
       reject(new RateLimiterQueueError(`Number of requests reached it's maximum ${_this._maxQueueSize}`))
     }
@@ -106,6 +115,28 @@ class RateLimiterQueueInternal {
       _this._waitTimeout = null;
     }
 
+    // Reject any queued requests that have reached their expiration deadline
+    // (expiresUnixAt, in Unix seconds) before they could be fulfilled. The
+    // sweep is skipped until a request with a deadline has been queued, so
+    // projects that never pass expiresUnixAt keep the original O(1) cost here.
+    //
+    // The flag is deliberately only ever set, never cleared from a snapshot of
+    // _queue: while a request is being consumed it is momentarily shift()ed out
+    // of _queue and may be unshift()ed back by the rate-limit retry path below
+    // (without going through _queueRequest). Clearing the flag from a snapshot
+    // that excludes such an in-flight request could strand it with the sweep
+    // permanently disabled, so it would never expire.
+    if (_this._hasExpiringRequests) {
+      const nowSecs = Math.floor(Date.now() / 1000);
+      _this._queue = _this._queue.filter((item) => {
+        if (item.expiresUnixAt > 0 && nowSecs >= item.expiresUnixAt) {
+          item.reject(new RateLimiterQueueError('The request to remove tokens expired before it could be fulfilled'));
+          return false;
+        }
+        return true;
+      });
+    }
+
     if (_this._queue.length === 0) {
       return;
     }

package/lib/RateLimiterStoreAbstract.js

@@ -79,7 +79,7 @@ module.exports = class RateLimiterStoreAbstract extends RateLimiterInsuredAbstra
         .catch((err) => {
           reject(err);
         });
-    } else if (this.execEvenly && res.msBeforeNext > 0 && !res.isFirstInDuration) {
+    } else if (this.execEvenly && this.points > 0 && res.msBeforeNext > 0 && !res.isFirstInDuration) {
       let delay = Math.ceil(res.msBeforeNext / (res.remainingPoints + 2));
       if (delay < this.execEvenlyMinDelayMs) {
         delay = res.consumedPoints * this.execEvenlyMinDelayMs;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "rate-limiter-flexible",
-  "version": "11.1.0",
+  "version": "11.2.0",
   "description": "Node.js atomic and non-atomic counters, rate limiting tools, protection from DoS and brute-force attacks at scale",
   "main": "index.js",
   "scripts": {

package/types.d.ts

@@ -514,7 +514,16 @@ export class RateLimiterQueue {
 
     getTokensRemaining(key?: string | number): Promise<number>;
 
-    removeTokens(tokens: number, key?: string | number): Promise<number>;
+    /**
+     * Remove tokens from the queue.
+     *
+     * @param tokens Number of tokens to remove.
+     * @param key Optional queue key for separate FIFO queues.
+     * @param expiresUnixAt Optional absolute deadline as a Unix timestamp in
+     *   seconds. If the request is still queued when this time is reached, it is
+     *   rejected with a `RateLimiterQueueError`. Defaults to `0` (never expires).
+     */
+    removeTokens(tokens: number, key?: string | number, expiresUnixAt?: number): Promise<number>;
 }
 
 export class BurstyRateLimiter {