express-throttle
v2.0.0
Published
Request throttling middleware for Express
Downloads
24,862
Maintainers
Readme
express-throttle
Request throttling middleware for Express framework
Installation
$ npm install express-throttle
Implementation
The throttling is done using the canonical token bucket algorithm, where tokens are "refilled" in a sliding window manner by default (can be configured to fixed time windows). This means that if we a set maximum rate of 10 requests / minute, a client will not be able to send 10 requests 0:59, and 10 more 1:01. However, if the client sends 10 requests at 0:30, he will be able to send a new request at 0:36 (since tokens are refilled continuously 1 every 6 seconds).
Limitations
By default, throttling data is stored in memory and is thus not shared between multiple processes. If your application is behind a load balancer which distributes traffic among several node processes, then throttling will be applied per process, which is generally not what you want (unless you can ensure that a client always hits the same process). It is possible to customize the storage so that the throttling data gets saved to a shared backend (e.g Redis). However, the current implementation contains a race-condition and will likely fail (erroneously allow/block certain requests) under high load. My plan is to address this shortcoming in future versions.
TL;DR - Use this package in production at your own risk, beware of the limitations.
- If you are running node as single process = you should be fine
- If you are running node as multiple processes = be aware that throttling is done per process
- If you have configured to use an external backend = some requests may erroneously be throttled (or passed through) under high load conditions
Examples
var express = require("express");
var throttle = require("express-throttle");
var app = express();
// Allow 5 requests at any rate with an average rate of 5/s
app.post("/search", throttle({ "rate": "5/s" }), function(req, res, next) {
// ...
});
// Allow 5 requests at any rate during a fixed time window of 1 sec
app.post("/search", throttle({ "burst": 5, "period": "1s" }), function(req, res, next) {
// ...
});
Combine it with a burst capacity of 10, meaning that the client can make 10 requests at any rate. The burst capacity is "refilled" with the specified rate (in this case 5/s).
app.post("/search", throttle({ "burst": 10, "rate": "5/s" }), function(req, res, next) {
// ...
});
// "Half" requests are supported as well (1 request every other second)
app.post("/search", throttle({ "burst": 5, "rate": "1/2s" }), function(req, res, next) {
// ...
});
By default, throttling is done on a per ip-address basis (see this link about how the ip address is extracted from the request). This can be configured by providing a custom key-function:
var options = {
"burst": 10,
"rate": "5/s",
"key": function(req) {
return req.session.username;
}
};
app.post("/search", throttle(options), function(req, res, next) {
// ...
});
The "cost" per request can also be customized, making it possible to, for example whitelist certain requests:
var whitelist = ["ip-1", "ip-2", ...];
var options = {
"burst": 10,
"rate": "5/s",
"cost": function(req) {
var ip_address = req.connection.remoteAddress;
if (whitelist.indexOf(ip_address) >= 0) {
return 0;
} else if (req.session.is_privileged_user) {
return 0.5;
} else {
return 1;
}
}
};
app.post("/search", throttle(options), function(req, res, next) {
// ...
});
var options = {
"rate": "1/s",
"burst": 10,
"cost": 2.5 // fixed costs are also supported
};
app.post("/expensive", throttle(options), function(req, res, next) {
// ...
});
Throttled requests will simply be responded with an empty 429 response. This can be overridden:
var options = {
"burst": 5
"period": "1min",
"on_throttled": function(req, res, next, bucket) {
// Possible course of actions:
// 1) Log request
// 2) Add client ip address to a ban list
// 3) Send back more information
res.set("X-Rate-Limit-Limit", 5);
res.set("X-Rate-Limit-Remaining", 0);
// bucket.etime = expiration time in Unix epoch ms, only available
// for fixed time windows
res.set("X-Rate-Limit-Reset", bucket.etime);
res.status(503).send("System overloaded, try again at a later time.");
}
};
You may also customize the response on requests that are passed through:
var options = {
"rate": "5/s",
"on_allowed": function(req, res, next, bucket) {
res.set("X-Rate-Limit-Limit", 5);
res.set("X-Rate-Limit-Remaining", bucket.tokens);
}
}
Throttling can be applied across multiple processes. This requires an external storage mechanism which can be configured as follows:
function ExternalStorage(connection_settings) {
// ...
}
// These methods must be implemented
ExternalStorage.prototype.get = function(key, callback) {
fetch(key, function(bucket) {
// First argument should be null if no errors occurred
callback(null, bucket);
});
}
ExternalStorage.prototype.set = function(key, bucket, lifetime, callback) {
save(key, bucket, function(err) {
// err should be null if no errors occurred
callback(err);
});
}
var options = {
"rate": "5/s",
"store": new ExternalStorage()
}
app.post("/search", throttle(options), function(req, res, next) {
// ...
});
Options
burst
: The number of requests that can be made at any rate. Defaults to X as defined below for rolling windows.
rate
: Determines the rate at which the burst quota is "refilled". This will control the average number of requests per time unit. Must be specified according to the following format: X/Yt
where X and Y are integers and t is the time unit which can be any of the following: ms, s, sec, m, min, h, hour, d, day
E.g 5/s, 180/15min, 1000/d
period
: The duration of the time window after which the entire burst quota is refilled. Must be specified according to the following format: Y/t, where Y and t are defined as above.
E.g 5s, 15min, 1000d
store
: Custom storage class. Must implement a get
and set
method with the following signatures:
// callback in both methods must be called with an error (if any) as first argument
function get(key, callback) {
fetch(key, function(err, bucket) {
if (err) callback(err);
else callback(null, bucket);
});
}
function set(key, bucket, callback) {
// 'bucket' will be an object with the following structure:
/*
{
"tokens": Number, (current number of tokens)
"mtime": Number, (last modification time)
"etime": Number (expiration time, only available for fixed time windows)
}
*/
save(key, bucket, function(err) {
callback(err);
}
}
Defaults to an LRU cache with a maximum of 10000 entries.
store_size
: Determines the maximum number of entries for the default in-memory LRU cache. 0 indicates no limit, not recommended, since entries in the cache are not expired / cleaned up / garbage collected.
key
: Function used to identify clients. It will be called with an express request object. Defaults to:
function(req) {
return req.ip; // http://expressjs.com/en/api.html#req.ip
}
cost
: Number or function used to calculate the cost for a request with an express request object. Defaults to 1.
on_allowed
: A function called when the request is passed through with an express request object, express response object, next
function and a bucket
object. Defaults to:
function(req, res, next, bucket) {
next();
}
on_throttled
: A function called when the request is throttled with an express request object, express response object, next
function and a bucket
object. Defaults to:
function(req, res, next, bucket) {
res.status(429).end();
};