npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

nestjs-multi-throttler

v1.0.2

Published

A NestJS package that provides a multi-rate limit handler for efficient and scalable server-side applications. It allows you to easily configure and manage multiple rate limits, such as requests per minute or requests per hour, with support for different

Downloads

5

Readme

npm version npm download

Description

NestJS Multi-Throttler is a powerful rate limiting package for NestJS applications that supports both Express and Fastify frameworks. It allows you to easily implement rate limiting functionality to control the number of requests your application can handle within a specific time frame.

Features

Supports rate limiting for Express and Fastify frameworks. Provides options for defining custom time rates for rate limiting. Based on the nestjs/throttler project.

Installation

$ npm i --save nestjs-multi-throttler

or

yarn add nestjs-multi-throttler

Table of Contents

Usage

To start using NestJS Multi-Throttler, you need to import the ThrottlerModule into your application module and configure it with your desired rate limit options.

import { Module } from '@nestjs/common';
import { ThrottlerModule } from 'nestjs-multi-throttler';

@Module({
  imports: [
    ThrottlerModule.forRoot({
      limits: [
        { timeUnit: 'second', limit: 10 }, // Example rate limit configuration
        { timeUnit: 'minute', limit: 100 },
        { timeUnit: 'hour', limit: 200 },
        { timeUnit: 'day', limit: 300 },
        { timeUnit: 'week', limit: 1000 },
        { timeUnit: 1200, limit: 150 }, // custom configuration 1200 seconds ie. 20 mins 
      ],
      
      // Below are possible options on how to configure the storage service.

      // default config (host = localhost, port = 6379)
      storage: new ThrottlerStorageRedisService(),

      // connection url
      storage: new ThrottlerStorageRedisService('redis://'),

      // redis object
      storage: new ThrottlerStorageRedisService(new Redis()),

      // redis clusters
      storage: new ThrottlerStorageRedisService(new Redis.Cluster(nodes, options)),


      // connection url
      storage: new ThrottlerStorageMongoService('mongodb://'),

      // MongoDB connection string with connection options
      storage: new ThrottlerStorageMongoService('mongodb://',{
        useNewUrlParser: true,
        useUnifiedTopology: true,
        // Other connection options
        }
      ),

      //In-memory storage option
      storage: new ThrottlerStorageMemoryService(),

    }),
  ],
})
export class AppModule {}

You can customize the rate limits by specifying the timeUnit (e.g., 'second', 'minute', 'hour', 'day', 'week') and the corresponding limit. The package also supports multiple rate limits, allowing you to define different limits for various time units.

Additionally, NestJS Multi-Throttler provides support for different storage options, such as Redis, in-memory storage (default), and MongoDB.

ThrottlerModule

The ThrottleModule is the main entry point for this package, and can be used in a synchronous or asynchronous manner. All the needs to be passed is the ttl, the time to live in seconds for the request tracker, and the limit, or how many times an endpoint can be hit before returning a 429.

import { APP_GUARD } from '@nestjs/core';
import { ThrottlerGuard, ThrottlerModule } from 'nestjs-multi-throttler';

@Module({
  imports: [
    ThrottlerModule.forRoot([
      { timeUnit: 'minute', limit: 5 },
      { timeUnit: 'hour', limit: 50 },
      { timeUnit: 20, limit: 3 }, // 20 seconds
    ]),
  ],
  providers: [
    {
      provide: APP_GUARD,
      useClass: ThrottlerGuard,
    },
  ],
})
export class AppModule {}

The above would mean that 5 requests from the same IP can be made to a single endpoint in 1 minute, along with 50 requests for 1 hour and a custom timelimit of 20 seconds with 3 requests.

@Module({
  imports: [
    ThrottlerModule.forRootAsync({
      imports: [ConfigModule],
      inject: [ConfigService],
      useFactory: (config: ConfigService) => ({
        limits: config.get('THROTTLE_LIMIT'),
      }),
    }),
  ],
  providers: [
    {
      provide: APP_GUARD,
      useClass: ThrottlerGuard,
    },
  ],
})
export class AppModule {}

The above is also a valid configuration for asynchronous registration of the module.

NOTE: If you add the ThrottlerGuard to your AppModule as a global guard then all the incoming requests will be throttled by default. This can also be omitted in favor of @UseGuards(ThrottlerGuard). The global guard check can be skipped using the @SkipThrottle() decorator mentioned later.

Example with @UseGuards(ThrottlerGuard):

// app.module.ts
@Module({
  imports: [ThrottlerModule.forRoot([{ timeUnit: 'minute', limit: 20 }])],
})
export class AppModule {}

// app.controller.ts
@Controller()
export class AppController {
  @UseGuards(ThrottlerGuard)
  @Throttle([
    { timeUnit: 'minute', limit: 20 },
    { timeUnit: 'hour', limit: 100 },
    { timeUnit: 'second', limit: 1 },
  ])
  normal() {}
}

Decorators

@Throttle()

@Throttle([{ timeUnit: 'minute', limit: 20 }])

This decorator will set THROTTLER_LIMIT metadata on the route, for retrieval from the Reflector class. Can be applied to controllers and routes.

@SkipThrottle()

@SkipThrottle(skip = true)

This decorator can be used to skip a route or a class or to negate the skipping of a route in a class that is skipped.

@SkipThrottle()
@Controller()
export class AppController {
  @SkipThrottle(false)
  dontSkip() {}

  doSkip() {}
}

In the above controller, dontSkip would be counted against and rate-limited while doSkip would not be limited in any way.

Ignoring specific user agents

You can use the ignoreUserAgents key to ignore specific user agents.

@Module({
  imports: [
    ThrottlerModule.forRoot({
      [
        { timeUnit: 'minute', limit: 20 },
        { timeUnit: 'hour', limit: 100 },
        { timeUnit: 'day', limit: 200 },
      ]
      ignoreUserAgents: [
        // Don't throttle request that have 'googlebot' defined in them.
        // Example user agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
        /googlebot/gi,

        // Don't throttle request that have 'bingbot' defined in them.
        // Example user agent: Mozilla/5.0 (compatible; Bingbot/2.0; +http://www.bing.com/bingbot.htm)
        new RegExp('bingbot', 'gi'),
      ],
    }),
  ],
})
export class AppModule {}

ThrottlerStorage

Interface to define the methods to handle the details when it comes to keeping track of the requests.

Currently the key is seen as an MD5 hash of the IP, the ClassName, the MethodName and TimeUnit to ensure that no unsafe characters are used and to ensure that the package works for contexts that don't have explicit routes (like Websockets and GraphQL).

The interface looks like this:

export interface ThrottlerStorage {
  storage: Record<string, ThrottlerStorageRecord>;
  increment(key: string, ttl: number): Promise<ThrottlerStorageRecord>;
}

So long as the Storage service implements this interface, it should be usable by the ThrottlerGuard.

Proxies

If you are working behind a proxy, check the specific HTTP adapter options (express and fastify) for the trust proxy option and enable it. Doing so will allow you to get the original IP address from the X-Forward-For header, and you can override the getTracker() method to pull the value from the header rather than from req.ip. The following example works with both express and fastify:

// throttler-behind-proxy.guard.ts
import { ThrottlerGuard } from 'nestjs-multi-throttler';
import { Injectable } from '@nestjs/common';

@Injectable()
export class ThrottlerBehindProxyGuard extends ThrottlerGuard {
  protected getTracker(req: Record<string, any>): string {
    return req.ips.length ? req.ips[0] : req.ip; // individualize IP extraction to meet your own needs
  }
}

// app.controller.ts
import { ThrottlerBehindProxyGuard } from './throttler-behind-proxy.guard';
@UseGuards(ThrottlerBehindProxyGuard)

Working with Websockets

To work with Websockets you can extend the ThrottlerGuard and override the handleRequest method with something like the following method

@Injectable()
export class WsThrottlerGuard extends ThrottlerGuard {
  async handleRequest(context: ExecutionContext, limits: ThrottlerRateLimit[]): Promise<boolean> {
    const client = context.switchToWs().getClient();
    // this is a generic method to switch between `ws` and `socket.io`. You can choose what is appropriate for you
    const ip = ['conn', '_socket']
      .map((key) => client[key])
      .filter((obj) => obj)
      .shift().remoteAddress;
    for (const limit of limits) {
      const key = this.generateKey(context, tracker, limit.timeUnit);
      const { totalHits, timeToExpire } = await this.storageService.increment(
        key,
        this.getTTL(limit.timeUnit) * 1000,
      );

      // Throw an error when the user has reached their limit for the current rate limit
      if (totalHits > limit.limit) {
        throw new ThrottlerException();
      }
    }

    return true;
  }
}

There are some things to take keep in mind when working with websockets:

  • You cannot bind the guard with APP_GUARD or app.useGlobalGuards() due to how Nest binds global guards.
  • When a limit is reached, Nest will emit an exception event, so make sure there is a listener ready for this.

Working with GraphQL

To get the ThrottlerModule to work with the GraphQL context, a couple of things must happen.

  • You must use Express and apollo-server-express as your GraphQL server engine. This is the default for Nest, but the apollo-server-fastify package does not currently support passing res to the context, meaning headers cannot be properly set.
  • When configuring your GraphQLModule, you need to pass an option for context in the form of ({ req, res}) => ({ req, res }). This will allow access to the Express Request and Response objects, allowing for the reading and writing of headers.
  • You must add in some additional context switching to get the ExecutionContext to pass back values correctly (or you can override the method entirely)
@Injectable()
export class GqlThrottlerGuard extends ThrottlerGuard {
  getRequestResponse(context: ExecutionContext) {
    const gqlCtx = GqlExecutionContext.create(context);
    const ctx = gqlCtx.getContext();
    return { req: ctx.req, res: ctx.res }; // ctx.request and ctx.reply for fastify
  }
}

Storage Options

The storage property is used to define the storage option for the rate limiter. There are three options available: Option 1: Redis

@Module({
  imports: [
  ThrottlerModule.forRoot({
  limits: [{ timeUnit: 'minute', limit: 5 }],
  storage: new ThrottlerStorageRedisService(),
  }),
  ],
})

This option uses Redis as the storage for the rate limiter. It requires providing the valid Redis server URL (redis://localhost:6379 in this case).

Option 2: Memory (default)

@Module({
  imports: [
  ThrottlerModule.forRoot({
  limits: [{ timeUnit: 'minute', limit: 5 }],
  storage: new ThrottlerStorageMemoryService(),// -- default
    }),
  ],
})

This option uses in-memory storage for the rate limiter. It is the default option if no storage property is provided.

Option 3: MongoDB

@Module({
  imports: [
    ThrottlerModule.forRoot({
      limits: [{ timeUnit: 'minute', limit: 5 }],
      storage: new ThrottlerStorageMongoService('mongodb://localhost:27017'),
    }),
  ],
})

This option uses MongoDB as the storage for the rate limiter. It requires providing the valid MongoDB server URL (mongodb://localhost:27017 in this case).

Feel free to submit a PR with your custom storage options being added to this list.

License

Nest is MIT licensed.

Acknowledgments

This project was forked from the nestjs/throttler project.