Merge pull request #999 from kriswest/997-rate-limiter-config

feat: rate limiter config

Author: JamieSlome

config.schema.json

@@ -24,6 +24,30 @@
       "description": "Provide domains to use alternative to the defaults",
       "type": "object"
     },
+    "rateLimit": {
+      "description": "API Rate limiting configuration.",
+      "type": "object",
+      "properties": {
+        "windowMs": { 
+          "type": "number",
+          "description": "How long to remember requests for, in milliseconds (default 10 mins)."
+        },
+        "limit": {
+          "type": "number",
+          "description": "How many requests to allow (default 150)."
+        },
+        "statusCode": {
+          "type": "number",
+          "description": "HTTP status code after limit is reached (default is 429)."
+        },
+        "message": {
+          "type": "string",
+          "description": "Response to return after limit is reached."
+        }
+      },
+      "required": ["windowMs", "limit"],
+      "additionalProperties": false
+    },
     "privateOrganizations": {
       "description": "Pattern searches for listed private organizations are disabled",
       "type": "array"

proxy.config.json

@@ -2,6 +2,10 @@
   "proxyUrl": "https://github.com",
   "cookieSecret": "cookie secret",
   "sessionMaxAgeHours": 12,
+  "rateLimit": {
+    "windowMs": 60000,
+    "limit": 150
+  },
   "tempPassword": {
     "sendEmail": false,
     "emailConfig": {}

src/config/index.ts

@@ -6,6 +6,7 @@ import {
   Authentication,
   AuthorisedRepo,
   Database,
+  RateLimitConfig,
   TempPasswordConfig,
   UserSettings,
 } from './types';
@@ -30,6 +31,8 @@ let _urlShortener: string = defaultSettings.urlShortener;
 let _contactEmail: string = defaultSettings.contactEmail;
 let _csrfProtection: boolean = defaultSettings.csrfProtection;
 let _domains: Record<string, unknown> = defaultSettings.domains;
+let _rateLimit: RateLimitConfig = defaultSettings.rateLimit;
+
 // These are not always present in the default config file, so casting is required
 let _tlsEnabled = defaultSettings.tls.enabled;
 let _tlsKeyPemPath = defaultSettings.tls.key;
@@ -99,6 +102,7 @@ export const logConfiguration = () => {
   console.log(`authorisedList = ${JSON.stringify(getAuthorisedList())}`);
   console.log(`data sink = ${JSON.stringify(getDatabase())}`);
   console.log(`authentication = ${JSON.stringify(getAuthentication())}`);
+  console.log(`rateLimit = ${JSON.stringify(getRateLimit())}`);
 };
 
 export const getAPIs = () => {
@@ -217,3 +221,10 @@ export const getDomains = () => {
   }
   return _domains;
 };
+
+export const getRateLimit = () => {
+  if (_userSettings && _userSettings.rateLimit) {
+    _rateLimit = _userSettings.rateLimit;
+  }
+  return _rateLimit;
+};

src/config/types.ts

@@ -1,3 +1,5 @@
+import { Options as RateLimitOptions } from 'express-rate-limit';
+
 export interface UserSettings {
   authorisedList: AuthorisedRepo[];
   sink: Database[];
@@ -18,6 +20,7 @@ export interface UserSettings {
   contactEmail: string;
   csrfProtection: boolean;
   domains: Record<string, unknown>;
+  rateLimit: RateLimitConfig;
 }
 
 export interface TLSConfig {
@@ -50,3 +53,7 @@ export interface TempPasswordConfig {
   sendEmail: boolean;
   emailConfig: Record<string, unknown>;
 }
+
+export type RateLimitConfig = Partial<
+  Pick<RateLimitOptions, 'windowMs' | 'limit' | 'message' | 'statusCode'>
+>;

src/service/index.js

@@ -9,10 +9,7 @@ const db = require('../db');
 const rateLimit = require('express-rate-limit');
 const lusca = require('lusca');
 
-const limiter = rateLimit({
-  windowMs: 15 * 60 * 1000, // 15 minutes
-  max: 100, // limit each IP to 100 requests per windowMs
-});
+const limiter = rateLimit(config.getRateLimit());
 
 const { GIT_PROXY_UI_PORT: uiPort } = require('../config/env').serverConfig;
 

test/testConfig.test.js

@@ -16,6 +16,7 @@ describe('default configuration', function () {
     expect(config.getDatabase()).to.be.eql(defaultSettings.sink[0]);
     expect(config.getTempPasswordConfig()).to.be.eql(defaultSettings.tempPassword);
     expect(config.getAuthorisedList()).to.be.eql(defaultSettings.authorisedList);
+    expect(config.getRateLimit()).to.be.eql(defaultSettings.rateLimit);
     expect(config.getTLSKeyPemPath()).to.be.eql(defaultSettings.tls.key);
     expect(config.getTLSCertPemPath()).to.be.eql(defaultSettings.tls.cert);
   });
@@ -107,6 +108,21 @@ describe('user configuration', function () {
     expect(config.getTLSCertPemPath()).to.be.eql(user.tls.cert);
   });
 
+  it('should override default settings for rate limiting', function () {
+    const limitConfig = {
+      rateLimit: {
+        windowMs: 60000,
+        limit: 1500,
+      },
+    };
+    fs.writeFileSync(tempUserFile, JSON.stringify(limitConfig));
+
+    const config = require('../src/config');
+
+    expect(config.getRateLimit().windowMs).to.be.eql(limitConfig.rateLimit.windowMs);
+    expect(config.getRateLimit().limit).to.be.eql(limitConfig.rateLimit.limit);
+  });
+
   afterEach(function () {
     fs.rmSync(tempUserFile);
     fs.rmdirSync(tempDir);