API rate limit middleware integration

Author: giuseppealbrizio

package-lock.json

@@ -72,6 +72,7 @@
     "dotenv": "^16.0.3",
     "express": "^4.18.2",
     "express-mongo-sanitize": "^2.2.0",
+    "express-rate-limit": "^6.7.0",
     "express-session": "^1.17.3",
     "firebase-admin": "^11.5.0",
     "helmet": "^6.0.1",

package.json

@@ -1,5 +1,9 @@
 import express from 'express';
 import passport from '../../../config/passport.config';
+import {
+  recoverPasswordApiLimiter,
+  resetPasswordApiLimiter,
+} from '../../../middlewares/apiRateLimit.middleware';
 import catchAsyncHandler from '../../../middlewares/catchAsyncHandler.middleware';
 import {requireAuthenticationMiddleware} from '../../../middlewares/requireAuthentication.middleware';
 
@@ -18,8 +22,16 @@ const authRouter = express.Router();
 authRouter.post('/signup', catchAsyncHandler(signup));
 authRouter.post('/login', catchAsyncHandler(login));
 authRouter.post('/logout', catchAsyncHandler(logout));
-authRouter.post('/recover-password', catchAsyncHandler(recoverPassword));
-authRouter.post('/reset-password', catchAsyncHandler(resetPassword));
+authRouter.post(
+  '/recover-password',
+  recoverPasswordApiLimiter,
+  catchAsyncHandler(recoverPassword)
+);
+authRouter.post(
+  '/reset-password',
+  resetPasswordApiLimiter,
+  catchAsyncHandler(resetPassword)
+);
 authRouter.get(
   '/me',
   requireAuthenticationMiddleware,

src/api/v1/auth/auth.route.ts

@@ -1,10 +1,17 @@
 import express, {Response} from 'express';
 import _ from 'lodash';
 import {ICustomExpressRequest} from '../../middlewares/currentUser.middleware';
+
 import appRouter from './app/app.route';
+import authRouter from './auth/auth.route';
+
 import swaggerRouter from './swagger/swagger.route';
 import typedocRouter from './typedoc/typedoc.route';
-import authRouter from './auth/auth.route';
+
+import {
+  apiV1RateLimiter,
+  devlopmentApiLimiter,
+} from '../../middlewares/apiRateLimit.middleware';
 
 const apiV1Router = express.Router();
 
@@ -38,11 +45,13 @@ const devRoutes = [
 ];
 
 _.forEach(defaultRoutes, route => {
+  apiV1Router.use(apiV1RateLimiter);
   apiV1Router.use(route.path, route.route);
 });
 
 if (process.env.NODE_ENV === 'development') {
   _.forEach(devRoutes, route => {
+    apiV1Router.use(devlopmentApiLimiter);
     apiV1Router.use(route.path, route.route);
   });
 }

src/api/v1/index.route.ts

@@ -0,0 +1,79 @@
+import {Response} from 'express';
+import rateLimit from 'express-rate-limit';
+import {ICustomExpressRequest} from './currentUser.middleware';
+
+/**
+ * Rate limiter for api v1
+ * @see https://www.npmjs.com/package/express-rate-limit
+ * @description 1000 requests per 1 minute for production
+ */
+const apiV1RateLimiter = rateLimit({
+  windowMs: 1 * 60 * 1000, // 1 minute
+  max: 200, // Limit each IP to 200 requests per `window` (here, per 1 minute)
+  standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+  legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+  message: async (req: ICustomExpressRequest, res: Response) => {
+    return res.status(429).json({
+      status: 'error',
+      message: 'You have exceeded the 100 requests in 1 minute limit!',
+    });
+  },
+});
+
+/**
+ * Rate limiter for development route as typedoc and swagger
+ * @description 1000 requests per 1 hour for development
+ */
+const devlopmentApiLimiter = rateLimit({
+  windowMs: 60 * 60 * 1000, // 59 minute
+  max: 1000, // Limit each IP to 1000 requests per `window` (here, per 1 hour)
+  standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+  legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+  message: async (req: ICustomExpressRequest, res: Response) => {
+    return res.status(429).json({
+      status: 'error',
+      message: 'Too many requests, please try again in 10 minutes.',
+    });
+  },
+});
+
+/**
+ * Rate limiter for recover password
+ */
+const recoverPasswordApiLimiter = rateLimit({
+  windowMs: 1 * 60 * 1000, // 5 minute
+  max: 1, // Limit each IP to 1020 requests per `window` (here, per 1 minute)
+  standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+  legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+  message: async (req: ICustomExpressRequest, res: Response) => {
+    return res.status(429).json({
+      status: 'error',
+      message:
+        'Too many requests to recover password, please try again in 1 minute.',
+    });
+  },
+});
+
+/**
+ * Rate limiter for reset password
+ */
+const resetPasswordApiLimiter = rateLimit({
+  windowMs: 1 * 60 * 1000, // 1 minute
+  max: 10, // Limit each IP to 10 requests per `window` (here, per 1 minute)
+  standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+  legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+  message: async (req: ICustomExpressRequest, res: Response) => {
+    return res.status(429).json({
+      status: 'error',
+      message:
+        'Too many requests to reset password, please try again in 1 minute.',
+    });
+  },
+});
+
+export {
+  apiV1RateLimiter,
+  devlopmentApiLimiter,
+  recoverPasswordApiLimiter,
+  resetPasswordApiLimiter,
+};