Following the warning shown when the project starts, I suggest using the solution it proposes itself.
In theory, the problem is that req.ip returns only an IPv4 IP; if a user connects with an IPv6 address then the rate limiter doesn't work and the user can connect to the API without limits. A key generated by ipKeyGenerator from "express-rate-limit" should be safer.
In fact, the docs of ipKeyGenerator say:
If you write a custom keyGenerator that allows a fallback to IP address for unauthenticated users, return ipKeyGenerator(req.ip) rather than just req.ip
The signature of ipKeyGenerator is: export declare function ipKeyGenerator(ip: string, ipv6Subnet?: number | false): string;
As you see, two arguments, only the first required. The best solution would be if ipv6Subnet is also provided; at this very moment I don't have the conditions to verify and test it.
Now I show how to fix it to eliminate the warning and increase the security of the solution; however, it can still be improved by providing ipv6Subnet when possible.
Suggested changes:
File: src/common/middleware/rateLimiter.ts:2
Before: import { rateLimit } from "express-rate-limit";
After: import { ipKeyGenerator, rateLimit } from "express-rate-limit";
File: src/common/middleware/rateLimiter.ts:12
Before: keyGenerator: (req: Request) => req.ip as string,
After: keyGenerator: (req: Request) => ipKeyGenerator(req.ip as string),
src/common/middleware/rateLimiter.ts after changes:
import type { Request } from "express";
import { ipKeyGenerator, rateLimit } from "express-rate-limit";
import { env } from "@/common/utils/envConfig";
const rateLimiter = rateLimit({
  legacyHeaders: true,
  limit: env.COMMON_RATE_LIMIT_MAX_REQUESTS,
  message: "Too many requests, please try again later.",
  standardHeaders: true,
  windowMs: 15 * 60 * env.COMMON_RATE_LIMIT_WINDOW_MS,
  keyGenerator: (req: Request) => ipKeyGenerator(req.ip as string),
});
export default rateLimiter;
Summary
In my case I don't see the warning in the console anymore.
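As an added example (not code from the project or from express-rate-limit), the following self-contained TypeScript shows what the ipv6Subnet argument discussed above buys: an IPv6 client normally holds a whole /64 or larger block, so keying on the exact address gives it a fresh rate-limit bucket per address, while keying on a prefix puts the whole block in one bucket. The function names and the /56 default are assumptions made for this illustration.

```typescript
// Added example, not the project's or the library's code. Mimics the idea of
// ipKeyGenerator(ip, ipv6Subnet): IPv4 keys on the full address, IPv6 keys on a
// prefix (assumed default /56 here). Names below are hypothetical.

function ipv6ToBigInt(ip: string): bigint {
  const halves = ip.split("::");
  if (halves.length > 2) throw new Error(`invalid IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  // "::" must stand for at least one zero group; the uncompressed form needs all 8
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error(`invalid IPv6 address: ${ip}`);
  }
  const groups = [...head, ...new Array<string>(missing).fill("0"), ...tail];
  return groups.reduce((acc, g) => {
    if (!/^[0-9a-f]{1,4}$/i.test(g)) throw new Error(`invalid IPv6 address: ${ip}`);
    return (acc << BigInt(16)) | BigInt(parseInt(g, 16));
  }, BigInt(0));
}

function bigIntToIpv6(value: bigint): string {
  const groups: string[] = [];
  for (let i = 7; i >= 0; i--) {
    groups.push(((value >> BigInt(i * 16)) & BigInt(0xffff)).toString(16));
  }
  return groups.join(":");
}

// Rate-limit key for one client address. IPv4-mapped IPv6 (what a dual-stack
// socket reports for IPv4 clients) is keyed on the embedded IPv4 address.
function rateLimitKey(ip: string, ipv6Subnet: number | false = 56): string {
  const mapped = ip.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/i);
  if (mapped) return mapped[1];
  if (!ip.includes(":") || ipv6Subnet === false) return ip;
  if (!Number.isInteger(ipv6Subnet) || ipv6Subnet < 0 || ipv6Subnet > 128) {
    throw new RangeError(`ipv6Subnet must be 0..128, got ${ipv6Subnet}`);
  }
  // Keep the top ipv6Subnet bits, zero the rest, and report the prefix length.
  const mask = ((BigInt(1) << BigInt(ipv6Subnet)) - BigInt(1)) << BigInt(128 - ipv6Subnet);
  return `${bigIntToIpv6(ipv6ToBigInt(ip) & mask)}/${ipv6Subnet}`;
}

// Number of separate rate-limit buckets a set of client addresses would get.
function bucketCount(ips: string[], ipv6Subnet: number | false = 56): number {
  return new Set(ips.map((ip) => rateLimitKey(ip, ipv6Subnet))).size;
}

// Constructed sample: three addresses from one documentation-range /64 block.
const sameBlockClients = ["2001:db8:abcd:1234::1", "2001:db8:abcd:1234::2", "2001:db8:abcd:1234:ffff::3"];
```

With the prefix key the three sample addresses share one bucket; with ipv6Subnet set to false each address gets its own.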