
This past week I've been fixing issues with the Simply Auth project, now on Heroku: https://simplyauth.herokuapp.com/
I will add a rate-limiting feature to cap login attempts (5 per 15 minutes, as configured below) and call it a day with this project. Rate limiting blunts brute-force attacks: a client at one IP address no longer gets an unlimited number of login attempts against the login form.
It also makes an app more credible, since limiting requests is a security precaution that protects genuine users, whose accounts are otherwise exposed to unlimited guessing.
In this project the idea is to rate limit login POST requests from a specific IP address to 5 attempts per 15 minutes, so I used the express-rate-limit package.
This package is a rate-limiting middleware for Express, found at: https://www.npmjs.com/package/express-rate-limit
I was too bogged down building other features of the API, so I wanted to keep this simple and effective:
Console code (install the package, then wire the limiters up in app.js):

```javascript
// in the console: npm install --save express-rate-limit

const express = require('express');
const rateLimit = require('express-rate-limit');

const app = express();

// rate limiter: 5 login requests per 15 minutes
// (limit each IP to `max` requests per `windowMs`)
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 5,
  message: "Too many login attempts from this IP, please try again after some time"
});

// rate limiter: 5 registration requests per 15 minutes
// (limit each IP to `max` requests per `windowMs`)
const createAccountLimiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 5,
  message: "Too many registration attempts from this IP, please try again after some time"
});

// apply rate limiter to all requests
// app.use(limiter);

// rate limiting for the login route
// (app.use matches every method on the path; use app.post('/users/login', limiter, handler)
// if only the POST should count against the limit)
app.use('/users/login', limiter);

// rate limiting for the registration route
app.use('/users/register', createAccountLimiter);
```
- To use it behind a reverse proxy (for example when the app is deployed on Heroku, whose router sits in front of the dyno), tell Express how many proxy hops to trust in app.js; otherwise every request appears to come from the proxy's own address and all users share one 5-attempt budget:
app.set('trust proxy', 1);
The setting is named 'trust proxy' (with a space, not a hyphen). Trust only the hops you actually control: with app.set('trust proxy', true) Express takes the leftmost X-Forwarded-For entry as the client address, and since the client can put anything there, an attacker can present a fresh "IP" on every request and never hit the limit. One hop is right for Heroku's router.
NOTE: According to a Stack Overflow post you can also apply a per-account rate limit, for instance 100 requests per minute per user. In express-rate-limit that is the keyGenerator option: it replaces the client IP with whatever key you return (for example the submitted username), so a budget is spent per account rather than per address.
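To make the two points above concrete (what the IP-keyed window actually does, and why the 'trust proxy' hop count decides whether the key is attacker-controlled), here is an added example in plain Node with no dependencies. It is not code from the post or from express-rate-limit; it reimplements the same fixed-window counting and the same hop selection Express applies for a numeric 'trust proxy' value (hop 0 is the TCP peer, hop 1 the rightmost X-Forwarded-For entry, Infinity stands for trusting everything). The router, attacker and user addresses, the request shapes and the username field are all constructed for the example.

```javascript
'use strict';

// Fixed-window counter per key, the scheme express-rate-limit style
// middleware uses: `max` hits per `windowMs`, then reject until the reset.
class FixedWindowLimiter {
  constructor({ windowMs, max }) {
    this.windowMs = windowMs;
    this.max = max;
    this.hits = new Map(); // key -> { count, resetAt }
  }

  // Count one request for `key` at time `now` (ms). Returns whether it is
  // allowed and, when blocked, how long until the window resets.
  hit(key, now) {
    let entry = this.hits.get(key);
    if (!entry || now >= entry.resetAt) {
      entry = { count: 0, resetAt: now + this.windowMs };
      this.hits.set(key, entry);
    }
    entry.count += 1;
    const allowed = entry.count <= this.max;
    return { allowed, retryAfterMs: allowed ? 0 : entry.resetAt - now };
  }
}

// Resolve the client address for a numeric `trust proxy` value: hop 0 is
// the TCP peer, hop 1 the rightmost X-Forwarded-For entry, and so on.
// Everything left of the trusted hops is text the client chose, so trusting
// too many hops lets the client pick its own rate-limit key.
function clientIp(socketIp, xForwardedFor, trustedHops) {
  const forwarded = (xForwardedFor || '').split(',').map((s) => s.trim()).filter(Boolean);
  const hops = [socketIp, ...forwarded.reverse()];
  return hops[Math.min(trustedHops, hops.length - 1)];
}

// Push constructed login requests through an IP-keyed limiter (5 per 15 min)
// and report which were allowed. Each request carries the TCP peer address,
// the X-Forwarded-For header as received, and a timestamp.
function simulate(requests, trustedHops) {
  const limiter = new FixedWindowLimiter({ windowMs: 15 * 60 * 1000, max: 5 });
  return requests.map((r) => limiter.hit(clientIp(r.socketIp, r.xff, trustedHops), r.at).allowed);
}

const ROUTER = '10.1.2.3';        // constructed: the platform's reverse proxy
const ATTACKER = '203.0.113.9';   // constructed: the attacker's real address
const GENUINE_USER = '198.51.100.7'; // constructed: an innocent user
const T0 = 1700000000000;         // constructed start time (ms)

// 1. One client, 7 attempts inside a window, then one after the reset.
function demoWindow() {
  const reqs = Array.from({ length: 7 }, (_, i) => ({ socketIp: ROUTER, xff: ATTACKER, at: T0 + i * 1000 }));
  reqs.push({ socketIp: ROUTER, xff: ATTACKER, at: T0 + (15 * 60 + 1) * 1000 });
  return simulate(reqs, 1);
}

// 2. Behind the router, the attacker prepends a fresh forged address to
// X-Forwarded-For on every request; the router then appends the real one.
// Returns how many of 20 attempts got through for a given trust setting.
function demoSpoofing(trustedHops) {
  const reqs = Array.from({ length: 20 }, (_, i) => ({
    socketIp: ROUTER,
    xff: `192.0.2.${i}, ${ATTACKER}`, // forged entry, then the router's real entry
    at: T0 + i * 1000,
  }));
  return simulate(reqs, trustedHops).filter(Boolean).length;
}

// 3. With `trust proxy` off behind a proxy, every client shares the proxy's
// address as its key, so the attacker's 5 failures lock out a genuine user.
function demoSharedKey() {
  const reqs = Array.from({ length: 5 }, (_, i) => ({ socketIp: ROUTER, xff: ATTACKER, at: T0 + i }));
  reqs.push({ socketIp: ROUTER, xff: GENUINE_USER, at: T0 + 10 });
  return simulate(reqs, 0)[reqs.length - 1]; // the genuine user's first try
}

// Per-account key (the note above): one budget per username rather than per
// address, so spreading attempts over many IPs does not help against one
// account. `req.body.username` is a constructed field name.
function accountKey(req) {
  return `user:${String(req.body.username || '').trim().toLowerCase()}`;
}

console.log('window:', demoWindow());
console.log('allowed of 20 with trust proxy = 1:', demoSpoofing(1));
console.log('allowed of 20 with trust proxy = true:', demoSpoofing(Infinity));
console.log('genuine user allowed with trust proxy off:', demoSharedKey());
console.log('account key:', accountKey({ body: { username: ' Alice ' } }));
```

With one trusted hop the attacker is pinned to the address the router recorded and is cut off after 5 attempts; trust everything and all 20 forged addresses get their own budget; trust nothing behind a proxy and the attacker's lockout lands on everyone sharing the router's address. Keying on the account instead (accountKey) is the complement to the IP limit, not a replacement: each closes a gap the other leaves open.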