--add: rate limiting

app.js

@@ -15,6 +15,7 @@ const {
 } = require("./config/index");
 const { notFound, sendErrors } = require("./config/errorHandler");
 const { logRequestMiddleware } = require("./middlewares/log");
+const { globalRateLimiter } = require("./config/rateLimit");
 
 const app = express();
 
@@ -32,7 +33,9 @@ module.exports = () => {
 
 	app.use(compression());
 	app.use(helmet());
+	app.set("trust proxy", 1);
 	app.use(cors({ exposedHeaders: "x-auth-token", origin: ALLOWED_ORIGINS }));
+	app.use(globalRateLimiter);
 	app.use(express.static(path.join(__dirname, "public")));
 	app.use(
 		bodyParser.urlencoded({

config/rateLimit.js

@@ -0,0 +1,23 @@
+const rateLimit = require("express-rate-limit");
+
+module.exports.globalRateLimiter = rateLimit({
+	windowMs: 1 * 60 * 1000, // 1 minutes
+	max: 100, // limit each IP to 100 requests per windowMs
+	message: { message: "Too many requests.", error: true, data: null }
+});
+
+module.exports.addTodoRateLimiter = rateLimit({
+	windowMs: 1 * 60 * 1000, // 1 minutes
+	max: 20, // limit each IP to 20 requests per windowMs
+	message: { message: "Temporarily blocked", error: true, data: null }
+});
+
+module.exports.loginRateLimiter = rateLimit({
+	windowMs: 1 * 60 * 60 * 1000, // 1 hours
+	max: 5, // limit each IP to 5 requests per windowMs
+	message: {
+		message: "Too many attempts! Try again in few hours",
+		error: true,
+		data: null
+	}
+});

package.json

@@ -61,6 +61,7 @@
 		"dotenv": "^8.1.0",
 		"ejs": "^3.0.1",
 		"express": "^4.17.1",
+		"express-rate-limit": "^5.2.6",
 		"helmet": "^3.21.3",
 		"jsonwebtoken": "^8.5.1",
 		"kue": "^0.11.6",

routes/api/v1/todos.js

@@ -10,9 +10,15 @@ const {
 } = require("../../../controllers/todos_controller");
 const { catchErrors } = require("../../../config/errorHandler");
 const { allAuth } = require("../../../middlewares/auth");
+const { addTodoRateLimiter } = require("../../../config/rateLimit");
 
 router.get("/", catchErrors(allAuth), catchErrors(getTodos));
-router.post("/", catchErrors(allAuth), catchErrors(addTodo));
+router.post(
+	"/",
+	addTodoRateLimiter,
+	catchErrors(allAuth),
+	catchErrors(addTodo)
+);
 router.put("/:tid", catchErrors(allAuth), catchErrors(updateTodo));
 router.delete("/all", catchErrors(allAuth), catchErrors(deleteAllTodos));
 router.delete("/:tid", catchErrors(allAuth), catchErrors(deleteTodo));

routes/api/v1/users.js

@@ -36,6 +36,7 @@ const {
 	csvFileFilter
 } = require("../../../middlewares/imageValidations");
 const { getArrayFromCsv } = require("../../../middlewares/convertToJson");
+const { loginRateLimiter } = require("../../../config/rateLimit");
 
 // routes
 router.get("/", catchErrors(allAuth), catchErrors(users));
@@ -62,20 +63,27 @@ router.put(
 	catchErrors(userUpdate)
 );
 router.delete("/:uid", catchErrors(coreAuth), catchErrors(deleteUser));
-router.post("/login", catchErrors(login));
+router.post("/login", loginRateLimiter, catchErrors(login));
 router.get("/profile", catchErrors(allAuth), catchErrors(profile));
 router.post(
 	"/profile",
+	loginRateLimiter,
 	catchErrors(allAuth),
 	multer.any(),
 	profileUpdateValidation,
 	fileFilter,
 	catchErrors(updateProfile)
 );
-router.post("/forgot-pwd", emailValidation, catchErrors(forgotPassword));
-router.post("/reset-pwd", catchErrors(resetPassword));
+router.post(
+	"/forgot-pwd",
+	loginRateLimiter,
+	emailValidation,
+	catchErrors(forgotPassword)
+);
+router.post("/reset-pwd", loginRateLimiter, catchErrors(resetPassword));
 router.post(
 	"/change-pwd",
+	loginRateLimiter,
 	catchErrors(allAuth),
 	catchErrors(changePasswordValidation),
 	catchErrors(changePassword)