Merge pull request #6 from agbilotia1998/master

Adds throttling and corresponding tests

Author: michalmikolajczyk

.env.sample

@@ -3,5 +3,5 @@ BACK_END_URL="http://localhost:3000"
 PORT="4000"
 EXPIRE_IN_SECONDS=15
 REQUEST_LIMIT=99
-# LIMIT_BY_IP=0
+LIMIT_BY_IP=0
 REDIS_URL="redis://host.docker.internal:6379"

package-lock.json

@@ -27,9 +27,12 @@
     "express": "^4.16.2",
     "express-http-proxy": "^1.5.0",
     "express-limiter": "^1.6.1",
+    "express-rate-limit": "^3.3.2",
+    "express-slow-down": "^1.3.1",
     "helmet": "^3.12.0",
     "nodemon": "^1.18.9",
     "prom-client": "^11.2.0",
+    "rate-limit-redis": "^1.6.0",
     "redis": "^2.8.0",
     "response-time": "^2.3.2"
   },

package.json

@@ -6,6 +6,12 @@ const http = require('http');
 const proxy = require('express-http-proxy');
 const redis = require('redis');
 const Prometheus = require('./prometheus');
+const RateLimit = require('express-rate-limit');
+const RedisStore = require('rate-limit-redis');
+const slowDown = require('express-slow-down');
+
+const redisServer = process.env.REDIS_URL || '';
+const client = redis.createClient(redisServer);
 
 app.use(helmet({
   hsts: false,
@@ -30,21 +36,50 @@ app.use((req, res, next) => {
   next();
 });
 
-const redisServer = process.env.REDIS_URL || '';
-const client = redis.createClient(redisServer);
-const limiter = require('express-limiter')(app, client);
-
 const expireInSeconds = process.env.EXPIRE_IN_SECONDS || 15;
 const requestLimit = process.env.REQUEST_LIMIT || 99;
-const limitByIP = process.env.LIMIT_BY_IP ? 'connection.remoteAddress' : 'hostname';
-limiter({
-  path: '*',
-  method: 'all',
-  lookup: limitByIP,
-  total: requestLimit,
-  expire: 1000 * expireInSeconds,
+const delayTimeInSeconds = process.env.DELAY_IN_SECONDS || 0.5;
+const limitByIP = process.env.LIMIT_BY_IP || 1;
+
+const redisKeyGenerator = function keyGenerator(req) {
+  if (parseInt(limitByIP, 10) === 1) {
+    return req.ip;
+  }
+
+  return 'ALL_IPS';
+};
+
+const speedLimiter = slowDown({
+  keyGenerator: redisKeyGenerator,
+  store: new RedisStore({
+    client,
+    // setting prefix to avoid collision between delaying and rate limiting requests
+    prefix: 'sd: ',
+    expiry: expireInSeconds,
+  }),
+  windowMs: 1000 * expireInSeconds,
+  // allow specified requests per window time
+  delayAfter: requestLimit,
+  // begin adding specified delay time per request above maximum limit:
+  delayMs: 1000 * delayTimeInSeconds,
 });
 
+const rateLimiter = new RateLimit({
+  keyGenerator: redisKeyGenerator,
+  store: new RedisStore({
+    client,
+    // setting prefix to avoid collision between delaying and rate limiting requests
+    prefix: 'rl: ',
+    expiry: expireInSeconds,
+  }),
+  // setting window size in ms(eg: 2000)
+  windowMs: 1000 * expireInSeconds,
+  // limit each IP to specified requests per windowMs (e.g: 1)
+  max: requestLimit,
+});
+
+app.use(speedLimiter);
+app.use(rateLimiter);
 const target = process.env.BACK_END_URL || 'http://localhost:3000';
 const port = 4000 || process.env.PORT;
 app.use('/', proxy(target)).listen(port, () => {
@@ -62,3 +97,4 @@ if (!process.env.BACK_END_URL) {
     res.end();
   }).listen(3000);
 }
+

src/server.js

@@ -1,14 +1,41 @@
 const chai = require('chai');
 const chaiHttp = require('chai-http');
-require('../../src/server');
-
 const { expect } = chai;
 chai.use(chaiHttp);
 const remoteServer = 'http://127.0.0.1';
 const port = process.env.PORT || 4000;
+process.env.DELAY_IN_SECONDS = 1.6;
+process.env.EXPIRE_IN_SECONDS = 3;
+process.env.REQUEST_LIMIT = 1;
+process.env.BACK_END_URL = '';
+require('../../src/server');
 
 describe('reli-proxy', function module1() {
   this.timeout(10000);
+  /*
+  * Test the throttling
+  */
+  describe('/Testing the throttling of requests', () => {
+    it('it should rate limit second request', (done) => {
+      setTimeout(() => {
+        let requester = chai.request(`${remoteServer}:${port}`).keepOpen();
+        Promise.all([
+          requester.get('/test'),
+          requester.get('/test'),
+          requester.get('/test')
+        ]).then(responses => {
+          expect(responses[0].status).to.eql(200);
+          expect(responses[0].text).to.include('Response from back-end!');
+          // Rate limit exceeds but request is queued, since the window size is 3 seconds the request still fails
+          expect(responses[1].status).to.eql(429);
+          // Rate limit exceeds but request is queued, since the window size is 3 seconds and delay induced is 1.6*2 = 3.2 seconds the request is completed successfully
+          expect(responses[2].status).to.eql(200); expect(responses[0].text).to.include('Response from back-end!');
+          done();
+        }).then(requester.close());
+      }, 50);
+    });
+  });
+
   /*
   * Test the proxy
   */
@@ -22,7 +49,7 @@ describe('reli-proxy', function module1() {
             expect(res.text).to.include('Response from back-end!');
             done();
           });
-      }, 50);
+      }, 3000);
     });
   });