A progressive Node.js framework for building efficient and scalable server-side applications.
A Rate-Limiter for NestJS, regardless of the context.
For an overview of the community storage providers, see Community Storage Providers.
This package comes with a couple of goodies that should be mentioned, first is the ThrottlerModule
.
The ThrottleModule
is the main entry point for this package, and can be used
in a synchronous or asynchronous manner. All the needs to be passed is the
ttl
, the time to live in seconds for the request tracker, and the limit
, or
how many times an endpoint can be hit before returning a 429.
import { APP_GUARD } from '@nestjs/core';
import { ThrottlerGuard, ThrottlerModule } from '@nestjs/throttler';
@Module({
imports: [
ThrottlerModule.forRoot({
ttl: 60,
limit: 10,
}),
],
providers: [
{
provide: APP_GUARD,
useClass: ThrottlerGuard,
},
],
})
export class AppModule {}
The above would mean that 10 requests from the same IP can be made to a single endpoint in 1 minute.
@Module({
imports: [
ThrottlerModule.forRootAsync({
imports: [ConfigModule],
inject: [ConfigService],
useFactory: (config: ConfigService) => ({
ttl: config.get('THROTTLE_TTL'),
limit: config.get('THROTTLE_LIMIT'),
}),
}),
],
providers: [
{
provide: APP_GUARD,
useClass: ThrottlerGuard,
},
],
})
export class AppModule {}
The above is also a valid configuration for asynchronous registration of the module.
NOTE: If you add the ThrottlerGuard
to your AppModule
as a global guard
then all the incoming requests will be throttled by default. This can also be
omitted in favor of @UseGuards(ThrottlerGuard)
. The global guard check can be
skipped using the @SkipThrottle()
decorator mentioned later.
Example with @UseGuards(ThrottlerGuard)
:
// app.module.ts
@Module({
imports: [
ThrottlerModule.forRoot({
ttl: 60,
limit: 10,
}),
],
})
export class AppModule {}
// app.controller.ts
@Controller()
export class AppController {
@UseGuards(ThrottlerGuard)
@Throttle(5, 30)
normal() {}
}
@Throttle(limit: number = 30, ttl: number = 60)
This decorator will set THROTTLER_LIMIT and THROTTLER_TTL metadatas on the
route, for retrieval from the Reflector
class. Can be applied to controllers
and routes.
@SkipThrottle(skip = true)
This decorator can be used to skip a route or a class or to negate the skipping of a route in a class that is skipped.
@SkipThrottle()
@Controller()
export class AppController {
@SkipThrottle(false)
dontSkip() {}
doSkip() {}
}
In the above controller, dontSkip
would be counted against and rate-limited
while doSkip
would not be limited in any way.
You can use the ignoreUserAgents
key to ignore specific user agents.
@Module({
imports: [
ThrottlerModule.forRoot({
ttl: 60,
limit: 10,
ignoreUserAgents: [
// Don't throttle request that have 'googlebot' defined in them.
// Example user agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
/googlebot/gi,
// Don't throttle request that have 'bingbot' defined in them.
// Example user agent: Mozilla/5.0 (compatible; Bingbot/2.0; +http://www.bing.com/bingbot.htm)
new RegExp('bingbot', 'gi'),
],
}),
],
})
export class AppModule {}
Interface to define the methods to handle the details when it comes to keeping track of the requests.
Currently the key is seen as an MD5
hash of the IP
the ClassName
and the
MethodName
, to ensure that no unsafe characters are used and to ensure that
the package works for contexts that don't have explicit routes (like Websockets
and GraphQL).
The interface looks like this:
export interface ThrottlerStorage {
getRecord(key: string): Promise<number[]>;
addRecord(key: string, ttl: number): Promise<void>;
}
So long as the Storage service implements this interface, it should be usable by the ThrottlerGuard
.
If you are working behind a proxy, check the specific HTTP adapter options (express and fastify) for the trust proxy
option and enable it. Doing so will allow you to get the original IP address from the X-Forward-For
header, and you can override the getTracker()
method to pull the value from the header rather than from req.ip
To work with Websockets you can extend the ThrottlerGuard
and override the handleRequest
method with something like the following method
@Injectable()
export class WsThrottlerGuard extends ThrottlerGuard {
async handleRequest(context: ExecutionContext, limit: number, ttl: number): Promise<boolean> {
const client = context.switchToWs().getClient();
// this is a generic method to switch between `ws` and `socket.io`. You can choose what is appropriate for you
const ip = ['conn', '_socket']
.map((key) => client[key])
.filter((obj) => obj)
.shift().remoteAddress;
const key = this.generateKey(context, ip);
const ttls = await this.storageService.getRecord(key);
if (ttls.length >= limit) {
throw new ThrottlerException();
}
await this.storageService.addRecord(key, ttl);
return true;
}
}
There are some things to take keep in mind when working with websockets:
- You cannot bind the guard with
APP_GUARD
orapp.useGlobalGuards()
due to how Nest binds global guards. - When a limit is reached, Nest will emit an
exception
event, so make sure there is a listener ready for this.
To get the ThrottlerModule
to work with the GraphQL context, a couple of things must happen.
- You must use
Express
andapollo-server-express
as your GraphQL server engine. This is the default for Nest, but theapollo-server-fastify
package does not currently support passingres
to thecontext
, meaning headers cannot be properly set. - When configuring your
GraphQLModule
, you need to pass an option forcontext
in the form of({ req, res}) => ({ req, res })
. This will allow access to the Express Request and Response objects, allowing for the reading and writing of headers. - You must add in some additional context switching to get the
ExecutionContext
to pass back values correctly (or you can override the method entirely)
@Injectable()
export class GqlThrottlerGuard extends ThrottlerGuard {
getRequestResponse(context: ExecutionContext) {
const gqlCtx = GqlExecutionContext.create(context);
const ctx = gqlCtx.getContext();
return { req, ctx.req, res: ctx.res }; // ctx.request and ctx.reply for fastify
}
}
Feel free to submit a PR with your custom storage provider being added to this list.