Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use redis for express rate limiting #2075

Open
halfwhole opened this issue Nov 11, 2022 · 0 comments
Open

Use redis for express rate limiting #2075

halfwhole opened this issue Nov 11, 2022 · 0 comments

Comments

@halfwhole
Copy link
Collaborator

halfwhole commented Nov 11, 2022

Describe the bug

Currently, Go uses the library express-rate-limit to rate limit OTP generations. By default, this library uses an in-memory store to keep track of the number of hits per IP. But using an in-memory store is problematic because this store is not shared across processes or servers, so each server keeps track of their own hits separately. If a load balancer distributes a client's requests across multiple servers, then the client can in practice hit the endpoint at a rate several times above the specified limit.

To Reproduce

I tried making POST requests to go.gov.sg/api/login/otp 12 times in a row, and they all succeeded. But by right it should fail after the 5th request (as it does on staging), because the current specified rate limit is 5 per minute. This happens because we currently have multiple servers for production, but only a single server for staging.

Solution

Switch the store to redis. This is also recommended by the authors of express-rate-limit.

Documentation on store for express-rate-limit here

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant