Rate limit (#7)

jean-michelet · web-flow · commit 66c2aa51b0c8 · 2024-07-31T10:03:51.000+02:00
* fix: reset soft to origin/main

* docs: add RATE_LIMIT_MAX to .env.example
diff --git a/.env.example b/.env.example
@@ -15,3 +15,4 @@ LOG_LEVEL=info
 
 # Security
 JWT_SECRET=
+RATE_LIMIT_MAX=
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -67,4 +67,5 @@ jobs:
           MYSQL_USER: test_user
           MYSQL_PASSWORD: test_password
           # JWT_SECRET is dynamically generated and loaded from the environment
+          RATE_LIMIT_MAX: 4
         run: npm run db:migrate && npm run test
diff --git a/package.json b/package.json
@@ -29,6 +29,7 @@
     "@fastify/helmet": "^11.1.1",
     "@fastify/jwt": "^8.0.1",
     "@fastify/mysql": "^4.3.0",
+    "@fastify/rate-limit": "^9.1.0",
     "@fastify/sensible": "^5.0.0",
     "@fastify/swagger": "^8.14.0",
     "@fastify/swagger-ui": "^3.0.0",
diff --git a/src/app.ts b/src/app.ts
@@ -12,7 +12,7 @@ export default async function serviceApp(
 ) {
   // This loads all external plugins defined in plugins/external
   // those should be registered first as your custom plugins might depend on them
-  fastify.register(fastifyAutoload, {
+  await fastify.register(fastifyAutoload, {
     dir: path.join(import.meta.dirname, "plugins/external"),
     options: { ...opts }
   });
@@ -58,7 +58,16 @@ export default async function serviceApp(
     return { message };
   });
 
-  fastify.setNotFoundHandler((request, reply) => {
+  // An attacker could search for valid URLs if your 404 error handling is not rate limited.
+  fastify.setNotFoundHandler(
+      {
+        preHandler: fastify.rateLimit({
+          max: 3,
+          timeWindow: 500
+        })
+    }, 
+    (request, reply) => {
+
     request.log.warn(
       {
         request: {
diff --git a/src/plugins/custom/repository.ts b/src/plugins/custom/repository.ts
@@ -47,7 +47,7 @@ function createRepository(fastify: FastifyInstance) {
       return rows[0] as T;
     },
 
-    findMany: async <T>(table: string, opts: QueryOptions): Promise<T[]> => {
+    findMany: async <T>(table: string, opts: QueryOptions = {}): Promise<T[]> => {
       const { select = '*', where = {1:1} } = opts;
       const [clause, values] = processAssignmentRecord(where, 'AND');
 
diff --git a/src/plugins/external/1-env.ts b/src/plugins/external/1-env.ts
@@ -10,6 +10,7 @@ declare module "fastify" {
       MYSQL_PASSWORD: string;
       MYSQL_DATABASE: string;
       JWT_SECRET: string;
+      RATE_LIMIT_MAX: number;
     };
   }
 }
@@ -47,6 +48,10 @@ const schema = {
     // Security
     JWT_SECRET: {
       type: "string"
+    },
+    RATE_LIMIT_MAX: {
+      type: "number",
+      default: 100
     }
   }
 };
diff --git a/src/plugins/external/rate-limit.ts b/src/plugins/external/rate-limit.ts
@@ -0,0 +1,16 @@
+import fastifyRateLimit from "@fastify/rate-limit";
+import { FastifyInstance } from "fastify";
+
+export const autoConfig = (fastify: FastifyInstance) => {
+    return {
+        max: fastify.config.RATE_LIMIT_MAX,
+        timeWindow: "1 minute"
+    }
+}
+
+/**
+ * This plugins is low overhead rate limiter for your routes.
+ *
+ * @see {@link https://github.com/fastify/fastify-helmet}
+ */
+export default fastifyRateLimit
diff --git a/test/app/not-found-handler.test.ts b/test/app/not-found-handler.test.ts
@@ -13,3 +13,23 @@ it("should call notFoundHandler", async (t) => {
   assert.strictEqual(res.statusCode, 404);
   assert.deepStrictEqual(JSON.parse(res.payload), { message: "Not Found" });
 });
+
+it("should be rate limited", async (t) => {
+  const app = await build(t);
+
+  for (let i = 0; i < 3; i++) {
+    const res = await app.inject({
+      method: "GET",
+      url: "/this-route-does-not-exist"
+    });
+  
+    assert.strictEqual(res.statusCode, 404);
+  }
+
+  const res = await app.inject({
+    method: "GET",
+    url: "/this-route-does-not-exist"
+  });
+
+  assert.strictEqual(res.statusCode, 429);
+});
diff --git a/test/app/rate-limit.test.ts b/test/app/rate-limit.test.ts
@@ -0,0 +1,23 @@
+import { it } from "node:test";
+import { build } from "../helper.js";
+import assert from "node:assert";
+
+it("should be rate limited", async (t) => {
+    const app = await build(t);
+  
+    for (let i = 0; i < 4; i++) {
+      const res = await app.inject({
+        method: "GET",
+        url: "/"
+      });
+
+    assert.strictEqual(res.statusCode, 200);
+    }
+  
+    const res = await app.inject({
+      method: "GET",
+      url: "/"
+    });
+  
+    assert.strictEqual(res.statusCode, 429);
+});
diff --git a/test/routes/home.test.ts b/test/routes/home.test.ts
@@ -4,7 +4,6 @@ import { build } from "../helper.js";
 
 test("GET /", async (t) => {
   const app = await build(t);
-
   const res = await app.inject({
     url: "/"
   });

Original file line number	Diff line number	Diff line change
`@@ -15,3 +15,4 @@ LOG_LEVEL=info`
`15`	`15`
`16`	`16`	`# Security`
`17`	`17`	`JWT_SECRET=`
	`18`	`+RATE_LIMIT_MAX=`
Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@ declare module "fastify" {`
`10`	`10`	`MYSQL_PASSWORD: string;`
`11`	`11`	`MYSQL_DATABASE: string;`
`12`	`12`	`JWT_SECRET: string;`
	`13`	`+ RATE_LIMIT_MAX: number;`
`13`	`14`	`};`
`14`	`15`	`}`
`15`	`16`	`}`
`@@ -47,6 +48,10 @@ const schema = {`
`47`	`48`	`// Security`
`48`	`49`	`JWT_SECRET: {`
`49`	`50`	`type: "string"`
	`51`	`+ },`
	`52`	`+ RATE_LIMIT_MAX: {`
	`53`	`+ type: "number",`
	`54`	`+ default: 100`
`50`	`55`	`}`
`51`	`56`	`}`
`52`	`57`	`};`