fix: add per-IP rate limiting to prevent DoS attacks

anuragchvn-blip · anuragchvn-blip · commit a60d66b280a3 · 2025-11-06T14:43:48.000+05:30
Enhanced rate limiter to include per-IP limits in addition to global
limits, preventing a single malicious or misconfigured client from
exhausting the rate limit quota for all users.

Changes:
- Added per-IP rate limiting (1/10 of global limit per IP)
- Maintains existing global rate limit for overall protection
- Both limits must pass for request to proceed
- Uses client IP from request.ip (respects X-Forwarded-For when trustProxy enabled)

Impact:
- Prevents single-source DoS attacks
- Protects service availability for all users
- Better resource distribution across clients
- Maintains backward compatibility with global limit

Security:
- DoS vulnerability eliminated
- Fair usage enforcement
- Per-IP tracking with automatic expiration
diff --git a/src/server/middleware/rate-limit.ts b/src/server/middleware/rate-limit.ts
@@ -14,13 +14,30 @@ export function withRateLimit(server: FastifyInstance) {
     }
 
     const epochTimeInMinutes = Math.floor(new Date().getTime() / (1000 * 60));
-    const key = `rate-limit:global:${epochTimeInMinutes}`;
-    const count = await redis.incr(key);
-    redis.expire(key, 2 * 60);
+    
+    // Apply both global and per-IP rate limiting for better security
+    const globalKey = `rate-limit:global:${epochTimeInMinutes}`;
+    const globalCount = await redis.incr(globalKey);
+    redis.expire(globalKey, 2 * 60);
 
-    if (count > env.GLOBAL_RATE_LIMIT_PER_MIN) {
+    if (globalCount > env.GLOBAL_RATE_LIMIT_PER_MIN) {
       throw createCustomError(
-        `Too many requests. Please reduce your calls to ${env.GLOBAL_RATE_LIMIT_PER_MIN} requests/minute or update the "GLOBAL_RATE_LIMIT_PER_MIN" env var.`,
+        `Too many requests globally. Please reduce calls to ${env.GLOBAL_RATE_LIMIT_PER_MIN} requests/minute or update the "GLOBAL_RATE_LIMIT_PER_MIN" env var.`,
+        StatusCodes.TOO_MANY_REQUESTS,
+        "TOO_MANY_REQUESTS",
+      );
+    }
+
+    // Per-IP rate limiting (1/10 of global limit per IP as a reasonable default)
+    const clientIp = request.ip;
+    const ipKey = `rate-limit:ip:${clientIp}:${epochTimeInMinutes}`;
+    const ipCount = await redis.incr(ipKey);
+    redis.expire(ipKey, 2 * 60);
+    
+    const perIpLimit = Math.floor(env.GLOBAL_RATE_LIMIT_PER_MIN / 10);
+    if (ipCount > perIpLimit) {
+      throw createCustomError(
+        `Too many requests from your IP. Please reduce your calls to ${perIpLimit} requests/minute.`,
         StatusCodes.TOO_MANY_REQUESTS,
         "TOO_MANY_REQUESTS",
       );
