Node.js Rate Limiter

A flexible and robust rate limiting middleware for Node.js applications with support for both in-memory and Redis-based storage. This rate limiter can be used in both single-server and distributed environments.

Features

• 🚀 Simple and easy to use
• 💾 Multiple storage options (in-memory and Redis)
• 🔄 Configurable time windows and request limits
• 🎯 Multiple identifier strategies (IP, auth token, cookie)
• 🔌 Pluggable custom identifier extraction
• 🎨 Clean middleware interface
• 🔒 Thread-safe and distributed-safe (when using Redis)
• ⚡ Lightweight with minimal dependencies

Installation

1npm install @sid3945/rate-limiter

Quick Start

1import express from 'express';
2import RateLimiter from '@yourusername/rate-limiter';
3
4const app = express();
5
6const rateLimiter = new RateLimiter({
7  window: 3000,  // 3 seconds from the first request from this source
8  maxHits: 3     // 3 requests per window 
9});
10
11app.use(rateLimiter.guard());
12
13app.get('/_healthz', (req, res) => {
14  res.json({ message: 'Status Ok!' });
15});
16
17app.listen(3000);

Configuration Options

Basic Configuration

1const rateLimiter = new RateLimiter({
2  window: 3000,       // Time window in milliseconds
3  maxHits: 3,         // Maximum number of requests per window
4  identifier: 'ip',   // Identifier strategy ('ip', 'authToken', 'cookie')
5  storage: 'memory'   // Storage strategy ('in-memory' or 'redis')
6});

Redis Configuration

1const rateLimiter = new RateLimiter({
2  window: 3000,
3  maxHits: 3,
4  storage: 'redis',
5  redisConfig: {
6    host: 'localhost',
7    port: 6379,
8    password: 'your-password', db: 0 // Redis database number
9  }
10});

Custom Identifier

1const rateLimiter = new RateLimiter({
2  window: 3000,
3  maxHits: 3,
4  customIdentifierExtractor: (req) => {
5    return req.headers['x-custom-id'] || req.ip;
6  }
7});

Storage Strategies

In-Memory Storage

• Best for single-server deployments
• No additional dependencies
• Fast performance
• Data is lost on server restart

Redis Storage

• Best for distributed environments
• Requires Redis server
• Consistent rate limiting across multiple servers
• Persists across server restarts
• Automatic cleanup of expired records

Response Format

When rate limit is exceeded, the middleware returns:

1{
2  error: "Too many requests",
3  retryAfter: 3
4}

With HTTP status code 429 (Too Many Requests).

Example Use Cases

Basic API Rate Limiting

1const apiLimiter = new RateLimiter({
2  window: 60000,    // 1 minute
3  maxHits: 60       // 60 requests per minute
4});
5
6app.use('/api/', apiLimiter.guard());

Different Limits for Authentication

1const publicLimiter = new RateLimiter({
2  window: 60000,
3  maxHits: 30
4});
5
6const authenticatedLimiter = new RateLimiter({
7  window: 60000,
8  maxHits: 100,
9  identifier: 'authToken'
10});
11
12app.use('/api/public', publicLimiter.guard());
13
14app.use('/api/private', authenticatedLimiter.guard());

Performance Considerations

• In-memory storage has minimal impact on request latency
• Redis storage adds network latency but enables distributed rate limiting
• Redis keys automatically expire after the window period
• Careful consideration needed for high-traffic applications

Error Handling

The middleware includes built-in error handling:

• Redis connection failures fallback to allowing requests
• Invalid configurations throw errors during initialization
• All errors are logged for debugging

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

License

MIT

Author

Siddharth Upadhyay

Changelog

1.0.0

• Initial release
• Support for in-memory and Redis storage
• Basic rate limiting functionality

1.0.2

• Updated documentation (and reduced GEN AI footprint 😁)

Todo

• Add support for sliding windows
• Add support for multiple concurrent windows
• Add support for rate limit headers
• Add support for custom response formats