
I have the following problem. I have two apps deployed on DigitalOcean, API (using Node.js and Express) and CLIENT (create-react-app). I want to add an API call rate limiter. I've tried using express-rate-limiter but, if I understand correctly, it blocks the request taking the CLIENT app IP, so when it reaches the max API calls allowed, express-rate-limiter blocks all the requests. Here is my rate limiter middleware:

import express from "express";
import rateLimit from "express-rate-limit";

// app and router were not shown in the original snippet; added so it runs as posted
const app = express();
const router = express.Router();

const apiCallRateLimiter = rateLimit({
  windowMs: 60 * 60 * 1000, // one hour window
  max: 1,                   // one request per key per window
  message: "You have reached maximum retries. Please try again later",
  statusCode: 429,
  headers: true,
});

// default keyGenerator uses req.ip, i.e. the address of whoever connects to the API
app.use(apiCallRateLimiter);
app.use("/", router);

I've tried this: express-rate-limit blocking requests from all users, but it didn't work. The middlewares look like this:

import express from "express";
import rateLimit from "express-rate-limit";
import { mw } from "request-ip";

// app and router were not shown in the original snippet; added so it runs as posted
const app = express();
const router = express.Router();

const apiCallRateLimiter = rateLimit({
  windowMs: 60 * 60 * 1000,
  max: 1,
  message: "You have reached maximum retries. Please try again later",
  statusCode: 429,
  headers: true,
  // request-ip's middleware stores the address it resolves on req.clientIp
  keyGenerator: (req, res) => req.clientIp,
});

app.use(mw());
app.use(apiCallRateLimiter);
app.use("/", router);

How can I limit the API calls taking the user IP and not my CLIENT app IP? Thanks in advance.

Fernando
  • #1 Is your client a web csr (react, angular, vue) or ssr? #2 Is the web using a loadbalancer like nginx ? #3 Do you want to protect the web or the api ? – JRichardsz Mar 13 '23 at 23:34

1 Answer


I've just changed the arrow function at keyGenerator to an anonymous function and now it's working:

import rateLimit from "express-rate-limit";

const apiCallRateLimiter = rateLimit({
  windowMs: 60 * 60 * 1000,
  max: 1,
  message: "You have reached maximum retries. Please try again later",
  statusCode: 429,
  headers: true,
  // method shorthand instead of an arrow function; req.clientIp is set by request-ip's mw()
  keyGenerator(req) {
    return req.clientIp;
  },
});
Fernando
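The underlying issue in the question, whichever keyGenerator syntax is used, is what address the limiter keys on. When requests reach the API through a proxy (a DigitalOcean load balancer, nginx, or the React app's server proxying on behalf of browsers), the socket peer is the proxy, so every user collapses onto one key and the first user to hit `max` locks everyone out. The fix is to resolve the client address from `X-Forwarded-For`, but only for the hops added by proxies you control; a client can put anything it likes at the front of that header, so a limiter that blindly takes the leftmost entry can be made to key on a value the client chose. In Express the usual way to get this behaviour is `app.set("trust proxy", n)` so that `req.ip` (express-rate-limit's default key) is the real client. The following is an added, dependency-free example that is not part of the question or answer: a fixed-window limiter with that hop-aware address resolution, using constructed addresses and a fake clock so it runs offline. `clientIpFrom`, `createRateLimiter` and the `trustedProxyHops` option are names chosen here, not express-rate-limit or request-ip APIs.

```javascript
// Added example, not code from the question or the answer.
// Resolve the real client IP from X-Forwarded-For, trusting exactly
// `trustedProxyHops` proxies in front of the API (assumed deployment detail).
function clientIpFrom(remoteAddress, xForwardedFor, trustedProxyHops) {
  // X-Forwarded-For is "client, proxy1, proxy2": each trusted proxy appends
  // the peer address it received the request from.
  const chain = (xForwardedFor || "")
    .split(",")
    .map((s) => s.trim())
    .filter(Boolean);
  // Full hop list ending with the socket peer (the nearest hop to us).
  const hops = [...chain, remoteAddress];
  // Step back over the hops we trust; the next one is the client.
  // Entries further left were supplied by untrusted parties and are ignored.
  // Note: trusting more hops than actually exist (idx < 0) would fall back to
  // the leftmost, client-controlled entry, so keep trustedProxyHops accurate.
  const idx = hops.length - 1 - trustedProxyHops;
  return hops[Math.max(idx, 0)];
}

// Fixed-window limiter keyed by resolved client IP. `now` is injectable so
// the behaviour can be checked without waiting for a real window to expire.
function createRateLimiter({ windowMs, max, trustedProxyHops = 0, now = Date.now }) {
  const buckets = new Map(); // key -> { count, resetAt }
  return function check(remoteAddress, xForwardedFor) {
    const key = clientIpFrom(remoteAddress, xForwardedFor, trustedProxyHops);
    const t = now();
    let bucket = buckets.get(key);
    if (!bucket || t >= bucket.resetAt) {
      bucket = { count: 0, resetAt: t + windowMs };
      buckets.set(key, bucket);
    }
    bucket.count += 1;
    const allowed = bucket.count <= max;
    return {
      key,
      allowed,
      remaining: Math.max(max - bucket.count, 0),
      status: allowed ? 200 : 429,
    };
  };
}

// Constructed scenario: two users behind one proxy at 10.0.0.2 (RFC 5737
// documentation addresses used for the users).
function demo() {
  const PROXY = "10.0.0.2";
  const USER_A = "203.0.113.5";
  const USER_B = "198.51.100.7";

  // Naive: key on the socket peer. Both users share the proxy's key, so the
  // second user is rejected after the first user's single allowed request.
  const naive = createRateLimiter({ windowMs: 60_000, max: 1, now: () => 0 });
  const naiveA = naive(PROXY, USER_A);
  const naiveB = naive(PROXY, USER_B);

  // Hop-aware: one trusted proxy, so each user gets their own key.
  const clock = { t: 0 };
  const aware = createRateLimiter({
    windowMs: 60_000, max: 1, trustedProxyHops: 1, now: () => clock.t,
  });
  const awareA1 = aware(PROXY, USER_A);
  const awareB1 = aware(PROXY, USER_B);
  const awareA2 = aware(PROXY, USER_A); // second request in window: 429
  clock.t = 60_000;
  const awareA3 = aware(PROXY, USER_A); // window rolled over: allowed again

  // Forged header: user A prepends a fake address; the trusted proxy appends
  // A's real address, and the limiter still keys on the real one.
  const forged = aware(PROXY, `1.2.3.4, ${USER_A}`);

  return { naiveA, naiveB, awareA1, awareB1, awareA2, awareA3, forged };
}

module.exports = { clientIpFrom, createRateLimiter, demo };
```

The same reasoning applies to request-ip: it reads `X-Forwarded-For` and similar headers without knowing how many proxies are trusted, so the address it puts on `req.clientIp` is only as reliable as the proxy that set the header.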