-
-
Notifications
You must be signed in to change notification settings - Fork 163
PostgreSQL
PostgreSQL >= 9.5
Note: Carefully test performance, if your application limits more than 500 requests per second.
It works with pg
, knex
and sequelize
.
It is recommended to use pool of connections.
By default, RateLimiterPostgres creates separate table by keyPrefix
for every limiter.
All limits are stored in one table if tableName
option is set.
Limits data, which expired more than an hour ago, are removed every 5 minutes by setTimeout
.
It is recommended to provide ready
callback as the second option of new RateLimiterMySQL(opts, ready)
to react on errors during creating table(s) for rate limiters. See example below.
ready
callback can be omitted, if process is terminated on unhandled errors.
See detailed options description here
const { Pool } = require('pg');
const client = new Pool({
host: '127.0.0.1',
port: 5432,
database: 'root',
user: 'root',
password: 'secret',
});
const opts = {
// Basic options
storeClient: client,
points: 5, // Number of points
duration: 1, // Per second(s)
// Custom
tableName: 'mytable', // if not provided, keyPrefix used as table name
keyPrefix: 'myprefix', // must be unique for limiters with different purpose
execEvenly: true, // Do not delay actions evenly
blockDuration: 10, // Block for 10 seconds if consumed more than `points`
inmemoryBlockOnConsumed: 20, // If 20 points consumed in current duration
inmemoryBlockDuration: 30, // block for 30 seconds in current process memory
insuranceLimiter: new RateLimiterMemory(
// It will be used only database error as insurance
// Can be any implemented limiter like RateLimiterMemory or RateLimiterRedis extended from RateLimiterAbstract
{
points: 1, // 1 is fair if you have 5 workers and 1 cluster
duration: 1,
}),
};
const ready = (err) => {
if (err) {
// log or/and process exit
} else {
// table checked/created
}
};
// if second parameter is not a function or not provided, it may throw unhandled error on creation a table
const rateLimiter = new RateLimiterPostgres(opts, ready);
rateLimiter.consume(userIdOrIp)
.then((rateLimiterRes) => {
// There were enough points to consume
// ... Some app logic here ...
})
.catch((rejRes) => {
if (rejRes instanceof Error) {
// Some Postgres error
// Never happen if `insuranceLimiter` set up
// Decide what to do with it in other case
} else {
// Can't consume
// If there is no error, rateLimiterRedis promise rejected with number of ms before next request allowed
// consumed and remaining points
const secs = Math.round(rejRes.msBeforeNext / 1000) || 1;
res.set('Retry-After', String(secs));
res.status(429).send('Too Many Requests');
}
});
It gets internal connection from Sequelize or Knex to make raw queries. Connection is released after any query or transaction, so workflow is clean.
const rateLimiter = new RateLimiterPostgres({
storeClient: sequelizeInstance,
}, ready);
const rateLimiter = new RateLimiterPostgres({
storeClient: knexInstance,
storeType: `knex`, // knex requires this option
}, ready);
See detailed options description here
Endpoint is pure NodeJS endpoint launched in node:10.5.0-jessie
and postgres:latest
Docker containers with 4 workers
User key is random number from 0 to 300.
Endpoint is limited by RateLimiterMySQL
with config:
new RateLimiterPostgres({
storeClient: pgClient,
points: 5, // Number of points
duration: 1, // Per second(s)
});
Statistics Avg Stdev Max
Reqs/sec 995.09 303.79 2010.29
Latency 7.48ms 5.30ms 51.60ms
Latency Distribution
50% 5.25ms
75% 8.07ms
90% 16.36ms
95% 21.85ms
99% 29.42ms
HTTP codes:
1xx - 0, 2xx - 8985, 3xx - 0, 4xx - 21024, 5xx - 0
Get started
Middlewares and plugins
Migration from other packages
Limiters:
- Redis
- Memory
- DynamoDB
- Prisma
- MongoDB (with sharding support)
- PostgreSQL
- MySQL
- BurstyRateLimiter
- Cluster
- PM2 Cluster
- Memcached
- RateLimiterUnion
- RateLimiterQueue
Wrappers:
- RLWrapperBlackAndWhite Black and White lists
Knowledge base:
- Block Strategy in memory
- Insurance Strategy
- Comparative benchmarks
- Smooth out traffic peaks
-
Usage example
- Minimal protection against password brute-force
- Login endpoint protection
- Websocket connection prevent flooding
- Dynamic block duration
- Different limits for authorized users
- Different limits for different parts of application
- Block Strategy in memory
- Insurance Strategy
- Third-party API, crawler, bot rate limiting