Rate Limiting Examples for Node.js API

Understanding Rate Limiting in Node.js

Rate limiting is a technique used to control the amount of incoming requests to an API over a specified time period. This is essential in preventing abuse, ensuring fair usage, and maintaining the performance of the server. In this article, we will explore three practical examples of rate limiting in a Node.js API.

Example 1: Basic Rate Limiting Using Express Middleware

Context

In this example, we will implement a basic rate limiting middleware using the Express framework. This is useful for APIs that need to restrict the number of requests from a single IP address within a certain timeframe.

const express = require('express');
const rateLimit = require('express-rate-limit');

const app = express();

// Set up a rate limit of 100 requests per 15 minutes
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // limit each IP to 100 requests per windowMs
  message: 'Too many requests from this IP, please try again later.'
});

// Apply the rate limiting middleware to all requests
app.use(limiter);

app.get('/api/data', (req, res) => {
  res.send('Here is your data!');
});

const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
  console.log(`Server running on port ${PORT}`);
});

Notes

• This example uses the express-rate-limit package for straightforward implementation.
• You can adjust the max and windowMs settings based on your API’s requirements.

Example 2: Dynamic Rate Limiting Based on User Role

Context

This example demonstrates how to implement dynamic rate limiting based on the user’s role (e.g., admin vs. regular user). This can be useful for APIs that have different levels of access.

const express = require('express');
const rateLimit = require('express-rate-limit');

const app = express();

// Define a function to determine rate limits based on user role
const getRateLimit = (role) => {
  if (role === 'admin') {
    return rateLimit({
      windowMs: 60 * 1000, // 1 minute
      max: 200 // limit admin users to 200 requests per minute
    });
  }
  return rateLimit({
    windowMs: 60 * 1000, // 1 minute
    max: 50 // limit regular users to 50 requests per minute
  });
};

app.use((req, res, next) => {
  // Simulate user role extraction from a token or session
  const userRole = req.headers['x-user-role'] || 'user';
  getRateLimit(userRole)(req, res, next);
});

app.get('/api/resource', (req, res) => {
  res.send('Access granted to resource!');
});

const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
  console.log(`Server running on port ${PORT}`);
});

Notes

• This approach allows for flexible rate limiting based on user roles, making it suitable for applications with varied user types.
• Ensure that the user role is securely verified to prevent abuse.

Example 3: IP Address Whitelisting for Rate Limiting

Context

In this example, we will implement a rate limiter that allows certain IP addresses to bypass the rate limits. This can be useful for trusted clients or internal services that need unrestricted access.

const express = require('express');
const rateLimit = require('express-rate-limit');
const app = express();

// List of whitelisted IPs
const whitelist = ['192.168.1.1', '192.168.1.2'];

// Create a custom rate limiter
const customLimiter = rateLimit({
  windowMs: 10 * 60 * 1000, // 10 minutes
  max: 100,
  message: 'Too many requests, please try again later.',
  skip: (req) => whitelist.includes(req.ip)
});

app.use(customLimiter);

app.get('/api/status', (req, res) => {
  res.send('API is running!');
});

const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
  console.log(`Server running on port ${PORT}`);
});

Notes

• The skip function checks if the request comes from a whitelisted IP, bypassing the rate limit if it does.
• Be cautious with whitelisting, as it can introduce security risks if not managed properly.