Baroshem / nuxt-security

🛡 Automatically configure your app to follow OWASP security patterns and principles by using HTTP Headers and Middleware
https://nuxt-security.vercel.app/
MIT License

Can't make another rateLimiter driver work (Vercel KV) #372

Closed MickL closed 4 months ago

MickL commented 4 months ago

I can't make another driver (Vercel KV) work and the docs don't explain how to do it. Am I supposed to put just the name string or the driver itself?

I tried:

import vercelKVDriver from 'unstorage/drivers/vercel-kv';

// ...
security: {
    rateLimiter: {
      tokensPerInterval: 3,
      interval: 300000,
      // Passing an unstorage driver instance directly:
      driver: vercelKVDriver({
        // Tried with and without:
        // url: process.env.KV_REST_API_URL,
        // token: process.env.KV_REST_API_TOKEN,
      }),
    },
}

And it actually works: If I refresh the page 4 times I am banned. But if I check the Vercel KV (Redis) it shows zero entries: KEYS *.

Baroshem commented 4 months ago

Hey,

In order to implement it correctly, you would need to define a driver like following:

rateLimiter: {
  driver: {
    name: 'vercel-kv',
    options: { /* driver options */ },
  },
}

It is explained in the docs here https://nuxt-security.vercel.app/documentation/middleware/rate-limiter#options

Do you think that it is not clear? I can try to rewrite it if it is confusing :)

MickL commented 4 months ago

  1. I tried your example but it gives me a type error:
     [two screenshots of the type error]
  2. The thing with the docs is that they don't say if driver needs to be just a string name or an Unstorage driver object, but at the same time they link to Unstorage, which always creates a driver object:
     import { createStorage } from 'unstorage';
     import vercelKVDriver from 'unstorage/drivers/vercel-kv';

     const storage = createStorage({
       driver: vercelKVDriver({}),
     });
  3. Further, if it only requires a name, how do I know what name is the one I am looking for? For example, is it cloudflare-kv or cloud-flare-kv or cloudFlareKv or cloudFlareKV? Your example with 'vercel-kv' didn't work but 'vercelKV' did. How to know what names are available?

Baroshem commented 4 months ago

  1. tokensPerInterval is necessary for the rate limiting to work (same as interval). If you don't want to change the default values, you can always set them the same as in the default config -> https://nuxt-security.vercel.app/documentation/middleware/rate-limiter#tokensperinterval
  2/3. Yes, you are correct, I made a typo. It should be vercelKv. The configuration requires a pascal case name of the driver you want to use. It is then used in https://github.com/Baroshem/nuxt-security/blob/main/src/module.ts line 267 to mount the driver and it needs the pascal case name. That is why the default one is lruCache, not lru-cache.

If you use vercelKv does the rate limiting work correctly? I looked at the unstorage docs and vercelKv is experimental.
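
As an added illustration (not nuxt-security's or unstorage's own code) of the two things this reply ties together, the tokensPerInterval/interval semantics and the driver: { name, options } shape, here is a small token-bucket limiter running over a constructed in-memory driver that exposes unstorage-style getItem/setItem/getKeys methods. The config constant, the key prefix, the client IP, the fake clock and the default values 150 and 300000 are assumptions made for the example; the url/token option names come from MickL's first post. It is built so that with tokensPerInterval: 3 the fourth request in a window is rejected and the bucket refills once the interval has elapsed, and so that a driver which is really mounted leaves a key behind, which is what the KEYS * check in the first post was looking for.

```javascript
// Added example: models nuxt-security's rateLimiter semantics on top of an
// unstorage-shaped driver. This is NOT the module's own implementation.

// The config shape this thread converged on: a driver *name* (vercelKv) plus
// its options, rather than an unstorage driver instance. The url/token
// options and env variable names are the ones MickL used in his first post.
const rateLimiterConfig = {
  tokensPerInterval: 3,
  interval: 300000, // 5 minutes, in milliseconds
  driver: {
    name: 'vercelKv',
    options: {
      url: process.env.KV_REST_API_URL,
      token: process.env.KV_REST_API_TOKEN,
    },
  },
};

// Constructed in-memory driver exposing the subset of the unstorage driver
// interface used below. On a Redis-backed driver such as Vercel KV the keys
// written here would be what KEYS * shows.
function memoryDriver() {
  const store = new Map();
  return {
    async getItem(key) { return store.has(key) ? store.get(key) : null; },
    async setItem(key, value) { store.set(key, value); },
    async getKeys() { return [...store.keys()]; },
  };
}

// Token bucket: each client gets `tokensPerInterval` tokens per `interval` ms
// and the bucket is refilled once the window has elapsed. The defaults
// (150 / 300000) and the key prefix are assumptions, not taken from the module.
function createRateLimiter({ driver, tokensPerInterval = 150, interval = 300000, now = Date.now }) {
  const prefix = 'rate-limiter:';
  return {
    // Consumes one token for `clientId`; reports whether the request may proceed.
    async consume(clientId) {
      const key = prefix + clientId;
      const t = now();
      let bucket = await driver.getItem(key);
      if (!bucket || t - bucket.refilledAt >= interval) {
        bucket = { tokens: tokensPerInterval, refilledAt: t };
      }
      if (bucket.tokens <= 0) {
        await driver.setItem(key, bucket);
        return { allowed: false, remaining: 0, retryAfterMs: bucket.refilledAt + interval - t };
      }
      bucket.tokens -= 1;
      await driver.setItem(key, bucket);
      return { allowed: true, remaining: bucket.tokens, retryAfterMs: 0 };
    },
    keys: () => driver.getKeys(),
  };
}

// Reproduces the observation from the first post with a fake clock: 3 tokens
// per window, so the 4th refresh is rejected; after the window passes the
// bucket refills. Also returns the keys the driver holds, i.e. what KEYS *
// would list on a mounted KV driver.
async function demo() {
  let clock = 1700000000000; // constructed epoch-millisecond clock
  const driver = memoryDriver();
  const limiter = createRateLimiter({
    driver,
    tokensPerInterval: rateLimiterConfig.tokensPerInterval,
    interval: rateLimiterConfig.interval,
    now: () => clock,
  });
  const results = [];
  for (let i = 0; i < 4; i++) {
    results.push((await limiter.consume('203.0.113.7')).allowed);
  }
  const keys = await limiter.keys();
  clock += rateLimiterConfig.interval; // the window has elapsed
  const afterWindow = (await limiter.consume('203.0.113.7')).allowed;
  return { results, keys, afterWindow };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

Running the block prints the four decisions (three allowed, the fourth rejected), the single key the driver now holds, and the allowed decision after the window. Against a real KV driver the same check, listing keys after a few requests, is the quickest way to confirm the configured driver is the one actually being mounted.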

MickL commented 4 months ago

Yes, it works fine and I close this issue. Thanks for the quick responses! The docs need to be updated though :)

Baroshem commented 4 months ago

Ok, so let me reopen this issue so that we can link the documentation fix to it :)

I will add documentation about using custom driver in the upcoming days

Baroshem commented 4 months ago

Managed to do it faster 😃

Added in https://github.com/Baroshem/nuxt-security/commit/4327422f973e7d340ed20aba51a5123838a1e286

Closing