ysocorp / koa2-ratelimit

Rate-limiting middleware for Koa2 ES6. Use to limit repeated requests to APIs and/or endpoints such as password reset.
MIT License

What happens if we have a large number of users behind a common IP address? #19

Closed fmaxx closed 5 years ago

fmaxx commented 5 years ago

As I understand it, all of them will be banned... right? Thank you.

julienwilmet commented 5 years ago

From this section of the README.md:

If your user is logged in and you configured a user in your Koa context, even if they have the same IP they will be managed separately:

getUserId: Function used to get userId (if connected) to be added as key and saved in bdd, should an abuse case surface. Defaults:

async function (ctx) {
  const whereFinds = [ctx.state.user, ctx.user, ctx.state.User, ctx.User, ctx.state, ctx];
  const toFinds = ['id', 'userId', 'user_id', 'idUser', 'id_user'];
  for (const whereFind of whereFinds) {
    if (whereFind) {
      for (const toFind of toFinds) {
        if (whereFind[toFind]) {
          return whereFind[toFind];
        }
      }
    }
  }
  return null;
},

This comes from the keyGenerator option. keyGenerator: Function used to generate keys. By default userID (if connected) or the user's IP address. Defaults:

async function (ctx) {
    const userId = await this.options.getUserId(ctx);
    if (userId) {
        return `${this.options.prefixKey}|${userId}`;
    }
    return `${this.options.prefixKey}|${ctx.request.ip}`;
}
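To make the answer above concrete, here is an added example (not koa2-ratelimit's own code) that reproduces the default getUserId and keyGenerator behaviour in front of a minimal in-memory counter, and contrasts it with keying on the IP alone, which is what the question assumes. The contexts, the `ratelimit` prefix and the 203.0.113.10 address are constructed for the demo.

```javascript
// Added example, not koa2-ratelimit's own code: an in-memory limiter whose key
// generator mirrors the README defaults quoted above ('ratelimit' is an assumed prefixKey).
const PREFIX = 'ratelimit';

// Mirrors the default getUserId: search the usual places for a user id.
async function getUserId(ctx) {
  const whereFinds = [ctx.state.user, ctx.user, ctx.state.User, ctx.User, ctx.state, ctx];
  const toFinds = ['id', 'userId', 'user_id', 'idUser', 'id_user'];
  for (const whereFind of whereFinds) {
    for (const toFind of toFinds) {
      if (whereFind && whereFind[toFind]) return whereFind[toFind];
    }
  }
  return null;
}

// Mirrors the default keyGenerator: user id when logged in, otherwise the client IP.
async function keyGenerator(ctx) {
  const userId = await getUserId(ctx);
  return userId ? `${PREFIX}|${userId}` : `${PREFIX}|${ctx.request.ip}`;
}

// Contrast case the question assumes: every client behind one IP shares a key.
const ipOnlyKeyGenerator = async (ctx) => `${PREFIX}|${ctx.request.ip}`;
// Plain hit counter keyed by keyGen's result (no window expiry; enough for a demo).
function createLimiter({ max, keyGen }) {
  const hits = new Map();
  return async function isAllowed(ctx) {
    const key = await keyGen(ctx);
    const count = (hits.get(key) || 0) + 1;
    hits.set(key, count);
    return count <= max;
  };
}

// Constructed Koa-like contexts: two logged-in users and an anonymous client, one shared IP.
const ip = '203.0.113.10';
const alice = { state: { user: { id: 'alice' } }, request: { ip } };
const bob = { state: { user: { id: 'bob' } }, request: { ip } };
const anon = { state: {}, request: { ip } };
// Sends max+1 requests per client and returns each client's allow/deny pattern.
async function demo(keyGen, max = 2) {
  const isAllowed = createLimiter({ max, keyGen });
  const results = {};
  for (const [name, ctx] of [['alice', alice], ['bob', bob], ['anon', anon]]) {
    results[name] = [];
    for (let i = 0; i <= max; i++) results[name].push(await isAllowed(ctx));
  }
  return results;
}
```

With the default key generator each of alice, bob and the anonymous client gets its own allowance of `max` requests; with the IP-only key, alice's requests exhaust the shared allowance and bob and the anonymous client are rejected from their first request.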