feat: create rateLimit zone to rate limit depending on global, ip, sessionToken, userId

dblythy · dblythy · commit b217bb35dae1 · 2023-04-14T15:14:53.000+10:00
diff --git a/spec/RateLimit.spec.js b/spec/RateLimit.spec.js
@@ -335,6 +335,99 @@ describe('rate limit', () => {
     await Parse.Cloud.run('test2');
   });
 
+  describe('zone', () => {
+    const middlewares = require('../lib/middlewares');
+    it('can use global zone', async () => {
+      await reconfigureServer({
+        rateLimit: {
+          requestPath: '*',
+          requestTimeWindow: 10000,
+          requestCount: 1,
+          errorResponseMessage: 'Too many requests',
+          includeInternalRequests: true,
+          zone: 'global',
+        },
+      });
+      const fakeReq = {
+        originalUrl: 'http://example.com/parse/',
+        url: 'http://example.com/',
+        body: {
+          _ApplicationId: 'test',
+        },
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+        },
+        get: key => {
+          return fakeReq.headers[key];
+        },
+      };
+      fakeReq.ip = '127.0.0.1';
+      let fakeRes = jasmine.createSpyObj('fakeRes', ['end', 'status', 'setHeader', 'json']);
+      await new Promise(resolve => middlewares.handleParseHeaders(fakeReq, fakeRes, resolve));
+      fakeReq.ip = '127.0.0.2';
+      fakeRes = jasmine.createSpyObj('fakeRes', ['end', 'status', 'setHeader']);
+      let resolvingPromise;
+      const promise = new Promise(resolve => {
+        resolvingPromise = resolve;
+      });
+      fakeRes.json = jasmine.createSpy('json').and.callFake(resolvingPromise);
+      middlewares.handleParseHeaders(fakeReq, fakeRes, () => {
+        throw 'Should not call next';
+      });
+      await promise;
+      expect(fakeRes.status).toHaveBeenCalledWith(429);
+      expect(fakeRes.json).toHaveBeenCalledWith({
+        code: Parse.Error.CONNECTION_FAILED,
+        error: 'Too many requests',
+      });
+    });
+
+    it('can use session zone', async () => {
+      await reconfigureServer({
+        rateLimit: {
+          requestPath: '/functions/*',
+          requestTimeWindow: 10000,
+          requestCount: 1,
+          errorResponseMessage: 'Too many requests',
+          includeInternalRequests: true,
+          zone: 'session',
+        },
+      });
+      Parse.Cloud.define('test', () => 'Abc');
+      await Parse.User.signUp('username', 'password');
+      await Parse.Cloud.run('test');
+      await expectAsync(Parse.Cloud.run('test')).toBeRejectedWith(
+        new Parse.Error(Parse.Error.CONNECTION_FAILED, 'Too many requests')
+      );
+      await Parse.User.logIn('username', 'password');
+      await Parse.Cloud.run('test');
+    });
+
+    it('can use user zone', async () => {
+      await reconfigureServer({
+        rateLimit: {
+          requestPath: '/functions/*',
+          requestTimeWindow: 10000,
+          requestCount: 1,
+          errorResponseMessage: 'Too many requests',
+          includeInternalRequests: true,
+          zone: 'user',
+        },
+      });
+      Parse.Cloud.define('test', () => 'Abc');
+      await Parse.User.signUp('username', 'password');
+      await Parse.Cloud.run('test');
+      await expectAsync(Parse.Cloud.run('test')).toBeRejectedWith(
+        new Parse.Error(Parse.Error.CONNECTION_FAILED, 'Too many requests')
+      );
+      await Parse.User.logIn('username', 'password');
+      await expectAsync(Parse.Cloud.run('test')).toBeRejectedWith(
+        new Parse.Error(Parse.Error.CONNECTION_FAILED, 'Too many requests')
+      );
+    });
+  });
+
   it('can validate rateLimit', async () => {
     const Config = require('../lib/Config');
     const validateRateLimit = ({ rateLimit }) => Config.validateRateLimit(rateLimit);
@@ -350,6 +443,11 @@ describe('rate limit', () => {
     expect(() =>
       validateRateLimit({ rateLimit: [{ requestTimeWindow: [], requestPath: 'a' }] })
     ).toThrow('rateLimit.requestTimeWindow must be a number');
+    expect(() =>
+      validateRateLimit({
+        rateLimit: [{ requestPath: 'a', requestTimeWindow: 1000, requestCount: 3, zone: 'abc' }],
+      })
+    ).toThrow('rateLimit.zone must be one of global, session, user or ip');
     expect(() =>
       validateRateLimit({
         rateLimit: [
diff --git a/src/Config.js b/src/Config.js
@@ -599,6 +599,9 @@ export class Config {
       if (option.errorResponseMessage && typeof option.errorResponseMessage !== 'string') {
         throw `rateLimit.errorResponseMessage must be a string`;
       }
+      if (option.zone && !['global', 'session', 'user', 'ip'].includes(option.zone)) {
+        throw `rateLimit.zone must be one of global, session, user or ip`;
+      }
     }
   }
 
diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js
@@ -586,6 +586,11 @@ module.exports.RateLimitOptions = {
       'The window of time in milliseconds within which the number of requests set in `requestCount` can be made before the rate limit is applied.',
     action: parsers.numberParser('requestTimeWindow'),
   },
+  zone: {
+    env: 'PARSE_SERVER_RATE_LIMIT_ZONE',
+    help:
+      "The type of rate limit to apply. The following types are supported:- `global`: rate limit based on the number of requests made by all users- `ip`: rate limit based on the IP address of the request- `user`: rate limit based on the user ID of the request- `session`: rate limit based on the session token of the request:default: 'ip'",
+  },
 };
 module.exports.SecurityOptions = {
   checkGroups: {
diff --git a/src/Options/docs.js b/src/Options/docs.js
diff --git a/src/Options/index.js b/src/Options/index.js
@@ -323,6 +323,15 @@ export interface RateLimitOptions {
   /* Optional, the URL of the Redis server to store rate limit data. This allows to rate limit requests for multiple servers by calculating the sum of all requests across all servers. This is useful if multiple servers are processing requests behind a load balancer. For example, the limit of 10 requests is reached if each of 2 servers processed 5 requests.
    */
   redisUrl: ?string;
+  /*
+  The type of rate limit to apply. The following types are supported:
+  - `global`: rate limit based on the number of requests made by all users
+  - `ip`: rate limit based on the IP address of the request
+  - `user`: rate limit based on the user ID of the request
+  - `session`: rate limit based on the session token of the request
+  :default: 'ip'
+  */
+  zone: ?string;
 }
 
 export interface SecurityOptions {
diff --git a/src/middlewares.js b/src/middlewares.js
@@ -540,7 +540,22 @@ export const addRateLimit = (route, config, cloud) => {
         }
         return request.auth?.isMaster;
       },
-      keyGenerator: request => {
+      keyGenerator: async request => {
+        if (route.zone === 'global') {
+          return request.config.appId;
+        }
+        const token = request.info.sessionToken;
+        if (route.zone === 'session' && token) {
+          return token;
+        }
+        if (route.zone === 'user' && token) {
+          if (!request.auth) {
+            await new Promise(resolve => handleParseSession(request, null, resolve));
+          }
+          if (request.auth?.user?.id && request.zone === 'user') {
+            return request.auth.user.id;
+          }
+        }
         return request.config.ip;
       },
       store: redisStore.store,

Original file line number	Diff line number	Diff line change
`@@ -599,6 +599,9 @@ export class Config {`
`599`	`599`	`if (option.errorResponseMessage && typeof option.errorResponseMessage !== 'string') {`
`600`	`600`	throw `rateLimit.errorResponseMessage must be a string`;
`601`	`601`	`}`
	`602`	`+ if (option.zone && !['global', 'session', 'user', 'ip'].includes(option.zone)) {`
	`603`	+ throw `rateLimit.zone must be one of global, session, user or ip`;
	`604`	`+ }`
`602`	`605`	`}`
`603`	`606`	`}`
`604`	`607`