Add tests for the rate limit middleware and add custom JWT rate limits

Author: ericallam

apps/webapp/app/env.server.ts

@@ -31,7 +31,7 @@ const EnvironmentSchema = z.object({
   REMIX_APP_PORT: z.string().optional(),
   LOGIN_ORIGIN: z.string().default("http://localhost:3030"),
   APP_ORIGIN: z.string().default("http://localhost:3030"),
-  ELECTRIC_ORIGIN: z.string(),
+  ELECTRIC_ORIGIN: z.string().default("http://localhost:3060"),
   APP_ENV: z.string().default(process.env.NODE_ENV),
   SERVICE_NAME: z.string().default("trigger.dev webapp"),
   SECRET_STORE: SecretStoreOptionsSchema.default("DATABASE"),
@@ -105,6 +105,9 @@ const EnvironmentSchema = z.object({
   API_RATE_LIMIT_REJECTION_LOGS_ENABLED: z.string().default("1"),
   API_RATE_LIMIT_LIMITER_LOGS_ENABLED: z.string().default("0"),
 
+  API_RATE_LIMIT_JWT_WINDOW: z.string().default("1m"),
+  API_RATE_LIMIT_JWT_TOKENS: z.coerce.number().int().default(60),
+
   //Realtime rate limiting
   /**
    * @example "60s"

apps/webapp/app/services/apiAuth.server.ts

@@ -103,15 +103,18 @@ export async function authenticateApiKey(
 
 export async function authenticateAuthorizationHeader(
   authorization: string,
-  { allowPublicKey = false }: { allowPublicKey?: boolean } = {}
+  {
+    allowPublicKey = false,
+    allowJWT = false,
+  }: { allowPublicKey?: boolean; allowJWT?: boolean } = {}
 ): Promise<ApiAuthenticationResult | undefined> {
   const apiKey = getApiKeyFromHeader(authorization);
 
   if (!apiKey) {
     return;
   }
 
-  return authenticateApiKey(apiKey, { allowPublicKey });
+  return authenticateApiKey(apiKey, { allowPublicKey, allowJWT });
 }
 
 export function isPublicApiKey(key: string) {

apps/webapp/app/services/apiRateLimit.server.ts

@@ -1,303 +1,7 @@
-import { createCache, DefaultStatefulContext, Namespace, Cache as UnkeyCache } from "@unkey/cache";
-import { MemoryStore } from "@unkey/cache/stores";
-import { Ratelimit } from "@upstash/ratelimit";
-import { Request as ExpressRequest, Response as ExpressResponse, NextFunction } from "express";
-import { RedisOptions } from "ioredis";
-import { createHash } from "node:crypto";
-import { z } from "zod";
 import { env } from "~/env.server";
 import { authenticateAuthorizationHeader } from "./apiAuth.server";
-import { logger } from "./logger.server";
-import { createRedisRateLimitClient, Duration, RateLimiter } from "./rateLimiter.server";
-import { RedisCacheStore } from "./unkey/redisCacheStore.server";
-
-const DurationSchema = z.custom<Duration>((value) => {
-  if (typeof value !== "string") {
-    throw new Error("Duration must be a string");
-  }
-
-  return value as Duration;
-});
-
-export const RateLimitFixedWindowConfig = z.object({
-  type: z.literal("fixedWindow"),
-  window: DurationSchema,
-  tokens: z.number(),
-});
-
-export type RateLimitFixedWindowConfig = z.infer<typeof RateLimitFixedWindowConfig>;
-
-export const RateLimitSlidingWindowConfig = z.object({
-  type: z.literal("slidingWindow"),
-  window: DurationSchema,
-  tokens: z.number(),
-});
-
-export type RateLimitSlidingWindowConfig = z.infer<typeof RateLimitSlidingWindowConfig>;
-
-export const RateLimitTokenBucketConfig = z.object({
-  type: z.literal("tokenBucket"),
-  refillRate: z.number(),
-  interval: DurationSchema,
-  maxTokens: z.number(),
-});
-
-export type RateLimitTokenBucketConfig = z.infer<typeof RateLimitTokenBucketConfig>;
-
-export const RateLimiterConfig = z.discriminatedUnion("type", [
-  RateLimitFixedWindowConfig,
-  RateLimitSlidingWindowConfig,
-  RateLimitTokenBucketConfig,
-]);
-
-export type RateLimiterConfig = z.infer<typeof RateLimiterConfig>;
-
-type LimitConfigOverrideFunction = (authorizationValue: string) => Promise<unknown>;
-
-type Options = {
-  redis?: RedisOptions;
-  keyPrefix: string;
-  pathMatchers: (RegExp | string)[];
-  pathWhiteList?: (RegExp | string)[];
-  defaultLimiter: RateLimiterConfig;
-  limiterConfigOverride?: LimitConfigOverrideFunction;
-  limiterCache?: {
-    fresh: number;
-    stale: number;
-  };
-  log?: {
-    requests?: boolean;
-    rejections?: boolean;
-    limiter?: boolean;
-  };
-};
-
-async function resolveLimitConfig(
-  authorizationValue: string,
-  hashedAuthorizationValue: string,
-  defaultLimiter: RateLimiterConfig,
-  cache: UnkeyCache<{ limiter: RateLimiterConfig }>,
-  logsEnabled: boolean,
-  limiterConfigOverride?: LimitConfigOverrideFunction
-): Promise<RateLimiterConfig> {
-  if (!limiterConfigOverride) {
-    return defaultLimiter;
-  }
-
-  if (logsEnabled) {
-    logger.info("RateLimiter: checking for override", {
-      authorizationValue: hashedAuthorizationValue,
-      defaultLimiter,
-    });
-  }
-
-  const cacheResult = await cache.limiter.swr(hashedAuthorizationValue, async (key) => {
-    const override = await limiterConfigOverride(authorizationValue);
-
-    if (!override) {
-      if (logsEnabled) {
-        logger.info("RateLimiter: no override found", {
-          authorizationValue,
-          defaultLimiter,
-        });
-      }
-
-      return defaultLimiter;
-    }
-
-    const parsedOverride = RateLimiterConfig.safeParse(override);
-
-    if (!parsedOverride.success) {
-      logger.error("Error parsing rate limiter override", {
-        override,
-        errors: parsedOverride.error.errors,
-      });
-
-      return defaultLimiter;
-    }
-
-    if (logsEnabled && parsedOverride.data) {
-      logger.info("RateLimiter: override found", {
-        authorizationValue,
-        defaultLimiter,
-        override: parsedOverride.data,
-      });
-    }
-
-    return parsedOverride.data;
-  });
-
-  return cacheResult.val ?? defaultLimiter;
-}
-
-//returns an Express middleware that rate limits using the Bearer token in the Authorization header
-export function authorizationRateLimitMiddleware({
-  redis,
-  keyPrefix,
-  defaultLimiter,
-  pathMatchers,
-  pathWhiteList = [],
-  log = {
-    rejections: true,
-    requests: true,
-  },
-  limiterCache,
-  limiterConfigOverride,
-}: Options) {
-  const ctx = new DefaultStatefulContext();
-  const memory = new MemoryStore({ persistentMap: new Map() });
-  const redisCacheStore = new RedisCacheStore({
-    connection: {
-      keyPrefix: `cache:${keyPrefix}:rate-limit-cache:`,
-      ...redis,
-    },
-  });
-
-  // This cache holds the rate limit configuration for each org, so we don't have to fetch it every request
-  const cache = createCache({
-    limiter: new Namespace<RateLimiterConfig>(ctx, {
-      stores: [memory, redisCacheStore],
-      fresh: limiterCache?.fresh ?? 30_000,
-      stale: limiterCache?.stale ?? 60_000,
-    }),
-  });
-
-  const redisClient = createRedisRateLimitClient(
-    redis ?? {
-      port: env.REDIS_PORT,
-      host: env.REDIS_HOST,
-      username: env.REDIS_USERNAME,
-      password: env.REDIS_PASSWORD,
-      enableAutoPipelining: true,
-      ...(env.REDIS_TLS_DISABLED === "true" ? {} : { tls: {} }),
-    }
-  );
-
-  return async (req: ExpressRequest, res: ExpressResponse, next: NextFunction) => {
-    if (log.requests) {
-      logger.info(`RateLimiter (${keyPrefix}): request to ${req.path}`);
-    }
-
-    // allow OPTIONS requests
-    if (req.method.toUpperCase() === "OPTIONS") {
-      return next();
-    }
-
-    //first check if any of the pathMatchers match the request path
-    const path = req.path;
-    if (
-      !pathMatchers.some((matcher) =>
-        matcher instanceof RegExp ? matcher.test(path) : path === matcher
-      )
-    ) {
-      if (log.requests) {
-        logger.info(`RateLimiter (${keyPrefix}): didn't match ${req.path}`);
-      }
-      return next();
-    }
-
-    // Check if the path matches any of the whitelisted paths
-    if (
-      pathWhiteList.some((matcher) =>
-        matcher instanceof RegExp ? matcher.test(path) : path === matcher
-      )
-    ) {
-      if (log.requests) {
-        logger.info(`RateLimiter (${keyPrefix}): whitelisted ${req.path}`);
-      }
-      return next();
-    }
-
-    if (log.requests) {
-      logger.info(`RateLimiter (${keyPrefix}): matched ${req.path}`);
-    }
-
-    const authorizationValue = req.headers.authorization;
-    if (!authorizationValue) {
-      if (log.requests) {
-        logger.info(`RateLimiter (${keyPrefix}): no key`, { headers: req.headers, url: req.url });
-      }
-      res.setHeader("Content-Type", "application/problem+json");
-      return res.status(401).send(
-        JSON.stringify(
-          {
-            title: "Unauthorized",
-            status: 401,
-            type: "https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401",
-            detail: "No authorization header provided",
-            error: "No authorization header provided",
-          },
-          null,
-          2
-        )
-      );
-    }
-
-    const hash = createHash("sha256");
-    hash.update(authorizationValue);
-    const hashedAuthorizationValue = hash.digest("hex");
-
-    const limiterConfig = await resolveLimitConfig(
-      authorizationValue,
-      hashedAuthorizationValue,
-      defaultLimiter,
-      cache,
-      typeof log.limiter === "boolean" ? log.limiter : false,
-      limiterConfigOverride
-    );
-
-    const limiter =
-      limiterConfig.type === "fixedWindow"
-        ? Ratelimit.fixedWindow(limiterConfig.tokens, limiterConfig.window)
-        : limiterConfig.type === "tokenBucket"
-        ? Ratelimit.tokenBucket(
-            limiterConfig.refillRate,
-            limiterConfig.interval,
-            limiterConfig.maxTokens
-          )
-        : Ratelimit.slidingWindow(limiterConfig.tokens, limiterConfig.window);
-
-    const rateLimiter = new RateLimiter({
-      redisClient,
-      keyPrefix,
-      limiter,
-      logSuccess: log.requests,
-      logFailure: log.rejections,
-    });
-
-    const { success, limit, reset, remaining } = await rateLimiter.limit(hashedAuthorizationValue);
-
-    const $remaining = Math.max(0, remaining); // remaining can be negative if the user has exceeded the limit, so clamp it to 0
-
-    res.set("x-ratelimit-limit", limit.toString());
-    res.set("x-ratelimit-remaining", $remaining.toString());
-    res.set("x-ratelimit-reset", reset.toString());
-
-    if (success) {
-      return next();
-    }
-
-    res.setHeader("Content-Type", "application/problem+json");
-    const secondsUntilReset = Math.max(0, (reset - new Date().getTime()) / 1000);
-    return res.status(429).send(
-      JSON.stringify(
-        {
-          title: "Rate Limit Exceeded",
-          status: 429,
-          type: "https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/429",
-          detail: `Rate limit exceeded ${$remaining}/${limit} requests remaining. Retry in ${secondsUntilReset} seconds.`,
-          reset,
-          limit,
-          remaining,
-          secondsUntilReset,
-          error: `Rate limit exceeded ${$remaining}/${limit} requests remaining. Retry in ${secondsUntilReset} seconds.`,
-        },
-        null,
-        2
-      )
-    );
-  };
-}
+import { authorizationRateLimitMiddleware } from "./authorizationRateLimitMiddleware.server";
+import { Duration } from "./rateLimiter.server";
 
 export const apiRateLimiter = authorizationRateLimitMiddleware({
   keyPrefix: "api",
@@ -312,16 +16,24 @@ export const apiRateLimiter = authorizationRateLimitMiddleware({
     stale: 60_000 * 20, // Date is stale after 20 minutes
   },
   limiterConfigOverride: async (authorizationValue) => {
-    // TODO: we need to add an option to "allowJWT" auth and then handle this differently
     const authenticatedEnv = await authenticateAuthorizationHeader(authorizationValue, {
       allowPublicKey: true,
+      allowJWT: true,
     });
 
     if (!authenticatedEnv) {
       return;
     }
 
-    return authenticatedEnv.environment.organization.apiRateLimiterConfig;
+    if (authenticatedEnv.type === "PUBLIC_JWT") {
+      return {
+        type: "fixedWindow",
+        window: env.API_RATE_LIMIT_JWT_WINDOW,
+        tokens: env.API_RATE_LIMIT_JWT_TOKENS,
+      };
+    } else {
+      return authenticatedEnv.environment.organization.apiRateLimiterConfig;
+    }
   },
   pathMatchers: [/^\/api/],
   // Allow /api/v1/tasks/:id/callback/:secret