update rate-limit

ndcc/server/index.js

@@ -599,7 +599,7 @@ module.exports = async (app) =>{
                 }
             },
             {
-                plugin:require('./plugins/rateLimit.js'),    //upload
+                plugin:require('./plugins/rateLimit/index.js'),    //upload
                 options:{}
             },
             {

ndcc/server/lib/index.js

@@ -136,8 +136,12 @@ exports.plugin  = {
       path: '/test',
       options:{
         plugins:{
-          'hapi-rate-limit': {
-              enabled: false
+          'rate-limit': {
+            "userPathLimit":1,                                   
+            "userPathCache":{
+                "segment":"ZhIWjVHdVLruss7eFn",  
+                "expiresIn":1000  
+            }
           }
         }
       },
@@ -226,7 +230,7 @@ exports.plugin  = {
     server.route({
       method: 'GET',
       path: '/_next/{p*}',
-      options:{plugins: {'hapi-rate-limit': {enabled: false } }},
+      options:{plugins: {'rate-limit': {enabled: false } }},
       handler: async ({raw},h)=>{
         await handler(raw.req,raw.res);
         if (raw.res.headersSent) { return h.close;}
@@ -238,7 +242,7 @@ exports.plugin  = {
     server.route({
       method: 'GET',
       path: '/pwa/{p*}',
-      options:{plugins: {'hapi-rate-limit': { enabled: false}}},
+      options:{plugins: {'rate-limit': { enabled: false}}},
       handler: async ({ url}, h) => {
         try {
           let pathname = url.pathname;
@@ -257,7 +261,7 @@ exports.plugin  = {
     server.route({
       method: 'GET',
       path: '/sw.js',
-      options:{plugins: {'hapi-rate-limit': { enabled: false}}},
+      options:{plugins: {'rate-limit': { enabled: false}}},
       handler: async ({ url}, h) => {
         try {
           let pathname = url.pathname;
@@ -615,10 +619,10 @@ exports.plugin  = {
         auth: 'auth',
         plugins: {
           //限制用户每5s只能上传一次
-          "hapi-rate-limit": {
+          "rate-limit": {
               "userPathLimit":Number(uploadRequestsPerSecond.split('/')[0]),                                
               "userPathCache":{
-                  "segment":`hapi-rate-limit-user-upload-${server.info.port}`,    
+                  "segment":`rate-limit-user-upload-${server.info.port}`,    
                   "expiresIn":Number(uploadRequestsPerSecond.split('/')[1])                      
               }
           } 

ndcc/server/plugins/{rateLimit.js → rateLimit/index.js}

@@ -1,6 +1,6 @@
 
 'use strict';
-const {Error} = require('../lib/think');
+const {Error} = require('../../lib/think');
 exports.plugin  = {
     pkg: {
         "name": "rateLimit",
@@ -9,8 +9,7 @@ exports.plugin  = {
     register: async function (server, options) {
         const {requestsPerSecond} = server.settings.app.systemConfig.Config
 
-        //使用的hapi-rate-limit插件，再次封装而已 参考 https://www.npmjs.com/package/hapi-rate-limit
-        const pkgName = "hapi-rate-limit"
+        //使用的hapi-rate-limit插件，再次封装而已,pak name吸修改为rate-limit 参考 https://www.npmjs.com/package/rate-limit
         await server.ext('onPreAuth', function (request, h) {
             // if(request.route.path === "/api/{action*}"){
             //     // console.log(requestsPerSecond,'============')
@@ -19,10 +18,10 @@ exports.plugin  = {
             //无需单独写，后台路由配置直接覆盖即可，参考
             // "options":{
             //     "plugins": {
-            //         "hapi-rate-limit": {
+            //         "rate-limit": {
             //             "userPathLimit":1,                                
             //             "userPathCache":{
-            //                 "segment":"ZhIWjVHdVLru7eFn",    //填写路由id就行了
+            //                 "segment":"ZhIWjVHdVLru7eFn",     //填写路由id就行了
             //                 "expiresIn":1000                          //过期时间
             //             }
             //         } 
@@ -34,7 +33,7 @@ exports.plugin  = {
         });
 
         await server.register({
-            plugin:require('hapi-rate-limit'),
+            plugin:require('./lib/index'),
             options: {
               enabled:true,    
               trustProxy:true,
@@ -42,7 +41,7 @@ exports.plugin  = {
               userPathLimit:false,       //每个用户每个时间段在给定路径上可以发出的请求总数
               userLimit:Number(requestsPerSecond.split('/')[0]),       //用户每个时间段可以发出的总请求数
               userCache:{
-                segment:`hapi-rate-limit-user-${server.info.port}`,  
+                segment:`ndcc-rate-limit-user-${server.info.port}`,  
                 expiresIn:Number(requestsPerSecond.split('/')[1])                    
               },
             }

ndcc/server/plugins/rateLimit/lib/index.js

@@ -0,0 +1,120 @@
+'use strict'
+
+const Joi = require('joi')
+const Pkg = {
+  name:"rate-limit"
+}
+
+const internals = require('./internals')
+
+const register = function (plugin, options) {
+  const pluginSettings = Joi.attempt(Object.assign({}, options), internals.schema)
+
+  // we call toString on the user attribute in getUser, so we have to do it here too.
+  pluginSettings.userWhitelist = pluginSettings.userWhitelist.map(user => user.toString())
+
+  const userCache = plugin.cache(pluginSettings.userCache)
+  const pathCache = plugin.cache(pluginSettings.pathCache)
+  const userPathCache = plugin.cache(pluginSettings.userPathCache)
+  const authCache = plugin.cache(pluginSettings.authCache)
+
+  // called regardless if authentication is performed, before authentication is performed
+  plugin.ext('onPreAuth', async (request, h) => {
+    const routeSettings = request.route.settings.plugins[internals.pluginName] || {}
+
+    delete routeSettings.userCache
+
+    if (routeSettings.userLimit !== false) {
+      delete routeSettings.userLimit
+    }
+
+    const settings = { ...pluginSettings, ...routeSettings }
+
+    request.plugins[internals.pluginName] = { settings }
+
+    if (settings.enabled === false) {
+      return h.continue
+    }
+
+    const remaining = await internals.authCheck(authCache, request)
+
+    if (remaining < 0) {
+      return settings.limitExceededResponse(request, h)
+    }
+
+    return h.continue
+  })
+
+  // called regardless if authentication is performed, but not if authentication fails
+  plugin.ext('onPostAuth', async (request, h) => {
+    const { settings } = request.plugins[internals.pluginName]
+
+    if (settings.enabled === false) {
+      return h.continue
+    }
+
+    const remaining = await Promise.all([
+      internals.userCheck(userCache, request),
+      internals.userPathCheck(userPathCache, request),
+      internals.pathCheck(pathCache, request)
+    ])
+
+    if (remaining.some(r => r < 0)) {
+      return settings.limitExceededResponse(request, h)
+    }
+
+    return h.continue
+  })
+
+  // always called, unless the request is aborted
+  plugin.ext('onPreResponse', async (request, h) => {
+    const requestPlugin = request.plugins[internals.pluginName]
+
+    if (!requestPlugin) {
+      // We never even made it to onPreAuth
+      return h.continue
+    }
+
+    const { response } = request
+
+    // Non 401s can include authToken in their data and if it's there it counts
+    if (response.isBoom) {
+      await internals.authFailure(authCache, request)
+    }
+
+    const { settings } = requestPlugin
+
+    if (settings.headers !== false) {
+      let headers = response.headers
+
+      if (response.isBoom) {
+        headers = response.output.headers
+      }
+
+      if (settings.pathLimit !== false) {
+        headers['X-RateLimit-PathLimit'] = requestPlugin.pathLimit
+        headers['X-RateLimit-PathRemaining'] = requestPlugin.pathRemaining
+        headers['X-RateLimit-PathReset'] = requestPlugin.pathReset
+      }
+
+      if (settings.userPathLimit !== false) {
+        headers['X-RateLimit-UserPathLimit'] = requestPlugin.userPathLimit
+        headers['X-RateLimit-UserPathRemaining'] = requestPlugin.userPathRemaining
+        headers['X-RateLimit-UserPathReset'] = requestPlugin.userPathReset
+      }
+
+      if (settings.userLimit !== false) {
+        headers['X-RateLimit-UserLimit'] = requestPlugin.userLimit
+        headers['X-RateLimit-UserRemaining'] = requestPlugin.userRemaining
+        headers['X-RateLimit-UserReset'] = requestPlugin.userReset
+      }
+    }
+
+    return h.continue
+  })
+}
+
+module.exports = {
+  register,
+  pkg: Pkg
+}

ndcc/server/plugins/rateLimit/lib/internals.js

@@ -0,0 +1,304 @@
+const Crypto = require('crypto')
+const Boom = require('@hapi/boom')
+const Hoek = require('@hapi/hoek')
+const Joi = require('joi')
+
+const pluginName = 'rate-limit'
+
+const schema = Joi.object({
+  enabled: Joi.boolean().default(true),
+  addressOnly: Joi.boolean().default(false),
+  headers: Joi.boolean().default(true),
+  ipWhitelist: Joi.array().default([]),
+  authCache: Joi.object({
+    getDecoratedValue: Joi.boolean().default(true),
+    cache: Joi.string().optional(),
+    segment: Joi.string().default(`${pluginName}-auth`),
+    expiresIn: Joi.number().default(1 * 60 * 1000) // 1 minute
+  }).default(),
+  authToken: Joi.string().default('authToken'),
+  authLimit: Joi.alternatives()
+    .try(Joi.boolean(), Joi.number())
+    .default(5),
+  pathCache: Joi.object({
+    getDecoratedValue: Joi.boolean().default(true),
+    cache: Joi.string().optional(),
+    segment: Joi.string().default(`${pluginName}-path`),
+    expiresIn: Joi.number().default(1 * 60 * 1000) // 1 minute
+  }).default(),
+  pathLimit: Joi.alternatives()
+    .try(Joi.boolean(), Joi.number())
+    .default(50),
+  ignorePathParams: Joi.boolean().default(false),
+  trustProxy: Joi.boolean().default(false),
+  getIpFromProxyHeader: Joi.func().default(null),
+  proxyHeaderName: Joi.string().default('x-forwarded-for'),
+  userAttribute: Joi.string().default('id'),
+  userCache: Joi.object({
+    getDecoratedValue: Joi.boolean().default(true),
+    cache: Joi.string().optional(),
+    segment: Joi.string().default(`${pluginName}-user`),
+    expiresIn: Joi.number().default(10 * 60 * 1000) // 10 minutes
+  }).default(),
+  userLimit: Joi.alternatives()
+    .try(Joi.boolean(), Joi.number())
+    .default(300),
+  userWhitelist: Joi.array().default([]),
+  userPathCache: Joi.object({
+    getDecoratedValue: Joi.boolean().default(true),
+    cache: Joi.string().optional(),
+    segment: Joi.string().default(`${pluginName}-userPath`),
+    expiresIn: Joi.number().default(1 * 60 * 1000) // 1 minute
+  }).default(),
+  userPathLimit: Joi.alternatives()
+    .try(Joi.boolean(), Joi.number())
+    .default(false),
+  limitExceededResponse: Joi.func().default(() => {
+    return limitExceededResponse
+  })
+})
+
+function getUser (request, settings) {
+  if (request.auth.isAuthenticated) {
+    const user = Hoek.reach(request.auth.credentials, settings.userAttribute)
+    if (user !== undefined) {
+      return user.toString()
+    }
+  }
+}
+
+function getIP (request, settings) {
+  let ip
+
+  if (settings.trustProxy && request.headers[settings.proxyHeaderName]) {
+    if (settings.getIpFromProxyHeader) {
+      ip = settings.getIpFromProxyHeader(request.headers[settings.proxyHeaderName])
+    } else {
+      const ips = request.headers[settings.proxyHeaderName].split(',')
+      ip = ips[0]
+    }
+  }
+
+  if (ip === undefined) {
+    ip = request.info.remoteAddress
+  }
+
+  return ip
+}
+
+async function authFailure (authCache, request) {
+  const requestPlugin = request.plugins[pluginName]
+  const settings = requestPlugin.settings
+  if (settings.authLimit === false) {
+    return
+  }
+
+  const ip = getIP(request, settings)
+
+  const { value, cached } = await authCache.get(ip)
+
+  let token
+
+  token = Hoek.reach(request, `auth.artifacts.${settings.authToken}`)
+
+  if (!token) {
+    token = Hoek.reach(request, `auth.error.data.${settings.authToken}`)
+  }
+
+  if (!token) {
+    return
+  }
+
+  const tokenHash = Crypto.createHash('sha1')
+    .update(token)
+    .digest('hex')
+    .slice(0, 6)
+
+  let tokens
+  let ttl = settings.userPathCache.expiresIn
+
+  /* $lab:coverage:off$ */
+  if (value === null || cached.isStale) {
+    /* $lab:coverage:on$ */
+    tokens = new Set([tokenHash])
+  } else {
+    ttl = cached.ttl
+    tokens = new Set([...value, tokenHash])
+  }
+
+  // Sets don't stringify so we cast to an array before storing in the cache
+  await authCache.set(ip, Array.from(tokens), ttl)
+}
+
+async function authCheck (authCache, request) {
+  const requestPlugin = request.plugins[pluginName]
+  const settings = requestPlugin.settings
+  if (settings.authLimit === false) {
+    requestPlugin.authLimit = false
+    return
+  }
+
+  const ip = getIP(request, settings)
+  const { value, cached } = await authCache.get(ip)
+
+  /* $lab:coverage:off$ */
+  if (value === null || cached.isStale) {
+    /* $lab:coverage:on$ */
+    return
+  }
+
+  const badIps = new Set(value)
+  const remaining = settings.authLimit - badIps.size
+
+  return remaining
+}
+
+async function pathCheck (pathCache, request) {
+  const requestPlugin = request.plugins[pluginName]
+  const settings = requestPlugin.settings
+  const path = settings.ignorePathParams ? request.route.path : request.path
+
+  if (settings.pathLimit === false) {
+    requestPlugin.pathLimit = false
+    return
+  }
+
+  const { value, cached } = await pathCache.get(path)
+  let count
+  let ttl = settings.pathCache.expiresIn
+
+  /* $lab:coverage:off$ */
+  if (value === null || cached.isStale) {
+    /* $lab:coverage:on$ */
+    count = 1
+  } else {
+    count = value + 1
+    ttl = cached.ttl
+  }
+
+  let remaining = settings.pathLimit - count
+  if (remaining < 0) {
+    remaining = -1
+  }
+
+  await pathCache.set(path, count, ttl)
+
+  requestPlugin.pathLimit = settings.pathLimit
+  requestPlugin.pathRemaining = remaining
+  requestPlugin.pathReset = Date.now() + ttl
+
+  return remaining
+}
+
+async function userCheck (userCache, request) {
+  const requestPlugin = request.plugins[pluginName]
+  const settings = requestPlugin.settings
+  const ip = getIP(request, settings)
+  let user = getUser(request, settings)
+  if (
+    settings.ipWhitelist.indexOf(ip) > -1 ||
+        (user && settings.userWhitelist.indexOf(user) > -1) ||
+        settings.userLimit === false
+  ) {
+    requestPlugin.userLimit = false
+    return
+  }
+
+  if (settings.addressOnly || user === undefined) {
+    user = ip
+  }
+
+  const { value, cached } = await userCache.get(user)
+
+  let count
+  let ttl = settings.userCache.expiresIn
+
+  /* $lab:coverage:off$ */
+  if (value === null || cached.isStale) {
+    /* $lab:coverage:on$ */
+    count = 1
+  } else {
+    count = value + 1
+    ttl = cached.ttl
+  }
+
+  let remaining = settings.userLimit - count
+  if (remaining < 0) {
+    remaining = -1
+  }
+
+  await userCache.set(user, count, ttl)
+
+  requestPlugin.userLimit = settings.userLimit
+  requestPlugin.userRemaining = remaining
+  requestPlugin.userReset = Date.now() + ttl
+
+  return remaining
+}
+
+async function userPathCheck (userPathCache, request) {
+  const requestPlugin = request.plugins[pluginName]
+  const settings = requestPlugin.settings
+  const ip = getIP(request, settings)
+  let user = getUser(request, settings)
+  const path = settings.ignorePathParams ? request.route.path : request.path
+
+  if (
+    settings.ipWhitelist.indexOf(ip) > -1 ||
+        (user && settings.userWhitelist.indexOf(user) > -1) ||
+        settings.userPathLimit === false
+  ) {
+    requestPlugin.userPathLimit = false
+    return
+  }
+
+  if (settings.addressOnly || user === undefined) {
+    user = ip
+  }
+
+  const userPath = `${user}:${path}`
+
+  const { value, cached } = await userPathCache.get(userPath)
+
+  let count
+  let ttl = settings.userPathCache.expiresIn
+
+  /* $lab:coverage:off$ */
+  if (value === null || cached.isStale) {
+    /* $lab:coverage:on$ */
+    count = 1
+  } else {
+    count = value + 1
+    ttl = cached.ttl
+  }
+
+  let remaining = settings.userPathLimit - count
+  if (remaining < 0) {
+    remaining = -1
+  }
+
+  await userPathCache.set(userPath, count, ttl)
+
+  requestPlugin.userPathLimit = settings.userPathLimit
+  requestPlugin.userPathRemaining = remaining
+  requestPlugin.userPathReset = Date.now() + ttl
+
+  return remaining
+}
+
+function limitExceededResponse () {
+  return Boom.tooManyRequests('Rate limit exceeded')
+}
+
+module.exports = {
+  authCheck,
+  authFailure,
+  getIP,
+  getUser,
+  limitExceededResponse,
+  pathCheck,
+  pluginName,
+  schema,
+  userCheck,
+  userPathCheck
+}

ndcc/server/plugins/route.js

@@ -97,7 +97,7 @@ exports.plugin  = {
                         collection === "plugins" ? server.match('POST', `/plugins/${_id}`) : server.match('GET', `/${_id}`);  //添加时默认是这样  
                     if(!route){
                         const options = collection === "api" ? {auth: 'auth'} : 
-                            collection === 'plugins' ? { isInternal:true,payload: {parse: false,  output: 'stream'},plugins: {'hapi-rate-limit': {enabled: false } }} : 
+                            collection === 'plugins' ? { isInternal:true,payload: {parse: false,  output: 'stream'},plugins: {'rate-limit': {enabled: false } }} : 
                             {}
                         
                         //添加插件需要注入到server.settings.app.plugins
@@ -242,7 +242,7 @@ exports.plugin  = {
                 server.route({ 
                     method: ['POST'], 
                     path: `/plugins/${_id}`, 
-                    options:{ isInternal:true,payload: {parse: false,  output: 'stream'},plugins: {'hapi-rate-limit': {enabled: false } }},
+                    options:{ isInternal:true,payload: {parse: false,  output: 'stream'},plugins: {'rate-limit': {enabled: false } }},
                     handler: pluginsHandler(_id)
                 });
             })