Rate limiting

A way to avoid too many requests at once from a single source.

If a malicious person wishes, they can bombard our server with requests, throttling it. Fortunately, it's quite simple to avoid this kind of situation. Nest has integration with a Throttler, which limits the amount of requests that a route may receive in a time interval from the same source. This process is called Rate Limiting.

First, we should install it.

yarn add @nestjs/throttler

Now, create the file auth -> util -> auth.constants to store the options we'll use for the throttler. In this specific case, we should insert the options inside an array.

export const THROTTLER_MODULE_OPTIONS: ThrottlerModuleOptions = [
  {
    ttl: 60,
    limit: 10,
  },
];

With this, when a request arrives, it is "remembered" for the time defined in the ttl option. If the amount of requests from the same source reaches the value of the limit option, no more requests will be accepted until old ones are "forgotten" first. Roughly speaking, this means that, in each route, for a time interval of 60 seconds, only 10 requests from the same source will be accepted.

Then, in the imports of the AuthModule, we can add the ThrottlerModule.

ThrottlerModule.forRoot(THROTTLER_MODULE_OPTIONS),

After this, in the providers of the AuthModule, we can enable the ThrottlerGuard globally.

{
  provide: APP_GUARD,
  useClass: ThrottlerGuard,
},

We can also have finer control over this process if desired, using decorators that change a specific behavior for a certain route or controller. For example:

• @SkipThrottle() - Disables the throttler (may receive false to not disable it)

• @Throttle() - Overrides the values of ttl and limit

Commit - Using rate limiting to protect against brute force attacks