
Commit 63a717f

authored
Ipv6 rate limit key error (#46)
1 parent 3a3cfdb commit 63a717f

2 files changed

Lines changed: 16 additions & 5 deletions


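--- a/docs/skills/epic-security/SKILL.md
+++ b/docs/skills/epic-security/SKILL.md
@@ -196,7 +196,7 @@ Epic Stack uses `express-rate-limit` para prevenir abuso.
 
 ```typescript
 // server/index.ts
-import rateLimit from 'express-rate-limit'
+import rateLimit, { ipKeyGenerator } from 'express-rate-limit'
 
 const rateLimitDefault = {
 windowMs: 60 * 1000, // 1 minute
@@ -205,7 +205,8 @@ const rateLimitDefault = {
 legacyHeaders: false,
 validate: { trustProxy: false },
 keyGenerator: (req: express.Request) => {
-return req.get('fly-client-ip') ?? `${req.ip}`
+const clientIp = req.get('fly-client-ip') ?? req.ip
+return ipKeyGenerator(clientIp)
 },
 }
 
@@ -508,13 +509,18 @@ export default function SignupRoute({ actionData }: Route.ComponentProps) {
 
 ```typescript
 // server/index.ts
+import { ipKeyGenerator } from 'express-rate-limit'
 const apiRateLimit = rateLimit({
 ...rateLimitDefault,
 windowMs: 60 * 1000,
 limit: 100, // 100 requests per minute for API
 keyGenerator: (req) => {
 const apiKey = req.get('X-API-Key')
-return apiKey ?? req.get('fly-client-ip') ?? req.ip
+if (apiKey) {
+return apiKey
+}
+const clientIp = req.get('fly-client-ip') ?? req.ip
+return ipKeyGenerator(clientIp)
 },
 })
 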
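--- a/server/index.ts
+++ b/server/index.ts
@@ -4,7 +4,7 @@ import chalk from 'chalk'
 import closeWithGrace from 'close-with-grace'
 import compression from 'compression'
 import express from 'express'
-import rateLimit from 'express-rate-limit'
+import rateLimit, { ipKeyGenerator } from 'express-rate-limit'
 import getPort, { portNumbers } from 'get-port'
 import helmet from 'helmet'
 import morgan from 'morgan'
@@ -128,7 +128,12 @@ const rateLimitDefault = {
 // When sitting behind a CDN such as cloudflare, replace fly-client-ip with the CDN
 // specific header such as cf-connecting-ip
 keyGenerator: (req: express.Request) => {
-return req.get('fly-client-ip') ?? `${req.ip}`
+const clientIp: string =
+req.get('fly-client-ip') ??
+req.ip ??
+req.socket.remoteAddress ??
+'0.0.0.0'
+return ipKeyGenerator(clientIp)
 },
 }
 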
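Review bot: The key in the second hunk (new lines 131-136) passes the raw `fly-client-ip` header value to `ipKeyGenerator` without checking that it parses as an address, and as far as I can tell `ipKeyGenerator` only normalises strings it recognises as IPv6 and returns anything else unchanged, so an unparseable header value becomes the bucket key verbatim; binding the header first with `const headerIp = req.get('fly-client-ip')` and using `(headerIp && isIP(headerIp) ? headerIp : undefined) ??` as the first operand (with `isIP` imported from `node:net`) keeps the subnet normalisation meaningful on every path. The `'0.0.0.0'` fallback merges every request whose address cannot be determined into a single shared bucket; that reads as a deliberate fail-closed choice, so it deserves a comment such as `// Fail closed: clients with no resolvable address share one bucket instead of bypassing the limit`. The SKILL.md hunks document the shorter `req.get('fly-client-ip') ?? req.ip` chain without the socket and `'0.0.0.0'` fallbacks, so the docs and the implementation now disagree on what `clientIp` can be. The enclosing `rateLimitDefault` object starts before this hunk.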