Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated:
1
00:00:01,140 --> 00:00:04,000
In this lecture let's implement rate limiting
2
00:00:04,000 --> 00:00:06,120
in order to prevent the same IP
3
00:00:06,120 --> 00:00:09,130
from making too many requests to our API
4
00:00:09,130 --> 00:00:11,730
and that will then help us preventing attacks
5
00:00:11,730 --> 00:00:14,893
like denial of service, or brute force attacks.
6
00:00:16,470 --> 00:00:19,230
So, that rate limiter will be implemented
7
00:00:19,230 --> 00:00:21,920
as a global middleware function.
8
00:00:21,920 --> 00:00:24,830
So, basically, what the rate limiter is gonna do,
9
00:00:24,830 --> 00:00:28,490
is to count the number of requests coming from one IP
10
00:00:28,490 --> 00:00:30,249
and then, when there are too many requests,
11
00:00:30,249 --> 00:00:32,970
block these requests, okay?
12
00:00:32,970 --> 00:00:35,400
And so it makes sense to implement that
13
00:00:35,400 --> 00:00:39,901
in a global middleware, so, we do that in app.js.
14
00:00:39,901 --> 00:00:43,410
So, we haven't used this one in a long time,
15
00:00:43,410 --> 00:00:45,550
and the rate limiter that we're going to use
16
00:00:45,550 --> 00:00:49,430
is an npm package called Express Rate Limit.
17
00:00:49,430 --> 00:00:50,803
So lets install that.
18
00:00:52,800 --> 00:00:57,800
npm i express-rate-limit, alright.
19
00:01:01,770 --> 00:01:04,852
And then, here at the top of our application,
20
00:01:08,440 --> 00:01:12,430
let's call it rateLimit and then require
21
00:01:13,329 --> 00:01:17,400
the express and actually it's already here
22
00:01:17,400 --> 00:01:21,440
So VS code grabs this name from our package.json file.
23
00:01:21,440 --> 00:01:23,660
Okay, and this name that I gave it here
24
00:01:23,660 --> 00:01:26,320
usually comes from the documentation.
25
00:01:26,320 --> 00:01:28,760
So if they do it like this in the documentation,
26
00:01:28,760 --> 00:01:32,340
well, then that's the way that I follow as well.
27
00:01:32,340 --> 00:01:34,503
Okay, so let's now use this middleware
28
00:01:34,503 --> 00:01:37,990
right here at the top of our global middlewares,
29
00:01:37,990 --> 00:01:39,940
let's actually write that here, global.
30
00:01:41,190 --> 00:01:44,693
And we start by creating a limiter.
31
00:01:48,520 --> 00:01:51,410
So limiter, and we do that by calling
32
00:01:51,410 --> 00:01:55,260
the rateLimit function that we just defined up there.
33
00:01:55,260 --> 00:01:58,000
So rateLimit is a function which receives
34
00:01:58,000 --> 00:02:01,090
an object of options, okay?
35
00:02:01,090 --> 00:02:03,080
And in here, we can basically define
36
00:02:03,080 --> 00:02:06,230
how many requests per IP we are going to allow
37
00:02:06,230 --> 00:02:08,250
in a certain amount of time.
38
00:02:08,250 --> 00:02:11,900
So we can specify the max property,
39
00:02:11,900 --> 00:02:16,200
which I'm gonna set to 100, and then also the window,
40
00:02:16,200 --> 00:02:19,070
so the time window, okay?
41
00:02:19,070 --> 00:02:21,260
So what I want to allow here is basically,
42
00:02:21,260 --> 00:02:23,380
100 requests per hour.
43
00:02:23,380 --> 00:02:27,360
And this here actually called window milliseconds.
44
00:02:27,360 --> 00:02:31,323
Okay, and so we want one hour so 60 minutes,
45
00:02:32,750 --> 00:02:37,720
times 60 for seconds, times 1,000 for milliseconds.
46
00:02:37,720 --> 00:02:40,520
Alright, so again, what this will do
47
00:02:40,520 --> 00:02:45,033
is to allow 100 requests from the same IP in one hour.
48
00:02:45,890 --> 00:02:48,210
Okay, and if that limit is then crossed
49
00:02:48,210 --> 00:02:51,860
by a certain IP, they will get back an error message.
50
00:02:51,860 --> 00:02:54,603
And here we can now specify that message.
51
00:02:58,550 --> 00:03:02,543
Too many requests from this IP,
52
00:03:05,160 --> 00:03:10,160
please try again in an hour, alright,
53
00:03:10,320 --> 00:03:12,540
so we kind of need to find a balance
54
00:03:12,540 --> 00:03:14,980
which works best for our application.
55
00:03:14,980 --> 00:03:16,900
For example, if you're building an API,
56
00:03:16,900 --> 00:03:20,250
which really needs a lot of requests for one IP,
57
00:03:20,250 --> 00:03:22,780
then of course, this number here should be greater.
58
00:03:22,780 --> 00:03:25,770
So don't just follow blindly what I just put here,
59
00:03:25,770 --> 00:03:28,410
but really adapt it to your own application
60
00:03:28,410 --> 00:03:30,100
so that you don't make it unusable
61
00:03:30,100 --> 00:03:32,173
because of this limiter, all right?
62
00:03:33,660 --> 00:03:37,480
Anyway, this limiter now here that we just created
63
00:03:37,480 --> 00:03:40,653
is basically a middleware function okay?
64
00:03:41,630 --> 00:03:44,320
So, rateLimit is a function which will,
65
00:03:44,320 --> 00:03:47,470
based on our objects, create a middleware function,
66
00:03:47,470 --> 00:03:52,223
which we now can use using app.use just like we did before.
67
00:03:53,990 --> 00:03:56,490
And we can do it simply like this.
68
00:03:56,490 --> 00:03:58,450
But what we actually want is to basically
69
00:03:58,450 --> 00:04:00,713
limit access to our API route.
70
00:04:01,810 --> 00:04:04,050
So, we can specify that here,
71
00:04:04,050 --> 00:04:07,300
remember that we can do that with middleware.
72
00:04:07,300 --> 00:04:10,720
And so, we basically want to apply this limiter
73
00:04:10,720 --> 00:04:13,370
only to a slash API, okay?
74
00:04:13,370 --> 00:04:15,700
And so that will then affect all of the routes
75
00:04:15,700 --> 00:04:18,959
that basically start with this, your app
76
00:04:18,959 --> 00:04:21,615
so forward slash API, great.
77
00:04:21,615 --> 00:04:25,140
So let's go back to our main tab here.
78
00:04:25,140 --> 00:04:29,140
Give it a save, and now let's actually try this
79
00:04:29,140 --> 00:04:31,330
and let's do it here with the simplest one,
80
00:04:31,330 --> 00:04:35,850
so get all tours, then here is our result
81
00:04:35,850 --> 00:04:39,600
and now what I want to show you is these headers here.
82
00:04:39,600 --> 00:04:42,720
So our rate limiter creates these two headers
83
00:04:42,720 --> 00:04:47,720
so the RateLimit-Limit, and the RateLimit-Remaining, okay?
84
00:04:47,910 --> 00:04:50,870
So we start with 100 just as we defined,
85
00:04:50,870 --> 00:04:53,130
and now we have remaining, 99,
86
00:04:53,130 --> 00:04:56,666
because we already did one request, right?
87
00:04:56,666 --> 00:05:00,000
So what happens if we do one other one?
88
00:05:00,000 --> 00:05:02,853
Let's do it with Get Tour, for example,
89
00:05:04,520 --> 00:05:06,550
and there's no tour with that ID,
90
00:05:06,550 --> 00:05:08,890
but that doesn't matter, what matters here
91
00:05:08,890 --> 00:05:12,660
is that the remaining is now down to 98.
92
00:05:12,660 --> 00:05:15,010
And if we try it again, then you'll see
93
00:05:15,010 --> 00:05:19,210
it's even down further to 97 okay?
94
00:05:19,210 --> 00:05:21,620
And actually down here, we also have the reset.
95
00:05:21,620 --> 00:05:25,990
So basically the timestamp where it is resetted okay?
96
00:05:25,990 --> 00:05:28,833
So that one hour window that we specified before.
97
00:05:29,760 --> 00:05:34,069
Okay, now if in between this our app is restarted,
98
00:05:34,069 --> 00:05:37,410
so in order to do that I will simply save.
99
00:05:37,410 --> 00:05:40,920
Let's see what happens then, okay,
100
00:05:40,920 --> 00:05:43,200
so I'm sending it again, and so now
101
00:05:43,200 --> 00:05:45,910
we're back starting from the beginning basically.
102
00:05:45,910 --> 00:05:49,440
Okay, so our app cannot crash during this time
103
00:05:49,440 --> 00:05:51,350
because otherwise, that will basically then
104
00:05:51,350 --> 00:05:54,093
reset the limit as well okay?
105
00:05:55,260 --> 00:05:59,670
Now, let's actually try to see the error message,
106
00:05:59,670 --> 00:06:04,670
and so I will take down this maximum to just three okay?
107
00:06:04,870 --> 00:06:09,370
And save it here, send this request,
108
00:06:09,370 --> 00:06:10,790
and in our headers we now see
109
00:06:10,790 --> 00:06:14,610
we have only two remaining, let's try another one
110
00:06:14,610 --> 00:06:18,190
and so now zero remaining, so this
111
00:06:18,190 --> 00:06:21,180
probably was our last one, let's see the body,
112
00:06:21,180 --> 00:06:23,350
so this time, we still got data,
113
00:06:23,350 --> 00:06:27,087
but if we now try it again, we got an error.
114
00:06:27,087 --> 00:06:29,113
Roo many requests from this IP.
115
00:06:29,113 --> 00:06:31,190
And then it will automatically set
116
00:06:31,190 --> 00:06:36,190
the status code to 429 which means too many requests.
117
00:06:36,190 --> 00:06:39,560
Okay, and so again, this will help us try
118
00:06:39,560 --> 00:06:43,810
to prevent denial of service and also brute force attacks
119
00:06:43,810 --> 00:06:46,270
where an attacker tries to guess
120
00:06:46,270 --> 00:06:48,877
the password of some user, basically by using
121
00:06:48,877 --> 00:06:51,900
as the name says, brute force.
122
00:06:51,900 --> 00:06:54,644
Okay, so that is API limiting,
123
00:06:54,644 --> 00:06:57,030
quite straightforward to implement
124
00:06:57,030 --> 00:06:59,363
with this Express Rate Limit package.
9932
Can't find what you're looking for?
Get subtitles in any language from opensubtitles.com, and translate them here.