Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:01,140 --> 00:00:04,000 In this lecture let's implement rate limiting 2 00:00:04,000 --> 00:00:06,120 in order to prevent the same IP 3 00:00:06,120 --> 00:00:09,130 from making too many requests to our API 4 00:00:09,130 --> 00:00:11,730 and that will then help us preventing attacks 5 00:00:11,730 --> 00:00:14,893 like denial of service, or brute force attacks. 6 00:00:16,470 --> 00:00:19,230 So, that rate limiter will be implemented 7 00:00:19,230 --> 00:00:21,920 as a global middleware function. 8 00:00:21,920 --> 00:00:24,830 So, basically, what the rate limiter is gonna do, 9 00:00:24,830 --> 00:00:28,490 is to count the number of requests coming from one IP 10 00:00:28,490 --> 00:00:30,249 and then, when there are too many requests, 11 00:00:30,249 --> 00:00:32,970 block these requests, okay? 12 00:00:32,970 --> 00:00:35,400 And so it makes sense to implement that 13 00:00:35,400 --> 00:00:39,901 in a global middleware, so, we do that in app.js. 14 00:00:39,901 --> 00:00:43,410 So, we haven't used this one in a long time, 15 00:00:43,410 --> 00:00:45,550 and the rate limiter that we're going to use 16 00:00:45,550 --> 00:00:49,430 is an npm package called Express Rate Limit. 17 00:00:49,430 --> 00:00:50,803 So lets install that. 18 00:00:52,800 --> 00:00:57,800 npm i express-rate-limit, alright. 19 00:01:01,770 --> 00:01:04,852 And then, here at the top of our application, 20 00:01:08,440 --> 00:01:12,430 let's call it rateLimit and then require 21 00:01:13,329 --> 00:01:17,400 the express and actually it's already here 22 00:01:17,400 --> 00:01:21,440 So VS code grabs this name from our package.json file. 23 00:01:21,440 --> 00:01:23,660 Okay, and this name that I gave it here 24 00:01:23,660 --> 00:01:26,320 usually comes from the documentation. 25 00:01:26,320 --> 00:01:28,760 So if they do it like this in the documentation, 26 00:01:28,760 --> 00:01:32,340 well, then that's the way that I follow as well. 27 00:01:32,340 --> 00:01:34,503 Okay, so let's now use this middleware 28 00:01:34,503 --> 00:01:37,990 right here at the top of our global middlewares, 29 00:01:37,990 --> 00:01:39,940 let's actually write that here, global. 30 00:01:41,190 --> 00:01:44,693 And we start by creating a limiter. 31 00:01:48,520 --> 00:01:51,410 So limiter, and we do that by calling 32 00:01:51,410 --> 00:01:55,260 the rateLimit function that we just defined up there. 33 00:01:55,260 --> 00:01:58,000 So rateLimit is a function which receives 34 00:01:58,000 --> 00:02:01,090 an object of options, okay? 35 00:02:01,090 --> 00:02:03,080 And in here, we can basically define 36 00:02:03,080 --> 00:02:06,230 how many requests per IP we are going to allow 37 00:02:06,230 --> 00:02:08,250 in a certain amount of time. 38 00:02:08,250 --> 00:02:11,900 So we can specify the max property, 39 00:02:11,900 --> 00:02:16,200 which I'm gonna set to 100, and then also the window, 40 00:02:16,200 --> 00:02:19,070 so the time window, okay? 41 00:02:19,070 --> 00:02:21,260 So what I want to allow here is basically, 42 00:02:21,260 --> 00:02:23,380 100 requests per hour. 43 00:02:23,380 --> 00:02:27,360 And this here actually called window milliseconds. 44 00:02:27,360 --> 00:02:31,323 Okay, and so we want one hour so 60 minutes, 45 00:02:32,750 --> 00:02:37,720 times 60 for seconds, times 1,000 for milliseconds. 46 00:02:37,720 --> 00:02:40,520 Alright, so again, what this will do 47 00:02:40,520 --> 00:02:45,033 is to allow 100 requests from the same IP in one hour. 48 00:02:45,890 --> 00:02:48,210 Okay, and if that limit is then crossed 49 00:02:48,210 --> 00:02:51,860 by a certain IP, they will get back an error message. 50 00:02:51,860 --> 00:02:54,603 And here we can now specify that message. 51 00:02:58,550 --> 00:03:02,543 Too many requests from this IP, 52 00:03:05,160 --> 00:03:10,160 please try again in an hour, alright, 53 00:03:10,320 --> 00:03:12,540 so we kind of need to find a balance 54 00:03:12,540 --> 00:03:14,980 which works best for our application. 55 00:03:14,980 --> 00:03:16,900 For example, if you're building an API, 56 00:03:16,900 --> 00:03:20,250 which really needs a lot of requests for one IP, 57 00:03:20,250 --> 00:03:22,780 then of course, this number here should be greater. 58 00:03:22,780 --> 00:03:25,770 So don't just follow blindly what I just put here, 59 00:03:25,770 --> 00:03:28,410 but really adapt it to your own application 60 00:03:28,410 --> 00:03:30,100 so that you don't make it unusable 61 00:03:30,100 --> 00:03:32,173 because of this limiter, all right? 62 00:03:33,660 --> 00:03:37,480 Anyway, this limiter now here that we just created 63 00:03:37,480 --> 00:03:40,653 is basically a middleware function okay? 64 00:03:41,630 --> 00:03:44,320 So, rateLimit is a function which will, 65 00:03:44,320 --> 00:03:47,470 based on our objects, create a middleware function, 66 00:03:47,470 --> 00:03:52,223 which we now can use using app.use just like we did before. 67 00:03:53,990 --> 00:03:56,490 And we can do it simply like this. 68 00:03:56,490 --> 00:03:58,450 But what we actually want is to basically 69 00:03:58,450 --> 00:04:00,713 limit access to our API route. 70 00:04:01,810 --> 00:04:04,050 So, we can specify that here, 71 00:04:04,050 --> 00:04:07,300 remember that we can do that with middleware. 72 00:04:07,300 --> 00:04:10,720 And so, we basically want to apply this limiter 73 00:04:10,720 --> 00:04:13,370 only to a slash API, okay? 74 00:04:13,370 --> 00:04:15,700 And so that will then affect all of the routes 75 00:04:15,700 --> 00:04:18,959 that basically start with this, your app 76 00:04:18,959 --> 00:04:21,615 so forward slash API, great. 77 00:04:21,615 --> 00:04:25,140 So let's go back to our main tab here. 78 00:04:25,140 --> 00:04:29,140 Give it a save, and now let's actually try this 79 00:04:29,140 --> 00:04:31,330 and let's do it here with the simplest one, 80 00:04:31,330 --> 00:04:35,850 so get all tours, then here is our result 81 00:04:35,850 --> 00:04:39,600 and now what I want to show you is these headers here. 82 00:04:39,600 --> 00:04:42,720 So our rate limiter creates these two headers 83 00:04:42,720 --> 00:04:47,720 so the RateLimit-Limit, and the RateLimit-Remaining, okay? 84 00:04:47,910 --> 00:04:50,870 So we start with 100 just as we defined, 85 00:04:50,870 --> 00:04:53,130 and now we have remaining, 99, 86 00:04:53,130 --> 00:04:56,666 because we already did one request, right? 87 00:04:56,666 --> 00:05:00,000 So what happens if we do one other one? 88 00:05:00,000 --> 00:05:02,853 Let's do it with Get Tour, for example, 89 00:05:04,520 --> 00:05:06,550 and there's no tour with that ID, 90 00:05:06,550 --> 00:05:08,890 but that doesn't matter, what matters here 91 00:05:08,890 --> 00:05:12,660 is that the remaining is now down to 98. 92 00:05:12,660 --> 00:05:15,010 And if we try it again, then you'll see 93 00:05:15,010 --> 00:05:19,210 it's even down further to 97 okay? 94 00:05:19,210 --> 00:05:21,620 And actually down here, we also have the reset. 95 00:05:21,620 --> 00:05:25,990 So basically the timestamp where it is resetted okay? 96 00:05:25,990 --> 00:05:28,833 So that one hour window that we specified before. 97 00:05:29,760 --> 00:05:34,069 Okay, now if in between this our app is restarted, 98 00:05:34,069 --> 00:05:37,410 so in order to do that I will simply save. 99 00:05:37,410 --> 00:05:40,920 Let's see what happens then, okay, 100 00:05:40,920 --> 00:05:43,200 so I'm sending it again, and so now 101 00:05:43,200 --> 00:05:45,910 we're back starting from the beginning basically. 102 00:05:45,910 --> 00:05:49,440 Okay, so our app cannot crash during this time 103 00:05:49,440 --> 00:05:51,350 because otherwise, that will basically then 104 00:05:51,350 --> 00:05:54,093 reset the limit as well okay? 105 00:05:55,260 --> 00:05:59,670 Now, let's actually try to see the error message, 106 00:05:59,670 --> 00:06:04,670 and so I will take down this maximum to just three okay? 107 00:06:04,870 --> 00:06:09,370 And save it here, send this request, 108 00:06:09,370 --> 00:06:10,790 and in our headers we now see 109 00:06:10,790 --> 00:06:14,610 we have only two remaining, let's try another one 110 00:06:14,610 --> 00:06:18,190 and so now zero remaining, so this 111 00:06:18,190 --> 00:06:21,180 probably was our last one, let's see the body, 112 00:06:21,180 --> 00:06:23,350 so this time, we still got data, 113 00:06:23,350 --> 00:06:27,087 but if we now try it again, we got an error. 114 00:06:27,087 --> 00:06:29,113 Roo many requests from this IP. 115 00:06:29,113 --> 00:06:31,190 And then it will automatically set 116 00:06:31,190 --> 00:06:36,190 the status code to 429 which means too many requests. 117 00:06:36,190 --> 00:06:39,560 Okay, and so again, this will help us try 118 00:06:39,560 --> 00:06:43,810 to prevent denial of service and also brute force attacks 119 00:06:43,810 --> 00:06:46,270 where an attacker tries to guess 120 00:06:46,270 --> 00:06:48,877 the password of some user, basically by using 121 00:06:48,877 --> 00:06:51,900 as the name says, brute force. 122 00:06:51,900 --> 00:06:54,644 Okay, so that is API limiting, 123 00:06:54,644 --> 00:06:57,030 quite straightforward to implement 124 00:06:57,030 --> 00:06:59,363 with this Express Rate Limit package. 9932