Harden the per-IP rate limiter against spoofing and memory growth
Description
The sliding-window limiter in src/index.ts keys buckets on req.ip ?? req.socket.remoteAddress, but app never sets trust proxy, so behind a load balancer every request looks like one IP — and a forged X-Forwarded-For could either evade or poison the limiter. The rateBuckets map also never evicts idle keys, so it grows without bound. This issue makes the limiter proxy-aware and bounded.
Requirements and context
- Repository scope:
StableRoute-Org/Stableroute-backend only.
- Set
app.set("trust proxy", ...) from a TRUST_PROXY env var so req.ip resolves correctly only when fronted by a trusted proxy.
- Add periodic eviction (or lazy GC on access) of empty/expired buckets so
rateBuckets cannot grow unbounded.
- Keep the
Retry-After header and the 429 rate_limited body shape unchanged.
- Read the window/limit from the existing
config object so PATCH /api/v1/config continues to tune it.
Suggested execution
- Fork the repo and create a branch
git checkout -b security/rate-limit-08-proxy-and-eviction
- Implement changes
- Write code in:
src/index.ts — configure trust proxy, add bucket eviction, source limits from config.
- Write comprehensive tests in:
src/__tests__/index.test.ts — drive requests past the limit, assert 429, and assert bucket cleanup over a simulated window.
- Add documentation: document
TRUST_PROXY in README.md.
- Add TSDoc on the limiter middleware.
- Validate security: ensure a spoofed
X-Forwarded-For is ignored when proxy trust is disabled.
- Test and commit
Test and commit
- Run
npm run build, npm run lint, and npm test.
- Cover edge cases: exactly-at-limit, just-over-limit, window rollover, eviction.
- Paste full
npm test output in the PR.
Example commit message
fix(security): make rate limiter proxy-aware and bound its memory
Guidelines
- Minimum 95 percent test coverage for impacted code.
- Clear, reviewer-focused documentation.
- Timeframe: 96 hours.
Community & contribution rewards
- 💬 Join the StableRoute community on Discord for questions, reviews, and faster merges: https://discord.gg/37aCpusvx
- ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.
Harden the per-IP rate limiter against spoofing and memory growth
Description
The sliding-window limiter in
src/index.tskeys buckets onreq.ip ?? req.socket.remoteAddress, butappnever setstrust proxy, so behind a load balancer every request looks like one IP — and a forgedX-Forwarded-Forcould either evade or poison the limiter. TherateBucketsmap also never evicts idle keys, so it grows without bound. This issue makes the limiter proxy-aware and bounded.Requirements and context
StableRoute-Org/Stableroute-backendonly.app.set("trust proxy", ...)from aTRUST_PROXYenv var soreq.ipresolves correctly only when fronted by a trusted proxy.rateBucketscannot grow unbounded.Retry-Afterheader and the429 rate_limitedbody shape unchanged.configobject soPATCH /api/v1/configcontinues to tune it.Suggested execution
git checkout -b security/rate-limit-08-proxy-and-evictionsrc/index.ts— configure trust proxy, add bucket eviction, source limits fromconfig.src/__tests__/index.test.ts— drive requests past the limit, assert 429, and assert bucket cleanup over a simulated window.TRUST_PROXYinREADME.md.X-Forwarded-Foris ignored when proxy trust is disabled.Test and commit
npm run build,npm run lint, andnpm test.npm testoutput in the PR.Example commit message
fix(security): make rate limiter proxy-aware and bound its memoryGuidelines
Community & contribution rewards