Skip to content

Make the rate limiter resilient to spoofed X-Forwarded-For and unbounded memory #8

Description

@mikewheeleer

Harden the per-IP rate limiter against spoofing and memory growth

Description

The sliding-window limiter in src/index.ts keys buckets on req.ip ?? req.socket.remoteAddress, but app never sets trust proxy, so behind a load balancer every request looks like one IP — and a forged X-Forwarded-For could either evade or poison the limiter. The rateBuckets map also never evicts idle keys, so it grows without bound. This issue makes the limiter proxy-aware and bounded.

Requirements and context

  • Repository scope: StableRoute-Org/Stableroute-backend only.
  • Set app.set("trust proxy", ...) from a TRUST_PROXY env var so req.ip resolves correctly only when fronted by a trusted proxy.
  • Add periodic eviction (or lazy GC on access) of empty/expired buckets so rateBuckets cannot grow unbounded.
  • Keep the Retry-After header and the 429 rate_limited body shape unchanged.
  • Read the window/limit from the existing config object so PATCH /api/v1/config continues to tune it.

Suggested execution

  • Fork the repo and create a branch
  • git checkout -b security/rate-limit-08-proxy-and-eviction
  • Implement changes
    • Write code in: src/index.ts — configure trust proxy, add bucket eviction, source limits from config.
    • Write comprehensive tests in: src/__tests__/index.test.ts — drive requests past the limit, assert 429, and assert bucket cleanup over a simulated window.
    • Add documentation: document TRUST_PROXY in README.md.
    • Add TSDoc on the limiter middleware.
    • Validate security: ensure a spoofed X-Forwarded-For is ignored when proxy trust is disabled.
  • Test and commit

Test and commit

  • Run npm run build, npm run lint, and npm test.
  • Cover edge cases: exactly-at-limit, just-over-limit, window rollover, eviction.
  • Paste full npm test output in the PR.

Example commit message

fix(security): make rate limiter proxy-aware and bound its memory

Guidelines

  • Minimum 95 percent test coverage for impacted code.
  • Clear, reviewer-focused documentation.
  • Timeframe: 96 hours.

Community & contribution rewards

  • 💬 Join the StableRoute community on Discord for questions, reviews, and faster merges: https://discord.gg/37aCpusvx
  • ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.

Metadata

Metadata

Assignees

No one assigned

    Fields

    No fields configured for Feature.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions