Next.js Discord

Discord Forum

API Ratelimiting

Answered
Siamese posted this in #help-forum
SiameseOP
Hey! How can I implement a (pretty basic) ratelimit feature onto the nextjs api routes? I don't want anyone to be able to spam discord api/my database using the endpoints I got in nextjs api folder (I need them because I'm doing the data fetching inside of useEffect)
Answered by davidmytton
there are a few ways depending on where you're hosting and what kind of features you want. the main issue is where to store the state i.e. the limit for each client, especially if you're running in a serverless environment. functions get recycled after a period of time so anything in memory is ephemeral

Vercel has a guide at https://vercel.com/guides/rate-limiting-edge-middleware-vercel-kv using their k/v product, which is basically redis. that uses https://github.com/upstash/ratelimit which you can also use directly (which uses redis).

the library I'm working on https://www.npmjs.com/package/@arcjet/next does rate limiting (and some other protections) without redis.

a few people have also written guides for doing it manually e.g. with this express middleware https://kittygiraudel.com/2022/05/16/rate-limit-nextjs-api-routes/ or by implementing your own algorithm: https://blog.logrocket.com/set-up-rate-limiting-next-js-redis/#installing-redis-client

25 Replies

SiameseOP
Thanks!
SiameseOP
Hey @davidmytton anything that doesn't require Redis?
The arcjet thing uses some other external service
Oh, and I'm running on a server
So I can have memory storage like a const in another file that is exported
you'd probably have to write something yourself for in-memory storage then. there's an express rate limit library I know of - https://express-rate-limit.mintlify.app/reference/stores - which has in-memory, but I've not seen anything for nextjs. that's one reason why we implemented this via an API in Arcjet, so you don't need Redis. supporting in-memory is on the roadmap: https://github.com/arcjet/arcjet-js/issues/50
SiameseOP
Damn, alright
yes
SiameseOP
Great
@davidmytton yes
SiameseOP
Last thing, is there a way in nextjs API folder, like for other files we have template/layout so that I can add the ratelimit only once and it's good to go for every route?
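An added example for the two questions above (in-memory storage on a single self-hosted server, and applying the limit once for every route); it is not code from the thread, from @arcjet/next or from @upstash/ratelimit. `check`, `sweep`, `clientKey` and `withRateLimit` are assumed names; the `{ success, limit, remaining, reset }` result shape mirrors what upstash returns so the same header logic works with either.

```javascript
// Added example, not code from the thread: a single-process in-memory
// sliding-window limiter for a self-hosted Next.js server. State lives in
// this module, so it is lost on restart and is not shared across replicas.
const WINDOW_MS = 60_000; // window length: one minute
const LIMIT = 10;         // requests allowed per client per window
// client key -> timestamps (ms) of accepted requests inside the window
const hits = new Map();
// Result mirrors the { success, limit, remaining, reset } shape that
// @upstash/ratelimit returns, so the same header logic works with both.
function check(key, now = Date.now()) {
  const windowStart = now - WINDOW_MS;
  const recent = (hits.get(key) ?? []).filter((t) => t > windowStart);
  const success = recent.length < LIMIT;
  if (success) recent.push(now); // rejected requests do not consume quota
  hits.set(key, recent);
  const reset = recent.length ? recent[0] + WINDOW_MS : now + WINDOW_MS;
  return { success, limit: LIMIT, remaining: Math.max(0, LIMIT - recent.length), reset };
}
// Drop keys with no traffic in the last window so the Map cannot grow without bound.
function sweep(now = Date.now()) {
  for (const [key, recent] of hits) {
    if (!recent.some((t) => t > now - WINDOW_MS)) hits.delete(key);
  }
}
// Key on the TCP peer address. Only read X-Forwarded-For when a proxy you
// control sets it; otherwise a client can choose its own bucket by forging it.
function clientKey(req, trustProxy = false) {
  const fwd = trustProxy ? req.headers?.['x-forwarded-for'] : undefined;
  return (typeof fwd === 'string' ? fwd.split(',')[0].trim() : '') || req.socket?.remoteAddress || 'unknown';
}
// Wrap a pages/api handler once; every route exported through this wrapper
// gets the same limit without repeating the logic per file (hypothetical
// helper, not a Next.js API).
function withRateLimit(handler, opts = {}) {
  return async (req, res) => {
    const r = check(clientKey(req, opts.trustProxy));
    res.setHeader('X-RateLimit-Limit', String(r.limit));
    res.setHeader('X-RateLimit-Remaining', String(r.remaining));
    res.setHeader('X-RateLimit-Reset', String(Math.ceil(r.reset / 1000)));
    if (!r.success) return res.status(429).json({ error: 'Too many requests' });
    return handler(req, res);
  };
}
```

Schedule `sweep` on a timer (for example `setInterval(sweep, WINDOW_MS).unref()`) in the long-running server so idle keys are reclaimed; in `next dev`, hot reloading re-evaluates the module and resets the Map, which is expected for in-memory state.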
SiameseOP
👍
SiameseOP
upstash ratelimit got ephemeralCache which stores it like I would want to, but it's just cache for redis
SiameseOP
Hey @davidmytton you said I can use normal redis with it. I forgot to mention I'm self hosting. I also used KeyDB but that shouldn't be an issue since it's a drop-in replacement
I'm confused about the connection part
Cause upstash requires some token and url
redis://:password@ip:port

this is how my url looks normally to connect
SiameseOP
I'm not too sure how to check whether it connected to redis or not. But the ratelimit stuff always returns 0
limit, reset, remaining
these are always 0
SiameseOP
I think I do the rest api wrong
SiameseOP
Imma try using ioredis instead
SiameseOP
aaa no support for ioredis and async-ratelimiter doesn't work in middleware
SiameseOP
i made some custom code btw