Designing a Scalable API Rate Limiter in a Node.js Application

In this article, we will see how to build a scalable rate limiter for an API in a Node.js application.


Scenario 1:

Let's say you are building a public API service that users access through that API. At the same time, you need to protect that public API service from DDoS attacks.

Scenario 2:

Consider that we have built a product and need to give users a free trial to access the product's service.

Solution:

In both scenarios, a rate limiting algorithm is a way to solve the problem.

Rate limiting algorithm:

Firstly, a rate limiting algorithm is a way to limit access to APIs. For example, suppose a user calls an API at a rate of 100 requests/second; that can overload the server.

To avoid this problem, we can limit access to the APIs, for example to 20 requests/minute per user.

Different rate limiting algorithms:

Let's see the types of rate limiting algorithms used in software application development:

Token bucket:

It stores the maximum number of tokens it can provide for requests per minute. For example, for a given user the API rate limiter sets 5 tokens per minute, so the user can send at most 5 requests to the server per minute. After that, the server drops the request.

Mainly, Redis is used to store the information so the request data can be accessed quickly.

(Figure: token bucket)

How it works

Let's say User1 sends a request to the server. The server checks whether the time between this request and the previous request is greater than a minute. If it is less than a minute, it checks the tokens remaining for that user.

If that is zero, the server drops the request.
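The per-user bucket described above, as an added example that is not part of the original post: an in-memory token bucket with continuous refill and an injected clock, so the burst-then-refill behaviour can be checked deterministically. Capacity, refill rate, the user id and the timestamps are assumptions.

```javascript
// Added example, not from the original post: an in-memory token bucket
// keyed by user id. Assumed: capacity of 5 tokens, refilled continuously at
// 5 tokens per minute; the clock is injected so results are deterministic.
class TokenBucketLimiter {
  constructor({ capacity = 5, refillPerMinute = 5 } = {}) {
    this.capacity = capacity;
    this.refillPerMinute = refillPerMinute;
    this.buckets = new Map(); // userId -> { tokens, lastRefill }
  }

  // Returns true if the request is admitted, false if the server should drop it.
  allow(userId, nowMs = Date.now()) {
    let b = this.buckets.get(userId);
    if (!b) {
      b = { tokens: this.capacity, lastRefill: nowMs };
      this.buckets.set(userId, b);
    }
    // Refill for the time elapsed since the last check (never negative if the
    // clock steps back), capped at the bucket capacity.
    const elapsedMs = Math.max(0, nowMs - b.lastRefill);
    b.tokens = Math.min(this.capacity, b.tokens + (elapsedMs * this.refillPerMinute) / 60000);
    b.lastRefill = nowMs;
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
}

// Drive the limiter with a fixed clock: a burst of six requests at t0 admits
// five and drops the sixth; 12 s later exactly one token has been refilled,
// so one more request passes and the one after it is dropped again.
function tokenBucketDemo() {
  const limiter = new TokenBucketLimiter();
  const t0 = 1700000000000; // constructed timestamp in ms
  const results = [];
  for (let i = 0; i < 6; i++) results.push(limiter.allow("user1", t0));
  results.push(limiter.allow("user1", t0 + 12000));
  results.push(limiter.allow("user1", t0 + 12000));
  return results; // [true, true, true, true, true, false, true, false]
}
```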

Leaky bucket

It is a queue that takes requests in First In, First Out (FIFO) order.

(Figure: leaky bucket)

Once the queue is full, the server drops incoming requests until the queue has space to take more.

For example, the server gets requests 1, 2, 3 and 4 and accepts them according to the queue size. Consider a queue of size 4: it will take requests 1, 2, 3 and 4.

After that, the server gets request 5 and drops it.
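The bounded FIFO queue from the example above, as added code that is not part of the original post: requests are queued up to the capacity and leak out at a fixed processing rate. The capacity of 4, the leak rate of one request per second and the timestamps are assumptions.

```javascript
// Added example, not from the original post: a leaky bucket as a bounded FIFO
// queue of pending requests that drains at a fixed rate. Assumed: capacity 4,
// one request processed per second; the clock (in seconds) is injected.
class LeakyBucket {
  constructor({ capacity = 4, leakPerSecond = 1 } = {}) {
    this.capacity = capacity;
    this.leakPerSecond = leakPerSecond;
    this.queue = [];
    this.lastLeak = null;
  }

  // Remove the requests the worker would have processed since the last call.
  leak(nowS) {
    if (this.lastLeak === null) this.lastLeak = nowS;
    const processed = Math.floor((nowS - this.lastLeak) * this.leakPerSecond);
    if (processed > 0) {
      this.queue.splice(0, processed);
      this.lastLeak += processed / this.leakPerSecond;
    }
  }

  // Returns true if the request was queued, false if dropped because the
  // bucket is full.
  offer(requestId, nowS) {
    this.leak(nowS);
    if (this.queue.length >= this.capacity) return false;
    this.queue.push(requestId);
    return true;
  }
}

// Requests 1-4 arrive at once and fill the queue, request 5 is dropped, and
// one second later one slot has drained so request 6 is accepted.
function leakyBucketDemo() {
  const bucket = new LeakyBucket();
  const results = [1, 2, 3, 4, 5].map(id => bucket.offer(id, 100));
  results.push(bucket.offer(6, 101));
  return results; // [true, true, true, true, false, true]
}
```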

Fixed window counter

It increments a request counter for a user over a particular time window. If the counter crosses a threshold, the server drops the request. It uses Redis to store the request information.

For example, the server gets a request from a user. If the user's request info is present in Redis and the request time still falls within the window started by the previous request, it increments the counter.

Once the threshold is reached, the server drops further requests for the specified time.

Cons

Let's say that the server gets lots of requests at the 55th second of a minute and more right after the minute rolls over: each window accepts its full quota, so this won't work as expected.

Sliding logs

(Figure: sliding logs)

It stores a log of each request with a timestamp in Redis or in memory. For each request, it checks how many log entries the user has accumulated within the last minute.

Further, if the count is more than the threshold, the server drops the request.

On the other hand, there are a few disadvantages with this approach. If the application receives a million requests, maintaining a log entry for each request in memory is expensive.

Sliding window counter

This approach is somewhat similar to sliding logs. The only difference is that instead of storing all the logs, we group the user's request data by timestamp.

For example, once the server receives a request from a user, we check memory for an entry with the request's timestamp. If it is available, we increment its counter; if it is not, we insert a new record.

That way, we don't need to store each request as a separate entry; we can group them by timestamp and maintain a counter for each group.

Implementing a Sliding Window Counter in a Node.js App

Complete source code can be found here

Prerequisites

Create a directory and initialize package.json using the following command:

npm init --yes

After that, install Express, Redis and moment for the application using the following command:

npm i express redis moment

The Redis client is used to connect to the Redis server. moment is used to produce the request timestamp.

First, create a file server.js and add the following code:

const express = require("express")
const rateLimiter = require("./slidingWindowCounter")
const app = express()

const router = express.Router()

router.get("/", (req, res) => {
  res.send("<h1>API response</h1>")
})

// The rate limiter runs before every route, so throttled requests never reach the API
app.use(rateLimiter)
app.use("/api", router)

app.listen(5000, () => {
  console.log("server is running on port 5000")
})

Next, create a file slidingWindowCounter.js and add the following code:

// Uses the callback API of the redis v3 client
const redis = require("redis")
const moment = require("moment")
const redisClient = redis.createClient()

// Allowed requests per user in any trailing 60-second window
const THRESHOLD = 5

module.exports = (req, res, next) => {
  // The caller is identified by the "user" header. Without it every
  // anonymous caller would share the key "undefined", so reject early.
  // Note that this header is client-controlled; in a real deployment the
  // key should come from an authenticated identity or the client address.
  const user = req.headers.user
  if (!user) {
    return res.status(400).json({ error: 1, message: "missing user header" })
  }

  redisClient.exists(user, (err, reply) => {
    if (err) {
      console.log("problem with redis")
      process.exit(1)
    }

    if (reply === 1) {
      redisClient.get(user, (err, redisResponse) => {
        if (err) {
          return res.status(500).json({ error: 1, message: "problem with redis" })
        }
        let data = JSON.parse(redisResponse)

        let currentTime = moment().unix()
        let lessThanMinuteAgo = moment()
          .subtract(1, "minute")
          .unix()

        // Keep only the per-second buckets inside the last minute; older
        // buckets are discarded so the stored array stays bounded
        data = data.filter(item => {
          return item.requestTime > lessThanMinuteAgo
        })

        let requestCount = 0
        data.forEach(item => {
          requestCount = requestCount + item.counter
        })

        if (requestCount >= THRESHOLD) {
          return res.status(429).json({ error: 1, message: "throttle limit exceeded" })
        } else {
          // Increment the bucket for the current second if one exists,
          // otherwise start a new bucket
          let isFound = false
          data.forEach(element => {
            if (element.requestTime === currentTime) {
              isFound = true
              element.counter++
            }
          })
          if (!isFound) {
            data.push({
              requestTime: currentTime,
              counter: 1,
            })
          }

          // get followed by set is not atomic: concurrent requests from the
          // same user can slip past the limit between the two calls
          redisClient.set(user, JSON.stringify(data))

          next()
        }
      })
    } else {
      // First request from this user: create the bucket list
      let data = []
      let requestData = {
        requestTime: moment().unix(),
        counter: 1,
      }
      data.push(requestData)
      redisClient.set(user, JSON.stringify(data))

      next()
    }
  })
}

  • It rejects requests that carry no user header, since every such request would otherwise share a single key in Redis.
  • It checks whether the user exists in Redis. If not, it inserts the user's details with a counter value and the request timestamp.
  • If the user already exists, it drops the buckets older than a minute and checks whether the count of requests within the last minute has reached the threshold. If it has, the server drops the request.
  • If it has not, it increments the counter of the bucket whose timestamp matches the current second; otherwise, it inserts a new bucket.


Demo: https://youtu.be/qlQ5XSDFe9c
