indexer-service: Rate limit express server

prayagsingh · Jan 5, 2022 · e2d0ad5 · e2d0ad5
1 parent 4425576
commit e2d0ad5
Show file tree

Hide file tree

Showing 3 changed files with 1,195 additions and 840 deletions.
diff --git a/packages/indexer-service/package.json b/packages/indexer-service/package.json
@@ -42,6 +42,7 @@
     "evt": "1.9.12",
     "express": "4.17.1",
     "express-graphql": "0.9.0",
+    "express-rate-limit": "^5.5.1",
     "graphql": "15.4.0",
     "graphql-tag": "2.11.0",
     "graphql-tools": "5.0.0",
@@ -59,6 +60,7 @@
     "@types/bs58": "4.0.1",
     "@types/cors": "2.8.8",
     "@types/express": "4.17.8",
+    "@types/express-rate-limit": "^5.1.3",
     "@types/isomorphic-fetch": "0.0.35",
     "@types/jest": "26.0.15",
     "@types/morgan": "1.9.2",

diff --git a/packages/indexer-service/src/server/index.ts b/packages/indexer-service/src/server/index.ts
@@ -19,6 +19,7 @@ import {
 } from '@graphprotocol/indexer-common'
 import { createCostServer } from './cost'
 import { createOperatorServer } from './operator'
+import rateLimit from 'express-rate-limit'
 
 export interface ServerOptions {
   logger: Logger
@@ -139,6 +140,18 @@ export const createApp = async ({
 
   const app = express()
 
+  // Limit status requests to 9000/30min (5/s)
+  const slowLimiter = rateLimit({
+    windowMs: 30 * 60 * 1000, // 1 minutes
+    max: 9000,
+  })
+
+  // Limit network requests to 90000/30min (50/s)
+  const networkLimiter = rateLimit({
+    windowMs: 30 * 60 * 1000, // 1 minutes
+    max: 90000,
+  })
+
   // Log requests to the logger stream
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
   app.use(morgan('tiny', { stream: loggerStream }) as any)
@@ -160,20 +173,23 @@ export const createApp = async ({
   // Endpoint for the public status API
   app.use(
     '/status',
+    networkLimiter,
     bodyParser.json(),
     await createStatusServer({ graphNodeStatusEndpoint }),
   )
 
   // Endpoint for the public cost API
   app.use(
     '/cost',
+    slowLimiter,
     bodyParser.json(),
     await createCostServer({ indexerManagementClient, metrics }),
   )
 
   // Endpoint for operator information
   app.use(
     '/operator',
+    slowLimiter,
     bodyParser.json(),
     await createOperatorServer({ operatorPublicKey }),
   )
@@ -187,6 +203,7 @@ export const createApp = async ({
     // Endpoint for network subgraph queries
     app.post(
       `/network`,
+      networkLimiter,
       bodyParser.raw({ type: 'application/json' }),
       async (req, res) => {
         try {