Rate limiting

ScaffoldHub uses https://github.com/nfriedly/express-rate-limit to limit repeated requests to the backend API.

It uses the default Memory Store, which keeps its counters in the memory of a single backend process. If you run more than one backend instance, you can easily integrate a shared store so that the counts stay consistent across all instances: https://github.com/nfriedly/express-rate-limit#stores.

Global Rate Limit

The global rate limit is defined in the file backend/src/api/index.ts and applies to every backend route:

    // Default rate limiter: at most 500 requests per client per 15-minute window
    const defaultRateLimiter = createRateLimiter({
      max: 500,
      windowMs: 15 * 60 * 1000,
      message: 'errors.429', // translation key returned with the 429 response
    });
    app.use(defaultRateLimiter);

Auth Rate Limits

The Sign-in, Sign-up, Password Reset and Email Verification endpoints have much stricter limits than the global one. They are configured in backend/src/api/auth/index.ts:

    //...
    // Outgoing-email endpoints: at most 6 emails per client per 15 minutes.
    // Both email routes share this one limiter instance, so they share its counter.
    const emailRateLimiter = createRateLimiter({
      max: 6,
      windowMs: 15 * 60 * 1000,
      message: 'errors.429',
    });
    app.post(
      `/auth/send-email-address-verification-email`,
      emailRateLimiter,
      require('./authSendEmailAddressVerificationEmail').default,
    );
    app.post(
      `/auth/send-password-reset-email`,
      emailRateLimiter,
      require('./authSendPasswordResetEmail').default,
    );

    // Sign-in: at most 20 attempts per client per 15 minutes.
    const signInRateLimiter = createRateLimiter({
      max: 20,
      windowMs: 15 * 60 * 1000,
      message: 'errors.429',
    });
    app.post(
      `/auth/sign-in`,
      signInRateLimiter,
      require('./authSignIn').default,
    );
    app.post(
      `/tenant/:tenantId/auth/sign-in`,
      signInRateLimiter,
      require('./authSignIn').default,
    );

    // Sign-up: at most 20 registrations per client per hour.
    const signUpRateLimiter = createRateLimiter({
      max: 20,
      windowMs: 60 * 60 * 1000,
      message: 'errors.429',
    });
    app.post(
      `/auth/sign-up`,
      signUpRateLimiter,
      require('./authSignUp').default,
    );
    app.post(
      `/tenant/:tenantId/auth/sign-up`,
      signUpRateLimiter,
      require('./authSignUp').default,
    );
    //...
    };
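To see what sharing one limiter instance across two routes means in practice, here is an added JavaScript example that is not ScaffoldHub's code: its createRateLimiter is a simplified stand-in for the project's helper (whose real implementation the page does not show), modelled on express-rate-limit's fixed-window memory store keyed by client IP, and the IP addresses and clock are constructed.

```javascript
// Added example (not ScaffoldHub's code): a simplified stand-in for the
// project's createRateLimiter helper, modelled on express-rate-limit's
// fixed-window memory store keyed by client IP. `now` is injectable so the
// window expiry can be exercised without waiting 15 minutes.
function createRateLimiter({ max, windowMs, message }, now = Date.now) {
  const hits = new Map(); // client IP -> { count, resetAt }
  return function limiter(req, res, next) {
    const t = now();
    let entry = hits.get(req.ip);
    if (!entry || t >= entry.resetAt) { // first hit, or window elapsed
      entry = { count: 0, resetAt: t + windowMs };
      hits.set(req.ip, entry);
    }
    entry.count += 1;
    res.setHeader('X-RateLimit-Remaining', Math.max(0, max - entry.count));
    if (entry.count > max) return res.status(429).send(message); // over budget
    next(); // within budget: run the route handler
  };
}

// Drive a limiter with a fake request/response object (no express needed).
function hit(limiter, ip) {
  const res = {
    statusCode: 200, body: null, headers: {},
    setHeader(k, v) { this.headers[k] = v; },
    status(c) { this.statusCode = c; return this; },
    send(b) { this.body = b; },
  };
  let handled = false;
  limiter({ ip }, res, () => { handled = true; });
  return { handled, status: res.statusCode, body: res.body };
}

// The email limiter from the page (6 per 15 min). One instance is mounted on
// both email routes, so their hits draw from a single per-IP budget.
function simulate() {
  let clock = 0;
  const emailRateLimiter = createRateLimiter(
    { max: 6, windowMs: 15 * 60 * 1000, message: 'errors.429' }, () => clock);
  const ip = '203.0.113.5'; // constructed sample address
  const statuses = [];
  for (let i = 0; i < 3; i++) statuses.push(hit(emailRateLimiter, ip).status); // verification route
  for (let i = 0; i < 3; i++) statuses.push(hit(emailRateLimiter, ip).status); // password-reset route
  const seventh = hit(emailRateLimiter, ip);               // budget exhausted
  const otherIp = hit(emailRateLimiter, '198.51.100.9');  // separate key
  clock += 15 * 60 * 1000;                                 // window elapses
  const afterWindow = hit(emailRateLimiter, ip);
  return { statuses, seventh, otherIp: otherIp.status, afterWindow: afterWindow.status };
}
```

Three verification-email requests plus three password-reset requests exhaust the shared budget, so the seventh request of either kind from that address is answered with 429 and never reaches the handler, while another address and the next window start fresh.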