rate_limiter.ts

In-memory sliding window rate limiter.

Tracks failed attempts per key (typically IP address) using a sliding time window. No external dependencies — state resets on server restart.

Declarations

7 declarations

create_rate_limiter

(options?: Partial<RateLimiterOptions> | undefined): RateLimiter

Create a RateLimiter with sensible defaults for per-IP login protection.

options?

override individual options; unset fields use DEFAULT_LOGIN_IP_RATE_LIMIT

type Partial<RateLimiterOptions> | undefined
optional

returns

RateLimiter

DEFAULT_LOGIN_ACCOUNT_RATE_LIMIT

DEFAULT_LOGIN_IP_RATE_LIMIT

rate_limit_exceeded_response

(c: Context<any, any, {}>, retry_after: number): Response

Build a 429 rate-limit-exceeded JSON response with Retry-After header.

c

Hono context

type Context<any, any, {}>

retry_after

seconds until the client should retry

type number

returns

Response

a 429 Response

RateLimiter

In-memory sliding window rate limiter.

Stores an array of timestamps per key. On check/record, timestamps outside the window are pruned. retry_after reports seconds until the oldest active timestamp expires.

Parameters that accept RateLimiter | null (e.g. ip_rate_limiter, login_account_rate_limiter) silently disable rate limiting when null is passed — no checks are performed and all requests are allowed through.

options

type RateLimiterOptions

readonly

constructor

type new (options: RateLimiterOptions): RateLimiter

options

check

Check whether key is allowed without recording an attempt.

type (key: string, now?: number): RateLimitResult

key

rate limit key (e.g. IP address)

type string

now

current timestamp in ms (defaults to Date.now())

type number
default Date.now()

record

Record a failed attempt for key and return the updated result.

type (key: string, now?: number): RateLimitResult

key

rate limit key (e.g. IP address)

type string

now

current timestamp in ms (defaults to Date.now())

type number
default Date.now()

reset

Clear all attempts for key (e.g. after successful login).

type (key: string): void

key

type string

returns void

cleanup

Remove entries whose timestamps are all outside the window.

type (now?: number): void

now

current timestamp in ms (defaults to Date.now())

type number
default Date.now()

returns void

dispose

Stop the cleanup timer. Safe to call multiple times.

type (): void

returns void
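
The sliding-window behaviour described for RateLimiter above, as an added TypeScript sketch; it is not the project's rate_limiter.ts source. The names SlidingWindowSketch, SketchOptions, SketchResult and demo are hypothetical, and two details are assumptions the page does not state: a key is blocked once max_attempts failures are inside the window, and retry_after is rounded up to whole seconds.

```typescript
// Added sketch, not the project's rate_limiter.ts. Assumed semantics: a key is
// blocked once max_attempts failures are inside the window; retry_after rounds up.
interface SketchOptions { max_attempts: number; window_ms: number }
interface SketchResult { allowed: boolean; remaining: number; retry_after: number }

class SlidingWindowSketch {
  options: SketchOptions;
  attempts = new Map<string, number[]>(); // key -> failure timestamps (ms)
  constructor(options: SketchOptions) { this.options = options; }

  // Drop timestamps that have left the window and return the active ones.
  prune(key: string, now: number): number[] {
    const cutoff = now - this.options.window_ms;
    const active = (this.attempts.get(key) ?? []).filter((t) => t > cutoff);
    if (active.length > 0) this.attempts.set(key, active);
    else this.attempts.delete(key); // keep the map from growing without bound
    return active;
  }

  result(active: number[], now: number): SketchResult {
    const { max_attempts, window_ms } = this.options;
    const allowed = active.length < max_attempts;
    // Blocked keys wait for the oldest active timestamp to age out.
    const retry_after = allowed ? 0 : Math.ceil((active[0] + window_ms - now) / 1000);
    return { allowed, remaining: Math.max(0, max_attempts - active.length), retry_after };
  }

  check(key: string, now: number = Date.now()): SketchResult {
    return this.result(this.prune(key, now), now);
  }

  record(key: string, now: number = Date.now()): SketchResult {
    const active = this.prune(key, now);
    active.push(now);
    this.attempts.set(key, active);
    return this.result(active, now);
  }

  reset(key: string): void { this.attempts.delete(key); }
}

// Constructed scenario: 3 failures allowed per 60 s, failures at t = 0 s, 10 s, 20 s.
function demo(): SketchResult[] {
  const limiter = new SlidingWindowSketch({ max_attempts: 3, window_ms: 60_000 });
  const ip = "203.0.113.7"; // documentation-range address, constructed sample key
  [0, 10_000, 20_000].forEach((t) => limiter.record(ip, t));
  return [limiter.check(ip, 25_000), limiter.check(ip, 60_500), limiter.check(ip, 81_000)];
}
```

In the constructed scenario the key is blocked at 25 s with retry_after 35, regains one attempt at 60.5 s when the first failure ages out, and is fully cleared by 81 s.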

RateLimiterOptions

Configuration for a rate limiter instance.

max_attempts

Maximum allowed attempts within the window.

type number

window_ms

Sliding window duration in milliseconds.

type number

cleanup_interval_ms

Interval for pruning stale entries (0 disables the timer).

type number

RateLimitResult

Result of a rate limit check or record operation.

allowed

Whether the request is allowed.

type boolean

remaining

Remaining attempts before blocking.

type number

retry_after

Seconds until the oldest active attempt expires (0 if allowed).

type number
