Upstash Support

Author: daveycodez

README.md

@@ -1,6 +1,6 @@
 # NextJS Rate Limiting Middleware
 
-Uses in-memory rate limiting for both session & IP. Doesn't require Redis, simple easy setup, and super basic protection from abuse.
+Uses in-memory rate limiting for both session & IP. Simple easy setup, and super basic protection from abuse. Now supports Upstash configuration for distributed rate limiting.
 
 # Installation
 
@@ -10,15 +10,22 @@ npm install @daveyplate/next-rate-limit
 
 # Usage
 
-Default limits are 30 requests per session within 15 seconds, and 300 requests per IP within 15 seconds (10 users)
+Default limits are 20 requests per session within 10 seconds, and 100 requests per IP within 10 seconds.
 
-```jsx
+```ts
 export function rateLimit({ 
     request, 
     response, 
-    sessionLimit = 30, 
-    ipLimit = 300, 
-    windowMs = 15 * 1000 
+    sessionLimit = 20, 
+    ipLimit = 100, 
+    sessionWindow = 10, 
+    ipWindow = 10, 
+    upstash = { 
+        enabled: false, 
+        url: process.env.UPSTASH_REDIS_REST_URL, 
+        token: '', 
+        analytics: false
+    } 
 })
 ```
 
@@ -31,14 +38,41 @@ import { rateLimit } from '@daveyplate/next-rate-limit'
 export async function middleware(request: NextRequest) {
     const response = NextResponse.next()
 
-    const rateLimitResponse = await rateLimit({ request, response })
-    if (rateLimitResponse) return rateLimitResponse
-
-    return response
+    return await rateLimit({ request, response })
 }
 
 // Apply middleware to all API routes
 export const config = {
     matcher: '/api/:path*'
 }
 ```
+
+# Upstash Configuration
+
+To enable Upstash, you can configure it using environment variables or by passing the configuration directly.
+
+## Environment Variables
+
+Set the following environment variables in your `.env` file:
+
+```
+UPSTASH_REDIS_REST_URL=<your_upstash_redis_rest_url>
+UPSTASH_REDIS_REST_TOKEN=<your_upstash_redis_rest_token>
+```
+
+## Passing Configuration Directly
+
+You can also pass the Upstash configuration directly when calling `rateLimit`:
+
+```tsx
+const rateLimitResponse = await rateLimit({ 
+    request, 
+    response, 
+    upstash: {
+        enabled: true,
+        url: '<your_upstash_redis_rest_url>',
+        token: '<your_upstash_redis_rest_token>',
+        analytics: true
+    }
+})
+```

package-lock.json

@@ -1,7 +1,7 @@
 {
   "name": "@daveyplate/next-rate-limit",
   "homepage": "https://github.com/Daveyplate/next-rate-limit",
-  "version": "1.0.10",
+  "version": "2.0.0",
   "description": "NextJS Rate Limiting Middleware",
   "module": "dist/index",
   "types": "dist/index",
@@ -24,11 +24,12 @@
   "license": "ISC",
   "devDependencies": {
     "@types/uuid": "^10.0.0",
-    "typescript": "^5.6.2",
-    "next": "file:../daveyplate/node_modules/next"
+    "next": "file:../daveyplate/node_modules/next",
+    "typescript": "^5.6.2"
   },
   "peerDependencies": {
     "next": ">=14.0.0",
-    "uuid": ">=10.0.0"
+    "uuid": ">=10.0.0",
+    "@upstash/ratelimit": ">=2.0.5"
   }
-}
+}

package.json

@@ -1,61 +1,150 @@
-import { NextResponse, NextRequest } from 'next/server'
+import { NextRequest, NextResponse } from "next/server"
+import { Duration, Ratelimit } from "@upstash/ratelimit"
+
+import { Redis } from "@upstash/redis"
 import { cookies } from 'next/headers'
 import { v4 as uuidv4 } from 'uuid'
 
 const rateLimitMap = new Map<string, number[]>()
 
+let redis: Redis
+let sessionRatelimit: Ratelimit
+let ipRatelimit: Ratelimit
+let currentConfig: any = {}
+
+function initialize({ sessionLimit, sessionWindow, ipLimit, ipWindow, upstash }: Partial<RateLimitOptions>) {
+    const { url, token, analytics } = upstash!
+
+    const config = {
+        sessionLimit,
+        sessionWindow,
+        ipLimit,
+        ipWindow,
+        upstash
+    }
+
+    if (!redis || JSON.stringify(config) !== JSON.stringify(currentConfig)) {
+        currentConfig = config
+
+        redis = new Redis({
+            url: url,
+            token: token,
+        })
+
+        sessionRatelimit = new Ratelimit({
+            redis,
+            limiter: Ratelimit.slidingWindow(sessionLimit!, `${sessionWindow} s` as Duration),
+            analytics
+        })
+
+        ipRatelimit = new Ratelimit({
+            redis,
+            limiter: Ratelimit.slidingWindow(ipLimit!, `${ipWindow} s` as Duration),
+            analytics
+        })
+    }
+}
+
+interface RateLimitOptions {
+    request: NextRequest
+    response: NextResponse
+    sessionLimit?: number
+    ipLimit?: number
+    sessionWindow?: number
+    ipWindow?: number
+    upstash?: {
+        enabled?: boolean
+        url?: string
+        token?: string
+        analytics?: boolean
+    }
+    windowMs?: number
+}
 
 /**
  * This middleware is used to rate limit requests based
  * on IP address and session ID. Returns NextResponse with 
  * 429 status code if the rate limit is exceeded.
- * @param {object} options - Rate limiting options.
- * @param {NextRequest} options.request - Incoming request object.
+ * @param {RateLimitOptions} options - Rate limiting options.
+ * @param {NextRequest} options.request - NextRequest object.
  * @param {NextResponse} options.response - NextResponse object.
- * @param {number} [options.sessionLimit=30] - Number of requests allowed per session in the window.
- * @param {number} [options.ipLimit=300] - Number of requests allowed per IP in the window.
- * @param {number} [options.windowMs=15000] - Time window in milliseconds.
+ * @param {number} [options.sessionLimit=20] - Number of requests allowed per session in the window.
+ * @param {number} [options.ipLimit=100] - Number of requests allowed per IP in the window.
+ * @param {number} [options.sessionWindow=10] - Window in seconds for session rate limiting.
+ * @param {number} [options.ipWindow=10] - Window in seconds for IP rate limiting.
+ * @param {object} [options.upstash] - Upstash Redis configuration.
+ * @param {boolean} [options.upstash.enabled] - Enable Upstash Redis rate limiting.
+ * @param {string} [options.upstash.url] - Upstash Redis REST URL.
+ * @param {string} [options.upstash.token] - Upstash Redis REST token.
+ * @param {boolean} [options.upstash.analytics] - Enable analytics for rate limiting.
  */
 export async function rateLimit({
     request,
     response,
-    sessionLimit = 30,
-    ipLimit = 300,
-    windowMs = 15 * 1000
-}: { request: NextRequest; response: NextResponse; sessionLimit?: number; ipLimit?: number; windowMs?: number }) {
-    const ip = request.headers.get("x-forwarded-for") || request.headers.get("x-real-ip")
+    sessionLimit = 20,
+    ipLimit = 100,
+    sessionWindow = 10,
+    ipWindow = 10,
+    upstash = {},
+    windowMs,
+}: RateLimitOptions) {
+    const errorResponse = NextResponse.json({ message: "Too Many Requests" }, { status: 429 })
+
+    const ip = request.headers.get('x-forwarded-for')?.split(',')[0] || '127.0.0.1'
     let sessionId = (await cookies()).get('session_id')?.value
 
     if (!sessionId) {
         sessionId = uuidv4()
         response.cookies.set("session_id", sessionId)
     }
 
-    // Check IP rate limit
-    if (ip && handleRateLimiting(ip, ipLimit, windowMs)) {
-        const response = { message: "Too Many Requests" }
-        console.warn(`Rate limit exceeded for IP: ${ip}`)
-        return new NextResponse(JSON.stringify(response), {
-            status: 429,
-            headers: {
-                "Content-Type": "application/json"
+    upstash.url = upstash.url || process.env.UPSTASH_REDIS_REST_URL
+    upstash.token = upstash.token || process.env.UPSTASH_REDIS_REST_TOKEN
+
+    // Merge defaults with provided config
+    if (upstash.enabled && upstash.url && upstash.token) {
+        initialize({
+            sessionLimit,
+            sessionWindow,
+            ipLimit,
+            ipWindow,
+            upstash: {
+                url: upstash.url,
+                token: upstash.token,
             }
         })
+
+        const { success, pending, limit, reset, remaining } =
+            await sessionRatelimit.limit(sessionId)
+
+        if (!success) {
+            console.warn(`Rate limit exceeded for session ID: ${sessionId}`)
+            return errorResponse
+        }
+
+        const { success: ipSuccess } = await ipRatelimit.limit(ip)
+
+        if (!ipSuccess) {
+            console.warn(`Rate limit exceeded for IP: ${ip}`)
+            return errorResponse
+        }
+
+        return response
+    }
+
+    // Check IP rate limit
+    if (ip && handleRateLimiting(ip, ipLimit, windowMs || ipWindow * 1000)) {
+        console.warn(`Rate limit exceeded for IP: ${ip}`)
+        return errorResponse
     }
 
     // Check session rate limit
-    if (handleRateLimiting(sessionId, sessionLimit, windowMs)) {
-        const response = { message: "Too Many Requests" }
+    if (handleRateLimiting(sessionId, sessionLimit, windowMs || sessionWindow * 1000)) {
         console.warn(`Rate limit exceeded for session ID: ${sessionId}`)
-        return new NextResponse(JSON.stringify(response), {
-            status: 429,
-            headers: {
-                "Content-Type": "application/json"
-            }
-        })
+        return errorResponse
     }
 
-    return null
+    return response
 }
 
 export function handleRateLimiting(key: string, limit: number, windowMs: number) {
@@ -81,4 +170,4 @@ export function handleRateLimiting(key: string, limit: number, windowMs: number)
     // Add the current timestamp to the list
     validTimestamps.push(currentTime)
     return false
-}
+}