62 lines
1.7 KiB
JavaScript
62 lines
1.7 KiB
JavaScript
import * as log4js from '../../log4js.js'
|
|
import { getClientIp } from '../../utils.js'
|
|
|
|
/**
|
|
* 简单内存限流中间件(基于滑动窗口计数)
|
|
*
|
|
* 默认规则:
|
|
* - 注册/发验证码:每 IP 每分钟最多 5 次
|
|
* - 登录:每 IP 每分钟最多 20 次
|
|
* - 其余 /api/*:每 IP 每分钟最多 100 次
|
|
*
|
|
* 生产环境建议替换为 Redis 方案以支持多实例
|
|
*/
|
|
|
|
// Map<ip+path, [timestamps...]>
|
|
const requestMap = new Map()
|
|
|
|
// 配置:[path前缀/全路径, 时间窗口(ms), 最大请求数]
|
|
const RULES = [
|
|
['/api/register', 60_000, 5],
|
|
['/api/send_code', 60_000, 5],
|
|
['/api/login', 60_000, 20],
|
|
['/api/', 60_000, 200],
|
|
]
|
|
|
|
// 定时清理过期记录,避免内存泄漏
|
|
setInterval(() => {
|
|
const now = Date.now()
|
|
for (const [key, timestamps] of requestMap.entries()) {
|
|
const fresh = timestamps.filter(t => now - t < 60_000)
|
|
if (fresh.length === 0) requestMap.delete(key)
|
|
else requestMap.set(key, fresh)
|
|
}
|
|
}, 30_000)
|
|
|
|
export default async function rateLimiter(ctx, next) {
|
|
if (!ctx.path.startsWith('/api/')) return next()
|
|
|
|
const ip = getClientIp(ctx)
|
|
const now = Date.now()
|
|
|
|
// 匹配第一条符合的规则
|
|
const rule = RULES.find(([prefix]) => ctx.path.startsWith(prefix))
|
|
if (!rule) return next()
|
|
|
|
const [prefix, windowMs, maxReq] = rule
|
|
const key = `${ip}:${prefix}`
|
|
|
|
const timestamps = (requestMap.get(key) || []).filter(t => now - t < windowMs)
|
|
timestamps.push(now)
|
|
requestMap.set(key, timestamps)
|
|
|
|
if (timestamps.length > maxReq) {
|
|
log4js.koa.warn(`限流触发: ${ip} ${ctx.path} (${timestamps.length}/${maxReq})`)
|
|
ctx.status = 429
|
|
ctx.body = { code: 429, message: '请求过于频繁,请稍后再试!' }
|
|
return
|
|
}
|
|
|
|
return next()
|
|
}
|