Seems like DDPRateLimiter is using the wrong IP addresses?

tbonezone · October 24, 2017, 2:17am

When I tried rate limiting by IP address, it seems that DDPRateLimiter was using my upstream proxy IP address even though I had set HTTP_FORWARDED_COUNT properly. I think there is/was an off-by-1 bug in _clientAddress function in the ddp-server package in livedata_server.js? The last line was

return forwardedFor[forwardedFor.length - httpForwardedCount];

Whereas it seems like you should subtract 1 from that. I changed it, and it seems to be using the right IP address now.

tbonezone · October 24, 2017, 2:20am

A second issue is that DDPRateLimiter should not bin ipv6 addresses by the entire 128 bits because the last 64 bits are a dime an exadozen, and this is a security feature. So, you should only bin ipv6 by the first 64 bits. Obviously someone could still botnet attack you but this package can not help you there.

robfallows · October 24, 2017, 9:47am

I think you should raise these as issues on Github.

tbonezone · October 24, 2017, 10:53pm

Okay, will try that.