codemod/express-rate-limiting-middleware-addition

Automatically add rate limiting middleware to Express.js route handlers that don't have existing rate limiting

Express Rate Limiting Middleware Addition

Automatically add rate limiting middleware to Express.js route handlers that don't have existing rate limiting protection. This helps prevent DDoS attacks and brute force attempts by adding appropriate rate limiting to API endpoints.

What it does

This codemod automatically:

  • Detects Express routes that serve API endpoints (paths starting with /api/)
  • Adds appropriate rate limiting based on the route type:
    • General API routes: 100 requests per 15 minutes
    • Authentication routes (/api/auth/, /api/login, etc.): a stricter 5 requests per 15 minutes
  • Imports express-rate-limit if not already present
  • Creates rate limiter configurations (apiLimiter, authLimiter) with sensible defaults
  • Preserves existing middleware by inserting rate limiting in the correct position

Before and After

Basic API Routes

Before:

javascript

After:

javascript

Authentication Routes

Before:

javascript

After:

javascript

What gets transformed

Routes that will be transformed:

  • Routes with paths starting with /api/
  • Express app and router method calls (app.get, router.post, etc.)
  • app.use calls with API paths
  • Routes without existing rate limiting

Routes that are excluded:

  • Health check endpoints (/health, /status, /ping)
  • Root path handlers (/)
  • Static file serving (express.static)
  • Routes already containing rate limiting middleware
  • Routes with // no-rate-limit or // @no-rate-limit comments
  • Routes containing rate limiting keywords (rate, limit, throttle)
  • Non-API routes (paths not starting with /api/)
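The selection rules above, written out as a pure function over a route description. This is an added illustration for this page, not the codemod's own source: the `classifyRoute` name, the route-object shape, the decision to apply the keyword check to middleware names, and the handling of the README's "etc." in the auth path list (only `/api/auth/` and `/api/login` are used) are all assumptions.

```javascript
// Added example: the route-selection rules this README lists, as a pure
// function. Illustration written for this page, not the codemod's source.

const HEALTH_CHECK_PATHS = new Set(['/health', '/status', '/ping']);
const RATE_LIMIT_KEYWORDS = /rate|limit|throttle/i;       // checked on middleware names (assumption)
const OPT_OUT_COMMENT = /\/\/\s*@?no-rate-limit\b/;       // "// no-rate-limit" or "// @no-rate-limit"
// README says "/api/auth/, /api/login, etc."; only the two named patterns are
// used here (assumption: the real codemod's list is longer).
const AUTH_PATH = /^\/api\/(auth\/|login(\/|$))/;

/**
 * route = { path: string, middleware?: string[], comment?: string }
 * Returns the limiter name the codemod would insert ('authLimiter' or
 * 'apiLimiter'), or null when the route is left untouched.
 */
function classifyRoute(route) {
  const { path, middleware = [], comment = '' } = route;

  // Exclusions, in the order the README lists them.
  if (path === '/') return null;                                   // root path handler
  const lastSegment = '/' + path.split('/').pop();
  if (HEALTH_CHECK_PATHS.has(path) || HEALTH_CHECK_PATHS.has(lastSegment)) {
    return null;                                                   // health checks (nested form is an assumption)
  }
  if (middleware.includes('express.static')) return null;          // static file serving
  if (OPT_OUT_COMMENT.test(comment)) return null;                  // explicit opt-out comment
  if (middleware.some((name) => RATE_LIMIT_KEYWORDS.test(name))) {
    return null;                                                   // already rate limited / throttled
  }
  if (!path.startsWith('/api/')) return null;                      // non-API route

  return AUTH_PATH.test(path) ? 'authLimiter' : 'apiLimiter';
}

// Apply the rule to a whole route table and report what would change.
function planChanges(routes) {
  return routes
    .map((route) => ({ path: route.path, limiter: classifyRoute(route) }))
    .filter((plan) => plan.limiter !== null);
}

// Constructed sample route table for demonstration.
const sampleRoutes = [
  { path: '/api/users', middleware: ['authenticate'] },
  { path: '/api/auth/token' },
  { path: '/api/login' },
  { path: '/api/search', middleware: ['searchThrottle'] },
  { path: '/api/export', comment: '// @no-rate-limit' },
  { path: '/api/ping' },
  { path: '/health' },
  { path: '/' },
  { path: '/public', middleware: ['express.static'] },
];

console.log(planChanges(sampleRoutes));
```

Running the block prints the two-entry plan for `/api/users` (apiLimiter) plus `/api/auth/token` and `/api/login` (authLimiter); every other sample route is skipped for one of the listed reasons.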

Installation & Usage

bash

Requirements

  • Your project must use Express.js
  • Routes should follow the /api/ path convention for API endpoints
  • The codemod will add express-rate-limit as a dependency if not present

Configuration

The codemod uses these default rate limiting configurations:

  • API Limiter: 100 requests per 15 minutes for general API endpoints
  • Auth Limiter: 5 requests per 15 minutes for authentication endpoints with skipSuccessfulRequests: true

You can customize these limits after running the codemod by modifying the generated apiLimiter and authLimiter configurations.
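To make the two default configurations concrete, the added example below writes them as option objects in the shape express-rate-limit accepts (`windowMs`, `max`, which newer releases also spell `limit`, and `skipSuccessfulRequests`) and drives them through a small in-memory fixed-window counter so the semantics can be exercised without Express installed. The counter is a stand-in written for this page, not express-rate-limit and not the code the codemod emits; the `FixedWindowLimiter` and `simulate` names are assumptions. It shows the point of `skipSuccessfulRequests: true` on the auth limiter: only failed attempts (status 400 or above) consume the budget of 5, so a legitimate user who logs in successfully is not locked out by their own traffic.

```javascript
// Added example: the apiLimiter / authLimiter defaults from this README,
// exercised by a dependency-free fixed-window counter (illustration only,
// not express-rate-limit itself).

const FIFTEEN_MINUTES = 15 * 60 * 1000;

// General API endpoints: 100 requests per 15 minutes, every request counts.
const apiLimiterOptions = {
  windowMs: FIFTEEN_MINUTES,
  max: 100,
  skipSuccessfulRequests: false,
};

// Authentication endpoints: 5 requests per 15 minutes; responses with a
// status below 400 are uncounted, so only failed attempts use the budget.
const authLimiterOptions = {
  windowMs: FIFTEEN_MINUTES,
  max: 5,
  skipSuccessfulRequests: true,
};

class FixedWindowLimiter {
  constructor(options) {
    this.options = options;
    this.buckets = new Map(); // clientKey -> { count, windowStart }
  }

  // `now` is injected (ms) so callers can advance the clock; `respond` returns
  // the status code the underlying handler would have produced.
  handle(clientKey, now, respond) {
    let bucket = this.buckets.get(clientKey);
    if (!bucket || now - bucket.windowStart >= this.options.windowMs) {
      bucket = { count: 0, windowStart: now }; // new window
      this.buckets.set(clientKey, bucket);
    }
    if (bucket.count >= this.options.max) {
      return { allowed: false, status: 429 }; // Too Many Requests
    }
    bucket.count += 1;
    const status = respond();
    if (this.options.skipSuccessfulRequests && status < 400) {
      bucket.count -= 1; // mirror express-rate-limit: uncount successful responses
    }
    return { allowed: true, status };
  }
}

// requests: numbers (status at t=0) or { at: ms, status } objects.
// Returns the status each request ends with (429 when limited).
function simulate(options, requests, clientKey = '203.0.113.7') {
  const limiter = new FixedWindowLimiter(options);
  return requests.map((r) => {
    const { at, status } = typeof r === 'number' ? { at: 0, status: r } : r;
    return limiter.handle(clientKey, at, () => status).status;
  });
}

// Constructed sample: five failed logins, then a sixth attempt in the same window.
console.log(simulate(authLimiterOptions, [401, 401, 401, 401, 401, 401]));
```

Returning a 429 at the limit rather than silently dropping the request is also what lets you alert on repeated 429s per client in access logs, which is the cheap detection signal that usually accompanies this kind of middleware.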

Security Benefits

  • Prevents DDoS attacks by limiting request rates
  • Reduces brute force attack effectiveness with stricter auth limits
  • Improves API stability under high load
  • Follows security best practices as recommended by OWASP

Development

bash

License

MIT