Hey, welcome everybody, my name is Roddy and today we're going to look at rate limiting, which is a strategy for limiting network traffic. It limits how often someone can repeat an action within a certain time frame, like logging into an account. It can protect against API endpoint overuse and also malicious bot activity, brute-force attacks, DDoS, web scraping, etc. I've already created a brand new project folder called Rate Limit Tutorial, and inside here is where we're going to initialize a new project. On Windows, you can do left shift, right click and open in Terminal or PowerShell, whatever you prefer. Essentially this is going to cd to the current folder that I'm in, the Rate Limit Tutorial folder, which is located on my desktop. If you're unable to do this, you can cd to your project folder using the cd command; just make sure you navigate to the folder where you want to initialize your project. In order to initialize a new project, we can do npm init and then -y in order to skip all the questions, such as the name, version, description and so on. This creates a very basic package.json file inside the project folder, as you can see. Now we can install the packages that we need by doing npm i (i for install) and then express and then express-rate-limit, and this is going to install the packages. Let's clear this super quickly and install the last thing, which is going to be nodemon. So npm i and then --save-dev and then nodemon. nodemon is a development dependency, and that's why I'm putting the --save-dev. nodemon essentially is going to restart the server for us every time we make a change instead of us restarting it manually. Now let's open the project in VS Code by doing code . or you can open your code editor and just go to File and Open Folder, and for me this is the Rate Limit Tutorial folder. 
So now inside the Explorer here, you will see that we have the package.json file that we just created, and we have the dependencies that we installed, such as express and express-rate-limit. We also have the development dependency nodemon here, which I want to use. To be able to use this, we can go into the scripts and, just after the test line, put a comma, create another line and call this one start, then a colon, and inside here we say nodemon and then app.js. So we want to start the application with nodemon, and our application is called app.js, which we're going to create now. Let's save this and close the package.json file. Go to the Explorer here and let's create a new file, and this is going to be called app.js. Now that we've created this, open it and let's close the Explorer so we can focus on it. The first thing that we need to do is create a very basic Express server. So const express equals require and then we require 'express' inside here. Now we need to initialize a new Express application, and to do this we can do const app equals express(), and this basically creates a new Express application. Now we can give it a port number, const port, and this port number, for example, can be 5000 as we're just developing locally; this is going to be absolutely fine. Then what we want to do is app.listen and we want to listen on this port number, 5000, and then a comma and another function like so, and it's going to say console.info and then, in backticks, app listening on port and then, with the dollar sign and curly brackets, we pull in the port const from here. Save. This is pretty much how you create a very basic Express application. Now let's run this. 
So I'm going to go back to PowerShell in this case and, as long as we are cd'd into this folder, I can do npm start. This is going to start the application, and as you can see nodemon starts the app.js file and is listening for changes, which is great. Also the app is listening on port 5000, which means that we can view it in the browser. If I open a browser super quickly and go to localhost on port 5000, you will see that we're getting Cannot GET /. This is because we don't have any routes created just yet. So let's create the first one and go back inside here. I'm going to create a dummy REST API route. So let's say app.get and inside here let's say this is going to be /api/v1, for example; it doesn't really matter too much. Then a comma, and this is going to be a function that takes the request and the response, and inside the curly brackets is where we're going to respond. So we do res.json and inside here we can just put some dummy data. For example, we can do something like an id of 1, a title of Node.js, and a description of JavaScript runtime built on Chrome's V8 JavaScript engine. This is just an example. If we save this and go to localhost:5000/api/v1, you will see that we're getting the raw JSON here with the id of 1, the title and so on. All right. Now let's have a look at how we can use the rate limit. Let's create a new const here at the top called rateLimit, and this is going to be require('express-rate-limit'). Now, in order to be able to use it, we can set up a few basic options. So for example, under the port here, let's make some space and create a new const called limiter. Inside here we call rateLimit and give it a few options inside curly brackets. 
Now, the first option inside here is called windowMs, and this is essentially the time frame, in milliseconds, for which requests are checked and remembered. So for example, let's say 15 times 60 times 1000. This is going to give you a 15-minute window. We also need to give it a max number, so we do max of 5, meaning a maximum of five requests in this time frame; of course, give it whatever you like. This is going to limit each IP to five requests, like so. This is a very basic usage of this. Now, in order to use this on all the routes that we have (at the moment we only have one, but if you had more routes and wanted to use it globally), what you can do is app.use and then just pass the limiter, like so. Now this is going to work on pretty much every route that we create. So let me save this and show you what I mean; let's refresh this. One, two, three, four, five, and on the sixth time we're getting "Too many requests, please try again later." We could also change this message if you wish. Inside the options we can add another one; as long as you have a comma here, we can add message, and for the message I'm going to paste "Too many API requests from this IP, please try again after 15 minutes." Save this. By the way, every time I save it's restarting the actual server here, so it's not going to remember what happened. So if I refresh the page now, it's going to show me the original API, and I need to refresh it a few more times: one, two, three, four, five, "Too many API requests from this IP, please try again after 15 minutes." Now, as long as I don't restart the application, I need to wait 15 minutes in order to be able to see the actual API again, which is great. Now let me show you how we can do this for a specific route, for example. Let's say that we had a different route. I'm going to copy this and paste it in here. 
Instead of /api/v1, let's say, for example, that you had a /login page, and instead of res.json let's do res.send and send something like "Imaginary login form." So if I go to /login now, like so: imaginary login form. And if I refresh five times, one, two, three, four, five, here we go: too many API requests. So this is working on all routes. Now let's say that I want to only limit the API. In order to do this, let's comment this out so you can have it as an example, and let's copy and paste it in here. Inside here we can give it the route that we want, so a comma first and then '/api' as the first argument of app.use. Now all the API routes that we have are going to be limited to five requests per 15 minutes. Let me save this and go back. Essentially, the login should be working now. I'm going to press enter: the imaginary login form is here. And if you keep pressing F5, as you can see, the login form keeps working. But if I go to /api/v1 and press it a couple of times, this is going to be blocked. Perfect. Now let's say that we wanted to make a specific one for the login. Let's go back to /login super quickly. Here we go, imaginary login form. Let's say you want to limit this as well, just so people are not trying to log in too many times; let's say there is a bot that is just trying and trying and trying. We want to limit this and make it a little bit more specific. For example, I can copy this limiter and give it a different name; we can call this one loginAccountLimiter, like so. Then I can copy that const name from here and paste it into the login route, between the path and the handler function, as a middleware: so another comma and paste it in here. And instead of "Too many API requests," let's say something else, like "Try again after 15 minutes." Of course, you can change the numbers, but this one is very specific to the login page. Now if we go back, we have the imaginary login form. 
Let's say somebody keeps trying to log in. It could be a malicious user, it could be a bot, whatever. Now if we do one, two, three, four, five, six: "Try again after 15 minutes," and now they can't do anything. The last thing that I wanted to show you is that if you right click and Inspect, you will see the Network tab, and we need to refresh now. If I click on the login page here, let me zoom in (okay, I can't move this anymore), but inside here, if we look at the response headers, you will see that we have a couple of new headers, such as X-RateLimit-Limit, which is set to 5, as we put in the code; X-RateLimit-Remaining, which is now set to 0; and X-RateLimit-Reset. Now you can disable those headers, but they can also be super helpful if you're building your application, so I just wanted to mention this. If I restart the application super quickly, so I'm making a change, let me save it. And yep, that crashed, but it's now listening again, which is great. If I refresh the page, you will see that on the login form we have X-RateLimit-Remaining of 4. If I refresh it, we should have 3, 2 and then 1, and then it's going to block on the next one. Here we go, we have remaining 0, so refresh and "Try again after 15 minutes." And that's pretty much it. There are a lot more options that you can use. Head to npmjs.com/package/express-rate-limit and have a look at some of the options; there are some pretty good ones in here. For example, you have functions such as onLimitReached and skip, you can allow-list IPs, skip successful requests, and so on. There are a lot of options that you can use, so have a look at the official documentation. And now that you know about it, I guess you can always Google and find the stuff that you need. 
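To make the mechanism behind the windowMs, max and message options and the X-RateLimit-* headers discussed above concrete, here is an added example that is not the tutorial's app.js and not the express-rate-limit package's own code: a hand-written fixed-window limiter in the same middleware shape, exercised with constructed req/res stand-ins (assumed names createLimiter, hit and runScenario; the injectable `now` clock is an assumption so the window reset can be replayed offline).

```javascript
// Added example (not express-rate-limit's own code): a minimal fixed-window
// limiter with the tutorial's options and X-RateLimit-* headers. `now` is an
// assumed injectable clock so a window reset can be shown offline.
function createLimiter({ windowMs, max, message, now = Date.now }) {
  const hits = new Map(); // client IP -> { count, resetAt }
  return function limiter(req, res, next) {
    const t = now();
    let entry = hits.get(req.ip);
    // Start a fresh window when there is none or the old one has expired.
    if (!entry || t >= entry.resetAt) {
      entry = { count: 0, resetAt: t + windowMs };
      hits.set(req.ip, entry);
    }
    entry.count += 1;
    res.setHeader('X-RateLimit-Limit', String(max));
    res.setHeader('X-RateLimit-Remaining', String(Math.max(0, max - entry.count)));
    res.setHeader('X-RateLimit-Reset', String(Math.ceil(entry.resetAt / 1000)));
    if (entry.count > max) {
      res.status(429).send(message); // the reply the tutorial saw on the 6th hit
      return;
    }
    next();
  };
}
// Constructed stand-ins for Express's req/res so the limiter runs without a server.
function hit(limiter, ip) {
  const out = { ip, passed: false, status: 200, headers: {}, body: null };
  const res = {
    setHeader(k, v) { out.headers[k] = v; },
    status(c) { out.status = c; return this; },
    send(b) { out.body = b; },
  };
  limiter({ ip }, res, () => { out.passed = true; });
  return out;
}
// Replays the tutorial: five requests pass, the sixth is blocked, another IP
// has its own bucket, and the first IP is allowed again after the window.
function runScenario() {
  let clock = 1000000; // constructed start time in ms
  const limiter = createLimiter({
    windowMs: 15 * 60 * 1000, max: 5, now: () => clock,
    message: 'Too many API requests from this IP, please try again after 15 minutes',
  });
  const results = [];
  for (let i = 0; i < 6; i++) results.push(hit(limiter, '203.0.113.7'));
  const otherClient = hit(limiter, '198.51.100.9');
  clock += 15 * 60 * 1000; // window expires
  return { results, otherClient, afterReset: hit(limiter, '203.0.113.7') };
}
```

Because the counts live in memory, a restart forgets them, which is exactly what the tutorial observed every time nodemon reloaded the server.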
That's pretty much everything from this tutorial. I hope that you liked it. I hope that you found it useful. Consider subscribing to my channel and like this video. Thank you very much for watching.