lower rate limit in production much higher in dev and test (#25688)

peterbe · web-flow · commit bada144c3675 · 2022-02-28T16:58:48.000-05:00
* lower rate limit in production much higher in dev and test

* custom rate limit for browser tests

* feedbacked
diff --git a/docker-compose.prod.tmpl.yaml b/docker-compose.prod.tmpl.yaml
@@ -16,6 +16,7 @@ services:
       HEROKU_APP_NAME: ${HEROKU_APP_NAME}
       ENABLED_LANGUAGES: ${ENABLED_LANGUAGES}
       DEPLOYMENT_ENV: ${DEPLOYMENT_ENV}
+      RATE_LIMIT_MAX: ${RATE_LIMIT_MAX}
       HEROKU_PRODUCTION_APP: true
       PORT: 4000
       DD_AGENT_HOST: datadog-agent
diff --git a/middleware/rate-limit.js b/middleware/rate-limit.js
@@ -3,6 +3,11 @@ import statsd from '../lib/statsd.js'
 
 const EXPIRES_IN_AS_SECONDS = 60
 
+const MAX = process.env.RATE_LIMIT_MAX ? parseInt(process.env.RATE_LIMIT_MAX, 10) : 1000
+if (isNaN(MAX)) {
+  throw new Error(`process.env.RATE_LIMIT_MAX (${process.env.RATE_LIMIT_MAX}) not a number`)
+}
+
 export default rateLimit({
   // 1 minute
   windowMs: EXPIRES_IN_AS_SECONDS * 1000,
@@ -13,7 +18,7 @@ export default rateLimit({
   // by the current number of instances.
   // We have see DDoS attempts against prod that hits the `/` endpoint
   // (and not following the redirect to `/en`) at roughly 200k per minute.
-  max: process.env.NODE_ENV === 'test' ? 1000 : 100,
+  max: MAX,
 
   // Return rate limit info in the `RateLimit-*` headers
   standardHeaders: true,
