# Rate Limiting

## Introduction
Rate limiting is powered by `express-rate-limit` and applied in two layers:

- Global limiter in framework middleware boot (`Middleware.use(...)`)
- Route-level limiters via aliases (e.g. login/register throttles)
## Global rate limiter
In the middleware stack, the framework applies:
TypeScript
Default app config (`app/Config/rate-limit.ts`):
TypeScript
This limiter runs for every request unless you override the config.
## Auth-specific throttles
Built-in stricter middlewares (`lib/Auth/loginRateLimit.ts`):

- `loginRateLimit`: 20 attempts / 15 minutes
- `registerRateLimit`: 10 attempts / 60 minutes

Kernel aliases (`app/Http/kernel.ts`):

- `loginThrottle` -> `loginRateLimit`
- `registerThrottle` -> `registerRateLimit`
Use them on routes through route middleware aliasing.
## Route usage example
TypeScript
## Response behavior

When a client exceeds a limit, `express-rate-limit` responds with HTTP 429 and the configured message payload.
Examples from the built-ins:

- login: `{ message: "Too many login attempts. Try again later." }`
- register: `{ message: "Too many registration attempts. Try again later." }`
## Tuning recommendations
- Keep a moderate global cap for general traffic.
- Apply stricter route-level limits for auth and sensitive endpoints.
- For deployments behind proxies/load balancers, validate trust-proxy behavior carefully: the limiter keys on the client IP, so an untrusted proxy makes every client share the proxy's address and one bucket, while trusting forwarding headers that no proxy actually sets lets each request choose its own key.
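To make the 429 behaviour and the trust-proxy recommendation concrete, here is an added example written for this page; it is not code from the framework or from `express-rate-limit`. It models a fixed-window limiter with the same option shape as the built-ins above (`windowMs`, `max`, `message`), and the request/response shapes, the `clientKey`, `createLimiter` and `countRejected` helpers, and all addresses in the sample traffic are constructed for this illustration.

```typescript
// Added example, not the framework's or express-rate-limit's own code: a
// minimal fixed-window limiter with the option shape the page's built-ins
// use (windowMs, max, message). It exercises the 429 payload and the
// trust-proxy keying caveat without a running server.

export interface RateLimitOptions {
  windowMs: number;             // length of the counting window, in ms
  max: number;                  // requests allowed per key per window
  message: { message: string }; // JSON payload sent with a 429
}

// Hypothetical minimal request/response shapes: only the fields the limiter needs.
export interface Req {
  remoteAddress: string; // address of the TCP peer (the proxy, when behind one)
  headers: Record<string, string | undefined>;
}
export interface Res {
  status: number;
  body: unknown;
  headers: Record<string, string>;
}

// Same values as the page's built-ins.
export const loginRateLimit: RateLimitOptions = {
  windowMs: 15 * 60 * 1000,
  max: 20,
  message: { message: "Too many login attempts. Try again later." },
};
export const registerRateLimit: RateLimitOptions = {
  windowMs: 60 * 60 * 1000,
  max: 10,
  message: { message: "Too many registration attempts. Try again later." },
};

// Key selection. trustProxy=false keys on the socket peer; trustProxy=true keys
// on the left-most X-Forwarded-For entry, which is only meaningful when a proxy
// you control sets that header on every request.
export function clientKey(req: Req, trustProxy: boolean): string {
  const xff = req.headers["x-forwarded-for"];
  if (trustProxy && xff) return xff.split(",")[0].trim();
  return req.remoteAddress;
}

// Returns a checker: null lets the request through, a Res is the 429 reply.
export function createLimiter(opts: RateLimitOptions, trustProxy: boolean) {
  const hits = new Map<string, { count: number; resetAt: number }>();
  return function check(req: Req, now: number): Res | null {
    const key = clientKey(req, trustProxy);
    let entry = hits.get(key);
    if (entry === undefined || now >= entry.resetAt) {
      entry = { count: 0, resetAt: now + opts.windowMs }; // start a new window
      hits.set(key, entry);
    }
    entry.count += 1;
    if (entry.count > opts.max) {
      const retryAfterSec = Math.ceil((entry.resetAt - now) / 1000);
      return { status: 429, body: opts.message, headers: { "Retry-After": String(retryAfterSec) } };
    }
    return null;
  };
}

// Sends every request in `reqs` at time 0 and returns how many received a 429.
export function countRejected(opts: RateLimitOptions, trustProxy: boolean, reqs: Req[]): number {
  const check = createLimiter(opts, trustProxy);
  return reqs.filter((r) => check(r, 0) !== null).length;
}

// Constructed traffic: 25 attempts at one endpoint from a single direct client.
const sameClient: Req[] = Array.from({ length: 25 }, () => ({
  remoteAddress: "203.0.113.10",
  headers: {},
}));
// Constructed: same socket peer and no real proxy, but every request carries a
// different X-Forwarded-For value. Shows why trusting the header is unsafe here.
const forgedHeaders: Req[] = Array.from({ length: 25 }, (_, i) => ({
  remoteAddress: "203.0.113.10",
  headers: { "x-forwarded-for": `198.51.100.${i + 1}` },
}));
// Constructed: behind a real proxy, the peer is the proxy and 25 distinct users
// appear in the header, one attempt each.
const viaProxy: Req[] = Array.from({ length: 25 }, (_, i) => ({
  remoteAddress: "10.0.0.2",
  headers: { "x-forwarded-for": `198.51.100.${i + 1}, 10.0.0.2` },
}));

export const results = {
  direct: countRejected(loginRateLimit, false, sameClient),                // 5: attempts 21..25 rejected
  trustedWithoutProxy: countRejected(loginRateLimit, true, forgedHeaders), // 0: each header value gets its own bucket
  untrustedBehindProxy: countRejected(loginRateLimit, false, viaProxy),    // 5: 25 users share the proxy's bucket
  trustedBehindProxy: countRejected(loginRateLimit, true, viaProxy),       // 0: one attempt per real user
};
```

The `results` object is the check to run against your own deployment: the two "behind proxy" rows should agree with how your load balancer actually sets `X-Forwarded-For`, and the `trustedWithoutProxy` row is the configuration to avoid, because the limit then no longer binds to the client that sends the requests.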
## Summary

- The global limit comes from `app.config.rateLimit`.
- Use the `loginThrottle`/`registerThrottle` aliases for auth endpoints.
- All limits are built on `express-rate-limit` and return 429 on excess requests.
