feat: add rate limit to web endpoints (#2799)

* feat: add rate limit to web endpoints * fix: types express conflict * fix: undefined issue * fix: tests
2025-03-25 02:32:52 -05:00 · 2021-12-23 17:35:31 +01:00 · 2021-12-23 17:35:31 +01:00 · c91d6beb8b
commit c91d6beb8b
parent b2b3804f87
34 changed files with 451 additions and 69 deletions
--- a/.pnp.js
+++ b/.pnp.js
@ -64,7 +64,9 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) {
            ["@commitlint/config-conventional", "npm:12.1.4"],
            ["@octokit/rest", "npm:18.6.0"],
            ["@types/async", "npm:3.2.9"],
-            ["@types/express", "npm:4.17.6"],
+            ["@types/express", "npm:4.17.11"],
+            ["@types/express-rate-limit", "npm:5.1.3"],
+            ["@types/express-serve-static-core", "npm:4.17.19"],
            ["@types/http-errors", "npm:1.8.1"],
            ["@types/jest", "npm:26.0.14"],
            ["@types/lodash", "npm:4.14.167"],
@ -109,7 +111,8 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) {
            ["eslint-plugin-jest", "virtual:7f7b3df50ee4b7b1719ad19fad11505dc2788f3227a7e5cc9ca19f71d8cb309c9d33b532ea2b2b60ab65abf6cc12153df4643c5e6e17d01ea0ae0492723bb4b4#npm:24.3.6"],
            ["eslint-plugin-simple-import-sort", "virtual:7f7b3df50ee4b7b1719ad19fad11505dc2788f3227a7e5cc9ca19f71d8cb309c9d33b532ea2b2b60ab65abf6cc12153df4643c5e6e17d01ea0ae0492723bb4b4#npm:7.0.0"],
            ["eslint-plugin-verdaccio", "npm:9.6.1"],
-            ["express", "npm:4.17.1"],
+            ["express", "npm:4.17.2"],
+            ["express-rate-limit", "npm:5.5.1"],
            ["fast-safe-stringify", "npm:2.0.8"],
            ["fs-extra", "npm:10.0.0"],
            ["handlebars", "npm:4.7.7"],
@ -4495,23 +4498,54 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) {
        }]
      ]],
      ["@types/express", [
-        ["npm:4.17.6", {
-          "packageLocation": "./.yarn/cache/@types-express-npm-4.17.6-e48d33b003-45e31c66a0.zip/node_modules/@types/express/",
+        ["npm:4.17.11", {
+          "packageLocation": "./.yarn/cache/@types-express-npm-4.17.11-1b3f17f056-2818120a0f.zip/node_modules/@types/express/",
          "packageDependencies": [
-            ["@types/express", "npm:4.17.6"],
+            ["@types/express", "npm:4.17.11"],
            ["@types/body-parser", "npm:1.19.0"],
-            ["@types/express-serve-static-core", "npm:4.17.13"],
+            ["@types/express-serve-static-core", "npm:4.17.26"],
            ["@types/qs", "npm:6.9.5"],
-            ["@types/serve-static", "npm:1.13.5"]
+            ["@types/serve-static", "npm:1.13.9"]
+          ],
+          "linkType": "HARD",
+        }],
+        ["npm:4.17.13", {
+          "packageLocation": "./.yarn/cache/@types-express-npm-4.17.13-0e12fe9c24-9f17da703d.zip/node_modules/@types/express/",
+          "packageDependencies": [
+            ["@types/express", "npm:4.17.13"],
+            ["@types/body-parser", "npm:1.19.0"],
+            ["@types/express-serve-static-core", "npm:4.17.26"],
+            ["@types/qs", "npm:6.9.5"],
+            ["@types/serve-static", "npm:1.13.9"]
+          ],
+          "linkType": "HARD",
+        }]
+      ]],
+      ["@types/express-rate-limit", [
+        ["npm:5.1.3", {
+          "packageLocation": "./.yarn/cache/@types-express-rate-limit-npm-5.1.3-9d611672fc-4b9d7d7bbb.zip/node_modules/@types/express-rate-limit/",
+          "packageDependencies": [
+            ["@types/express-rate-limit", "npm:5.1.3"],
+            ["@types/express", "npm:4.17.13"]
          ],
          "linkType": "HARD",
        }]
      ]],
      ["@types/express-serve-static-core", [
-        ["npm:4.17.13", {
-          "packageLocation": "./.yarn/cache/@types-express-serve-static-core-npm-4.17.13-864c105004-6db6f2e0eb.zip/node_modules/@types/express-serve-static-core/",
+        ["npm:4.17.19", {
+          "packageLocation": "./.yarn/cache/@types-express-serve-static-core-npm-4.17.19-3f514f7e12-b6c8c357c5.zip/node_modules/@types/express-serve-static-core/",
          "packageDependencies": [
-            ["@types/express-serve-static-core", "npm:4.17.13"],
+            ["@types/express-serve-static-core", "npm:4.17.19"],
+            ["@types/node", "npm:12.12.21"],
+            ["@types/qs", "npm:6.9.5"],
+            ["@types/range-parser", "npm:1.2.3"]
+          ],
+          "linkType": "HARD",
+        }],
+        ["npm:4.17.26", {
+          "packageLocation": "./.yarn/cache/@types-express-serve-static-core-npm-4.17.26-e4eb025705-0026cc244f.zip/node_modules/@types/express-serve-static-core/",
+          "packageDependencies": [
+            ["@types/express-serve-static-core", "npm:4.17.26"],
            ["@types/node", "npm:12.12.21"],
            ["@types/qs", "npm:6.9.5"],
            ["@types/range-parser", "npm:1.2.3"]
@ -4615,10 +4649,10 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) {
        }]
      ]],
      ["@types/mime", [
-        ["npm:2.0.1", {
-          "packageLocation": "./.yarn/cache/@types-mime-npm-2.0.1-1018885da5-61a328979f.zip/node_modules/@types/mime/",
+        ["npm:1.3.2", {
+          "packageLocation": "./.yarn/cache/@types-mime-npm-1.3.2-ea71878ab3-c354bc1356.zip/node_modules/@types/mime/",
          "packageDependencies": [
-            ["@types/mime", "npm:2.0.1"]
+            ["@types/mime", "npm:1.3.2"]
          ],
          "linkType": "HARD",
        }],
@ -4765,12 +4799,12 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) {
        }]
      ]],
      ["@types/serve-static", [
-        ["npm:1.13.5", {
-          "packageLocation": "./.yarn/cache/@types-serve-static-npm-1.13.5-9e6c8c7261-1d4e222e24.zip/node_modules/@types/serve-static/",
+        ["npm:1.13.9", {
+          "packageLocation": "./.yarn/cache/@types-serve-static-npm-1.13.9-59107a68c3-f261127514.zip/node_modules/@types/serve-static/",
          "packageDependencies": [
-            ["@types/serve-static", "npm:1.13.5"],
-            ["@types/express-serve-static-core", "npm:4.17.13"],
-            ["@types/mime", "npm:2.0.1"]
+            ["@types/serve-static", "npm:1.13.9"],
+            ["@types/mime", "npm:1.3.2"],
+            ["@types/node", "npm:12.12.21"]
          ],
          "linkType": "HARD",
        }]
@ -7254,6 +7288,14 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) {
            ["safe-buffer", "npm:5.1.2"]
          ],
          "linkType": "HARD",
+        }],
+        ["npm:0.5.4", {
+          "packageLocation": "./.yarn/cache/content-disposition-npm-0.5.4-2d93678616-44169dbbfd.zip/node_modules/content-disposition/",
+          "packageDependencies": [
+            ["content-disposition", "npm:0.5.4"],
+            ["safe-buffer", "npm:5.2.1"]
+          ],
+          "linkType": "HARD",
        }]
      ]],
      ["content-type", [
@ -7533,6 +7575,13 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) {
            ["cookie", "npm:0.4.0"]
          ],
          "linkType": "HARD",
+        }],
+        ["npm:0.4.1", {
+          "packageLocation": "./.yarn/cache/cookie-npm-0.4.1-cc5e2ebb42-b8e0928e3e.zip/node_modules/cookie/",
+          "packageDependencies": [
+            ["cookie", "npm:0.4.1"]
+          ],
+          "linkType": "HARD",
        }]
      ]],
      ["cookie-signature", [
@ -9215,6 +9264,52 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) {
            ["vary", "npm:1.1.2"]
          ],
          "linkType": "HARD",
+        }],
+        ["npm:4.17.2", {
+          "packageLocation": "./.yarn/cache/express-npm-4.17.2-fd936fc165-dc1fdb3f85.zip/node_modules/express/",
+          "packageDependencies": [
+            ["express", "npm:4.17.2"],
+            ["accepts", "npm:1.3.7"],
+            ["array-flatten", "npm:1.1.1"],
+            ["body-parser", "npm:1.19.1"],
+            ["content-disposition", "npm:0.5.4"],
+            ["content-type", "npm:1.0.4"],
+            ["cookie", "npm:0.4.1"],
+            ["cookie-signature", "npm:1.0.6"],
+            ["debug", "virtual:ae102dea05b4b2ebd9bdb80ced6eae9dd1d5d0a01169a09e64f91ba0eaff40dd1ecea932caa116db48e3827effae497584f77413673ec5b9dee75f172d589beb#npm:2.6.9"],
+            ["depd", "npm:1.1.2"],
+            ["encodeurl", "npm:1.0.2"],
+            ["escape-html", "npm:1.0.3"],
+            ["etag", "npm:1.8.1"],
+            ["finalhandler", "npm:1.1.2"],
+            ["fresh", "npm:0.5.2"],
+            ["merge-descriptors", "npm:1.0.1"],
+            ["methods", "npm:1.1.2"],
+            ["on-finished", "npm:2.3.0"],
+            ["parseurl", "npm:1.3.3"],
+            ["path-to-regexp", "npm:0.1.7"],
+            ["proxy-addr", "npm:2.0.7"],
+            ["qs", "npm:6.9.6"],
+            ["range-parser", "npm:1.2.1"],
+            ["safe-buffer", "npm:5.2.1"],
+            ["send", "npm:0.17.2"],
+            ["serve-static", "npm:1.14.2"],
+            ["setprototypeof", "npm:1.2.0"],
+            ["statuses", "npm:1.5.0"],
+            ["type-is", "npm:1.6.18"],
+            ["utils-merge", "npm:1.0.1"],
+            ["vary", "npm:1.1.2"]
+          ],
+          "linkType": "HARD",
+        }]
+      ]],
+      ["express-rate-limit", [
+        ["npm:5.5.1", {
+          "packageLocation": "./.yarn/cache/express-rate-limit-npm-5.5.1-3af8247282-445fc5b6bc.zip/node_modules/express-rate-limit/",
+          "packageDependencies": [
+            ["express-rate-limit", "npm:5.5.1"]
+          ],
+          "linkType": "HARD",
        }]
      ]],
      ["ext", [
@ -9654,6 +9749,13 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) {
            ["forwarded", "npm:0.1.2"]
          ],
          "linkType": "HARD",
+        }],
+        ["npm:0.2.0", {
+          "packageLocation": "./.yarn/cache/forwarded-npm-0.2.0-6473dabe35-1e84548d8f.zip/node_modules/forwarded/",
+          "packageDependencies": [
+            ["forwarded", "npm:0.2.0"]
+          ],
+          "linkType": "HARD",
        }]
      ]],
      ["fragment-cache", [
@ -10638,6 +10740,13 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) {
            ["ipaddr.js", "npm:1.9.0"]
          ],
          "linkType": "HARD",
+        }],
+        ["npm:1.9.1", {
+          "packageLocation": "./.yarn/cache/ipaddr.js-npm-1.9.1-19ae7878b4-de15bc7e63.zip/node_modules/ipaddr.js/",
+          "packageDependencies": [
+            ["ipaddr.js", "npm:1.9.1"]
+          ],
+          "linkType": "HARD",
        }]
      ]],
      ["is-accessor-descriptor", [
@ -13102,6 +13211,13 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) {
            ["ms", "npm:2.1.2"]
          ],
          "linkType": "HARD",
+        }],
+        ["npm:2.1.3", {
+          "packageLocation": "./.yarn/cache/ms-npm-2.1.3-81ff3cfac1-6e721e648a.zip/node_modules/ms/",
+          "packageDependencies": [
+            ["ms", "npm:2.1.3"]
+          ],
+          "linkType": "HARD",
        }]
      ]],
      ["mute-stream", [
@ -14363,6 +14479,15 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) {
            ["ipaddr.js", "npm:1.9.0"]
          ],
          "linkType": "HARD",
+        }],
+        ["npm:2.0.7", {
+          "packageLocation": "./.yarn/cache/proxy-addr-npm-2.0.7-dae6552872-ad78682246.zip/node_modules/proxy-addr/",
+          "packageDependencies": [
+            ["proxy-addr", "npm:2.0.7"],
+            ["forwarded", "npm:0.2.0"],
+            ["ipaddr.js", "npm:1.9.1"]
+          ],
+          "linkType": "HARD",
        }]
      ]],
      ["proxy-from-env", [
@ -15204,6 +15329,13 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) {
            ["safe-buffer", "npm:5.2.0"]
          ],
          "linkType": "HARD",
+        }],
+        ["npm:5.2.1", {
+          "packageLocation": "./.yarn/cache/safe-buffer-npm-5.2.1-3481c8aa9b-0bb57f0d8f.zip/node_modules/safe-buffer/",
+          "packageDependencies": [
+            ["safe-buffer", "npm:5.2.1"]
+          ],
+          "linkType": "HARD",
        }]
      ]],
      ["safe-regex", [
@ -15365,6 +15497,26 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) {
            ["statuses", "npm:1.5.0"]
          ],
          "linkType": "HARD",
+        }],
+        ["npm:0.17.2", {
+          "packageLocation": "./.yarn/cache/send-npm-0.17.2-73a3dbeba6-b47bfc0b79.zip/node_modules/send/",
+          "packageDependencies": [
+            ["send", "npm:0.17.2"],
+            ["debug", "virtual:ae102dea05b4b2ebd9bdb80ced6eae9dd1d5d0a01169a09e64f91ba0eaff40dd1ecea932caa116db48e3827effae497584f77413673ec5b9dee75f172d589beb#npm:2.6.9"],
+            ["depd", "npm:1.1.2"],
+            ["destroy", "npm:1.0.4"],
+            ["encodeurl", "npm:1.0.2"],
+            ["escape-html", "npm:1.0.3"],
+            ["etag", "npm:1.8.1"],
+            ["fresh", "npm:0.5.2"],
+            ["http-errors", "npm:1.8.1"],
+            ["mime", "npm:1.6.0"],
+            ["ms", "npm:2.1.3"],
+            ["on-finished", "npm:2.3.0"],
+            ["range-parser", "npm:1.2.1"],
+            ["statuses", "npm:1.5.0"]
+          ],
+          "linkType": "HARD",
        }]
      ]],
      ["serve-static", [
@ -15378,6 +15530,17 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) {
            ["send", "npm:0.17.1"]
          ],
          "linkType": "HARD",
+        }],
+        ["npm:1.14.2", {
+          "packageLocation": "./.yarn/cache/serve-static-npm-1.14.2-3ce50bb5ff-5a38fdf841.zip/node_modules/serve-static/",
+          "packageDependencies": [
+            ["serve-static", "npm:1.14.2"],
+            ["encodeurl", "npm:1.0.2"],
+            ["escape-html", "npm:1.0.3"],
+            ["parseurl", "npm:1.3.3"],
+            ["send", "npm:0.17.2"]
+          ],
+          "linkType": "HARD",
        }]
      ]],
      ["set-blocking", [
@ -17058,7 +17221,9 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) {
            ["@commitlint/config-conventional", "npm:12.1.4"],
            ["@octokit/rest", "npm:18.6.0"],
            ["@types/async", "npm:3.2.9"],
-            ["@types/express", "npm:4.17.6"],
+            ["@types/express", "npm:4.17.11"],
+            ["@types/express-rate-limit", "npm:5.1.3"],
+            ["@types/express-serve-static-core", "npm:4.17.19"],
            ["@types/http-errors", "npm:1.8.1"],
            ["@types/jest", "npm:26.0.14"],
            ["@types/lodash", "npm:4.14.167"],
@ -17103,7 +17268,8 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) {
            ["eslint-plugin-jest", "virtual:7f7b3df50ee4b7b1719ad19fad11505dc2788f3227a7e5cc9ca19f71d8cb309c9d33b532ea2b2b60ab65abf6cc12153df4643c5e6e17d01ea0ae0492723bb4b4#npm:24.3.6"],
            ["eslint-plugin-simple-import-sort", "virtual:7f7b3df50ee4b7b1719ad19fad11505dc2788f3227a7e5cc9ca19f71d8cb309c9d33b532ea2b2b60ab65abf6cc12153df4643c5e6e17d01ea0ae0492723bb4b4#npm:7.0.0"],
            ["eslint-plugin-verdaccio", "npm:9.6.1"],
-            ["express", "npm:4.17.1"],
+            ["express", "npm:4.17.2"],
+            ["express-rate-limit", "npm:5.5.1"],
            ["fast-safe-stringify", "npm:2.0.8"],
            ["fs-extra", "npm:10.0.0"],
            ["handlebars", "npm:4.7.7"],
--- a/.yarn/cache/@types-express-npm-4.17.11-1b3f17f056-2818120a0f.zip
+++ b/.yarn/cache/@types-express-npm-4.17.11-1b3f17f056-2818120a0f.zip
--- a/.yarn/cache/@types-express-npm-4.17.13-0e12fe9c24-9f17da703d.zip
+++ b/.yarn/cache/@types-express-npm-4.17.13-0e12fe9c24-9f17da703d.zip
--- a/.yarn/cache/@types-express-npm-4.17.6-e48d33b003-45e31c66a0.zip
+++ b/.yarn/cache/@types-express-npm-4.17.6-e48d33b003-45e31c66a0.zip
--- a/.yarn/cache/@types-express-rate-limit-npm-5.1.3-9d611672fc-4b9d7d7bbb.zip
+++ b/.yarn/cache/@types-express-rate-limit-npm-5.1.3-9d611672fc-4b9d7d7bbb.zip
--- a/.yarn/cache/@types-express-serve-static-core-npm-4.17.13-864c105004-6db6f2e0eb.zip
+++ b/.yarn/cache/@types-express-serve-static-core-npm-4.17.13-864c105004-6db6f2e0eb.zip
--- a/.yarn/cache/@types-express-serve-static-core-npm-4.17.19-3f514f7e12-b6c8c357c5.zip
+++ b/.yarn/cache/@types-express-serve-static-core-npm-4.17.19-3f514f7e12-b6c8c357c5.zip
--- a/.yarn/cache/@types-express-serve-static-core-npm-4.17.26-e4eb025705-0026cc244f.zip
+++ b/.yarn/cache/@types-express-serve-static-core-npm-4.17.26-e4eb025705-0026cc244f.zip
--- a/.yarn/cache/@types-mime-npm-1.3.2-ea71878ab3-c354bc1356.zip
+++ b/.yarn/cache/@types-mime-npm-1.3.2-ea71878ab3-c354bc1356.zip
--- a/.yarn/cache/@types-mime-npm-2.0.1-1018885da5-61a328979f.zip
+++ b/.yarn/cache/@types-mime-npm-2.0.1-1018885da5-61a328979f.zip
--- a/.yarn/cache/@types-serve-static-npm-1.13.5-9e6c8c7261-1d4e222e24.zip
+++ b/.yarn/cache/@types-serve-static-npm-1.13.5-9e6c8c7261-1d4e222e24.zip
--- a/.yarn/cache/@types-serve-static-npm-1.13.9-59107a68c3-f261127514.zip
+++ b/.yarn/cache/@types-serve-static-npm-1.13.9-59107a68c3-f261127514.zip
--- a/.yarn/cache/content-disposition-npm-0.5.4-2d93678616-44169dbbfd.zip
+++ b/.yarn/cache/content-disposition-npm-0.5.4-2d93678616-44169dbbfd.zip
--- a/.yarn/cache/cookie-npm-0.4.1-cc5e2ebb42-b8e0928e3e.zip
+++ b/.yarn/cache/cookie-npm-0.4.1-cc5e2ebb42-b8e0928e3e.zip
--- a/.yarn/cache/express-npm-4.17.2-fd936fc165-dc1fdb3f85.zip
+++ b/.yarn/cache/express-npm-4.17.2-fd936fc165-dc1fdb3f85.zip
--- a/.yarn/cache/express-rate-limit-npm-5.5.1-3af8247282-445fc5b6bc.zip
+++ b/.yarn/cache/express-rate-limit-npm-5.5.1-3af8247282-445fc5b6bc.zip
--- a/.yarn/cache/forwarded-npm-0.2.0-6473dabe35-1e84548d8f.zip
+++ b/.yarn/cache/forwarded-npm-0.2.0-6473dabe35-1e84548d8f.zip
--- a/.yarn/cache/ipaddr.js-npm-1.9.1-19ae7878b4-de15bc7e63.zip
+++ b/.yarn/cache/ipaddr.js-npm-1.9.1-19ae7878b4-de15bc7e63.zip
--- a/.yarn/cache/ms-npm-2.1.3-81ff3cfac1-6e721e648a.zip
+++ b/.yarn/cache/ms-npm-2.1.3-81ff3cfac1-6e721e648a.zip
--- a/.yarn/cache/proxy-addr-npm-2.0.7-dae6552872-ad78682246.zip
+++ b/.yarn/cache/proxy-addr-npm-2.0.7-dae6552872-ad78682246.zip
--- a/.yarn/cache/safe-buffer-npm-5.2.1-3481c8aa9b-0bb57f0d8f.zip
+++ b/.yarn/cache/safe-buffer-npm-5.2.1-3481c8aa9b-0bb57f0d8f.zip
--- a/.yarn/cache/send-npm-0.17.2-73a3dbeba6-b47bfc0b79.zip
+++ b/.yarn/cache/send-npm-0.17.2-73a3dbeba6-b47bfc0b79.zip
--- a/.yarn/cache/serve-static-npm-1.14.2-3ce50bb5ff-5a38fdf841.zip
+++ b/.yarn/cache/serve-static-npm-1.14.2-3ce50bb5ff-5a38fdf841.zip
--- a/conf/default.yaml
+++ b/conf/default.yaml
@ -21,6 +21,9 @@ web:
  # darkMode: true
  # logo: http://somedomain/somelogo.png
  # favicon: http://somedomain/favicon.ico | /path/favicon.ico
+  # rateLimit:
+  #   windowMs: 1000
+  #   max: 10000

 # translate your registry, api i18n not available yet
 # i18n:
@ -75,7 +78,6 @@ middlewares:

 # log settings
 logs: { type: stdout, format: pretty, level: http }
-
 #experiments:
 #  # support for npm token command
 #  token: false
--- a/conf/docker.yaml
+++ b/conf/docker.yaml
@ -26,6 +26,9 @@ web:
  # darkMode: true
  # logo: http://somedomain/somelogo.png
  # favicon: http://somedomain/favicon.ico | /path/favicon.ico
+  # rateLimit:
+  #   windowMs: 1000
+  #   max: 10000

 # translate your registry, api i18n not available yet
 # i18n:
@ -80,7 +83,6 @@ middlewares:

 # log settings
 logs: { type: stdout, format: pretty, level: http }
-
 #experiments:
 #  # support for npm token command
 #  token: false
--- a/package.json
+++ b/package.json
@ -34,8 +34,9 @@
    "debug": "^4.3.2",
    "envinfo": "7.8.1",
    "eslint-import-resolver-node": "0.3.4",
-    "express": "4.17.1",
-    "fast-safe-stringify": "^2.0.8",
+    "express": "4.17.2",
+    "express-rate-limit": "5.5.1",
+    "fast-safe-stringify": "2.0.8",
    "handlebars": "4.7.7",
    "http-errors": "1.8.1",
    "js-yaml": "4.1.0",
@ -88,7 +89,9 @@
    "@commitlint/config-conventional": "12.1.4",
    "@octokit/rest": "18.6.0",
    "@types/async": "3.2.9",
-    "@types/express": "4.17.6",
+    "@types/express": "4.17.11",
+    "@types/express-rate-limit": "5.1.3",
+    "@types/express-serve-static-core": "4.17.19",
    "@types/http-errors": "1.8.1",
    "@types/jest": "26.0.14",
    "@types/lodash": "4.14.167",
@ -189,6 +192,9 @@
    "*.{js,jsx,ts,tsx,json,yml,yaml,md}": "prettier --write",
    "*.{js,ts,tsx}": "eslint --fix  -c ./eslintrc.js"
  },
+  "resolutions": {
+    "@types/serve-static": "1.13.9"
+  },
  "collective": {
    "type": "opencollective",
    "url": "https://opencollective.com/verdaccio",
--- a/src/api/web/endpoint/user.ts
+++ b/src/api/web/endpoint/user.ts
@ -1,11 +1,10 @@
 /**
 * @prettier
- * @flow
 */
-
 import _ from 'lodash';
+import RateLimit from 'express-rate-limit';

-import { Router, Response, Request } from 'express';
+import express, { Router, Response, Request } from 'express';
 import { Config, RemoteUser, JWTSignOptions } from '@verdaccio/types';
 import { API_ERROR, APP_ERROR, HEADERS, HTTP_STATUS } from '../../../lib/constants';
 import { IAuth, $NextFunctionVer } from '../../../../types';
@ -13,6 +12,18 @@ import { ErrorCode } from '../../../lib/utils';
 import { getSecurity, validatePassword } from '../../../lib/auth-utils';

 function addUserAuthApi(route: Router, auth: IAuth, config: Config): void {
+  /* eslint new-cap:off */
+  const userRouter = express.Router();
+
+  // we limit max 100 request per 15 minutes on user endpoints
+  // @ts-ignore
+  const limiter = new RateLimit({
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: 100,
+    // @ts-ignore
+    ...config?.web?.rateLimit,
+  });
+  route.use(limiter);
  route.post('/login', function (req: Request, res: Response, next: $NextFunctionVer): void {
    const { username, password } = req.body;

@ -58,6 +69,8 @@ function addUserAuthApi(route: Router, auth: IAuth, config: Config): void {
      return next(ErrorCode.getCode(HTTP_STATUS.BAD_REQUEST, APP_ERROR.PASSWORD_VALIDATION));
    }
  });
+
+  route.use(userRouter);
 }

 export default addUserAuthApi;
--- a/src/api/web/index.ts
+++ b/src/api/web/index.ts
@ -4,6 +4,7 @@ import _ from 'lodash';

 import express from 'express';
 import buildDebug from 'debug';
+import RateLimit from 'express-rate-limit';

 import Search from '../../lib/search';
 import { HTTP_STATUS } from '../../lib/constants';
@ -60,6 +61,16 @@ export default function (config, auth, storage) {

  /* eslint new-cap:off */
  const router = express.Router();
+  // limit 5k request on web peer 2 minutes is enough for a medium size company
+  // @ts-ignore
+  const limiter = new RateLimit({
+    windowMs: 2 * 60 * 1000, // 2  minutes
+    max: 5000, // limit each IP to 1000 requests per windowMs
+    ...config?.web?.rateLimit,
+  });
+  // run in production mode by default, just in case
+  // it shouldn't make any difference anyway
+  router.use(limiter);
  router.use(auth.webUIJWTmiddleware());
  router.use(setSecurityWebHeaders);

--- a/test/unit/modules/web/api.web.spec.ts
+++ b/test/unit/modules/web/api.web.spec.ts
@ -211,12 +211,10 @@ describe('endpoint web unit test', () => {
        test('should fails on log unvalid user', (done) => {
          request(app)
            .post('/-/verdaccio/login')
-            .send(
-              JSON.stringify({
-                username: 'fake',
-                password: 'fake',
-              })
-            )
+            .send({
+              username: 'fake',
+              password: 'fake',
+            })
            // FIXME: there should be 401
            .expect(HTTP_STATUS.OK)
            .end(function (err, res) {
--- a/test/unit/partials/config/yaml/api.spec.yaml
+++ b/test/unit/partials/config/yaml/api.spec.yaml
@ -1,4 +1,9 @@
 storage: ./storage_default_storage
+web:
+  title: Verdaccio
+  rateLimit:
+    windowMs: 5000000
+    max: 100000
 uplinks:
  npmjs:
    url: http://localhost:4873/
@ -80,11 +85,11 @@ packages:
    access: $all
    publish: $all
    proxy: npmjs
-  # forbidden for search endpoint test package  
+  # forbidden for search endpoint test package
  'react*':
    access: non_existing_user
    publish: $all
-    proxy: npmjs  
+    proxy: npmjs
  '*':
    access: $all
    publish: $all
--- a/test/unit/partials/config/yaml/api.web.spec.yaml
+++ b/test/unit/partials/config/yaml/api.web.spec.yaml
@ -1,4 +1,9 @@
 storage: ./storage_default_storage
+web:
+  title: Verdaccio
+  rateLimit:
+    windowMs: 5000000
+    max: 100000
 uplinks:
  npmjs:
    url: http://localhost:4873/
--- a/test/unit/partials/config/yaml/default.yaml
+++ b/test/unit/partials/config/yaml/default.yaml
@ -1,5 +1,9 @@
 storage: ./storage_default_storage
-
+web:
+  title: Verdaccio
+  rateLimit:
+    windowMs: 5000000
+    max: 100000
 uplinks:
  npmjs:
    url: http://localhost:4873/
--- a/test/unit/partials/config/yaml/profile/profile.yaml
+++ b/test/unit/partials/config/yaml/profile/profile.yaml
@ -3,6 +3,9 @@ plugins: ./plugins

 web:
  title: Verdaccio
+  rateLimit:
+    windowMs: 5000000
+    max: 100000

 auth:
  htpasswd:
--- a/yarn.lock
+++ b/yarn.lock
@ -2892,26 +2892,58 @@ __metadata:
  languageName: node
  linkType: hard

-"@types/express-serve-static-core@npm:*":
-  version: 4.17.13
-  resolution: "@types/express-serve-static-core@npm:4.17.13"
+"@types/express-rate-limit@npm:5.1.3":
+  version: 5.1.3
+  resolution: "@types/express-rate-limit@npm:5.1.3"
+  dependencies:
+    "@types/express": "*"
+  checksum: 4b9d7d7bbb226fa4fd2bb5b586dd834effebe64ee89c82b92c509977ba2fc52f0d3155c0b8009ebd7830fc916752e13344107a82e832ac0d7a65cff17630c615
+  languageName: node
+  linkType: hard
+
+"@types/express-serve-static-core@npm:4.17.19":
+  version: 4.17.19
+  resolution: "@types/express-serve-static-core@npm:4.17.19"
  dependencies:
    "@types/node": "*"
    "@types/qs": "*"
    "@types/range-parser": "*"
-  checksum: 6db6f2e0ebadcb3492b97fc76e66bc49c44385c8c1a6c7df75f7bce5fdade53061393cc3271b9183137d9877df03dd45dc42f4e0ec2d89f8ad5479341da302f0
+  checksum: b6c8c357c5d093303c681616b7a80d6a044b47c4161a3459c65e451137832b29a485a8f8708414205f427dade6b4ff5ef799d51715d12f92da3468cf41a2cf06
  languageName: node
  linkType: hard

-"@types/express@npm:4.17.6":
-  version: 4.17.6
-  resolution: "@types/express@npm:4.17.6"
+"@types/express-serve-static-core@npm:^4.17.18":
+  version: 4.17.26
+  resolution: "@types/express-serve-static-core@npm:4.17.26"
+  dependencies:
+    "@types/node": "*"
+    "@types/qs": "*"
+    "@types/range-parser": "*"
+  checksum: 0026cc244f59f45f14f7f274d2b6c432be2fa34661de68c6286a1c6f56dadc3725bf86e7dcdca9b8d827ba25f04c0a5263138264d556c6f2f617633b30776d16
+  languageName: node
+  linkType: hard
+
+"@types/express@npm:*":
+  version: 4.17.13
+  resolution: "@types/express@npm:4.17.13"
  dependencies:
    "@types/body-parser": "*"
-    "@types/express-serve-static-core": "*"
+    "@types/express-serve-static-core": ^4.17.18
    "@types/qs": "*"
    "@types/serve-static": "*"
-  checksum: 45e31c66a048bfb8ddfb28f9c7f448f89eb8667132dc13f0e35397d5e4df05796f920a114bb774ba910bb3795a18d17a3ea8ae6aaf4d0d2e6b6c5622866f21d0
+  checksum: 9f17da703df21e3f1cee2fe1864b9fcac2ab07c37382b972a194a3a484b41c1fbe4022b6cfe546f0171fd2d93b324dd3839512494f4cba639c2afa021e6dbb12
+  languageName: node
+  linkType: hard
+
+"@types/express@npm:4.17.11":
+  version: 4.17.11
+  resolution: "@types/express@npm:4.17.11"
+  dependencies:
+    "@types/body-parser": "*"
+    "@types/express-serve-static-core": ^4.17.18
+    "@types/qs": "*"
+    "@types/serve-static": "*"
+  checksum: 2818120a0fd8b7982215864929cdc6cd14942dd44849f93054fe2a90b4233dff67aadc34c73b5937922a02c688b0263d00a4807aa2e59307ac859a1458d73669
  languageName: node
  linkType: hard

@ -2997,13 +3029,6 @@ __metadata:
  languageName: node
  linkType: hard

-"@types/mime@npm:*":
-  version: 2.0.1
-  resolution: "@types/mime@npm:2.0.1"
-  checksum: 61a328979fb59648d4bcd557050f6270f3afd50602829e9fd182d70129cbd2ff057f36dd6db4be9b01e0f1c6463784efc854ed4bbe99075017483680865d1977
-  languageName: node
-  linkType: hard
-
 "@types/mime@npm:2.0.3":
  version: 2.0.3
  resolution: "@types/mime@npm:2.0.3"
@ -3011,6 +3036,13 @@ __metadata:
  languageName: node
  linkType: hard

+"@types/mime@npm:^1":
+  version: 1.3.2
+  resolution: "@types/mime@npm:1.3.2"
+  checksum: c354bc135628c2f4ab64801ca3867c3acbd4050611579c4c9f5bdfecfb70db71bb8540bf8611b4319f5ef44139c5f7c5af81254369add5ed59e7e02ce929b96f
+  languageName: node
+  linkType: hard
+
 "@types/minimatch@npm:3.0.3":
  version: 3.0.3
  resolution: "@types/minimatch@npm:3.0.3"
@ -3123,13 +3155,13 @@ __metadata:
  languageName: node
  linkType: hard

-"@types/serve-static@npm:*":
-  version: 1.13.5
-  resolution: "@types/serve-static@npm:1.13.5"
+"@types/serve-static@npm:1.13.9":
+  version: 1.13.9
+  resolution: "@types/serve-static@npm:1.13.9"
  dependencies:
-    "@types/express-serve-static-core": "*"
-    "@types/mime": "*"
-  checksum: 1d4e222e240ff6ed0aa41cd3997fefb53b4f2fbe8f16d20055174662dda1361c7409dfb40ad8e2f355316f80edcd701e0f3ff6298abe35e0b88d9b62903acd18
+    "@types/mime": ^1
+    "@types/node": "*"
+  checksum: f261127514057b5c038d76259128d7b765dd92bfeaf769d05b8ddf5f254d066ce6142a935e2fc707bb3009d6544a979591852f0d135d0ed4d0c56db08738df6b
  languageName: node
  linkType: hard

@ -5092,6 +5124,15 @@ __metadata:
  languageName: node
  linkType: hard

+"content-disposition@npm:0.5.4":
+  version: 0.5.4
+  resolution: "content-disposition@npm:0.5.4"
+  dependencies:
+    safe-buffer: 5.2.1
+  checksum: 44169dbbfd5f1d48cc0cf27b1196b0da485c7d2d4b22c3c20a75babbbdd2bc6028b7afa66a9f2e2a4b14cab8506823cca227cc63e7297e17b9e9b1c00593f6db
+  languageName: node
+  linkType: hard
+
 "content-type@npm:~1.0.4":
  version: 1.0.4
  resolution: "content-type@npm:1.0.4"
@ -5365,6 +5406,13 @@ __metadata:
  languageName: node
  linkType: hard

+"cookie@npm:0.4.1":
+  version: 0.4.1
+  resolution: "cookie@npm:0.4.1"
+  checksum: b8e0928e3e7aba013087974b33a6eec730b0a68b7ec00fc3c089a56ba2883bcf671252fc2ed64775aa1ca64796b6e1f6fdddba25a66808aef77614d235fd3e06
+  languageName: node
+  linkType: hard
+
 "cookiejar@npm:^2.1.2":
  version: 2.1.2
  resolution: "cookiejar@npm:2.1.2"
@ -6747,6 +6795,13 @@ __metadata:
  languageName: node
  linkType: hard

+"express-rate-limit@npm:5.5.1":
+  version: 5.5.1
+  resolution: "express-rate-limit@npm:5.5.1"
+  checksum: 445fc5b6bcd143fcaa3c10ab90ae9f82bb0e691d025a11d16332c32e12f03273fed35a344ee340a92060fc21069c221075c0974cefa3313f89025e77deb68d7d
+  languageName: node
+  linkType: hard
+
 "express@npm:4.17.1":
  version: 4.17.1
  resolution: "express@npm:4.17.1"
@ -6785,6 +6840,44 @@ __metadata:
  languageName: node
  linkType: hard

+"express@npm:4.17.2":
+  version: 4.17.2
+  resolution: "express@npm:4.17.2"
+  dependencies:
+    accepts: ~1.3.7
+    array-flatten: 1.1.1
+    body-parser: 1.19.1
+    content-disposition: 0.5.4
+    content-type: ~1.0.4
+    cookie: 0.4.1
+    cookie-signature: 1.0.6
+    debug: 2.6.9
+    depd: ~1.1.2
+    encodeurl: ~1.0.2
+    escape-html: ~1.0.3
+    etag: ~1.8.1
+    finalhandler: ~1.1.2
+    fresh: 0.5.2
+    merge-descriptors: 1.0.1
+    methods: ~1.1.2
+    on-finished: ~2.3.0
+    parseurl: ~1.3.3
+    path-to-regexp: 0.1.7
+    proxy-addr: ~2.0.7
+    qs: 6.9.6
+    range-parser: ~1.2.1
+    safe-buffer: 5.2.1
+    send: 0.17.2
+    serve-static: 1.14.2
+    setprototypeof: 1.2.0
+    statuses: ~1.5.0
+    type-is: ~1.6.18
+    utils-merge: 1.0.1
+    vary: ~1.1.2
+  checksum: dc1fdb3f852bca4f0b1274b96d54dfe6fcffb6cba45015f6d324edfb7862cf7c381b363a1acf53dd3a2686f797f44fe1e2b2a806bb5c8898e50a20481c010619
+  languageName: node
+  linkType: hard
+
 "ext@npm:^1.1.2":
  version: 1.4.0
  resolution: "ext@npm:1.4.0"
@ -6934,6 +7027,13 @@ __metadata:
  languageName: node
  linkType: hard

+"fast-safe-stringify@npm:2.0.8, fast-safe-stringify@npm:^2.0.8":
+  version: 2.0.8
+  resolution: "fast-safe-stringify@npm:2.0.8"
+  checksum: 2198ef6c4917ac6ad7a3cff8b80abc2762c89a0c700548459288fce45598a2488c0ae393cd456b4212a8259fed9d1630303106efe4ae3b1c35dab2fb66526cdd
+  languageName: node
+  linkType: hard
+
 "fast-safe-stringify@npm:^2.0.7":
  version: 2.0.7
  resolution: "fast-safe-stringify@npm:2.0.7"
@ -6941,13 +7041,6 @@ __metadata:
  languageName: node
  linkType: hard

-"fast-safe-stringify@npm:^2.0.8":
-  version: 2.0.8
-  resolution: "fast-safe-stringify@npm:2.0.8"
-  checksum: 2198ef6c4917ac6ad7a3cff8b80abc2762c89a0c700548459288fce45598a2488c0ae393cd456b4212a8259fed9d1630303106efe4ae3b1c35dab2fb66526cdd
-  languageName: node
-  linkType: hard
-
 "fastify-warning@npm:^0.2.0":
  version: 0.2.0
  resolution: "fastify-warning@npm:0.2.0"
@ -7184,6 +7277,13 @@ __metadata:
  languageName: node
  linkType: hard

+"forwarded@npm:0.2.0":
+  version: 0.2.0
+  resolution: "forwarded@npm:0.2.0"
+  checksum: 1e84548d8ffb072d7edd4c5375ce71e2631c28efcd1084c4578f1a71dd6c4b0d58a6ddcdc923514766030cf38068258971a919e91ffa472460ec0f6dac7209ea
+  languageName: node
+  linkType: hard
+
 "forwarded@npm:~0.1.2":
  version: 0.1.2
  resolution: "forwarded@npm:0.1.2"
@ -8129,6 +8229,13 @@ fsevents@~2.1.2:
  languageName: node
  linkType: hard

+"ipaddr.js@npm:1.9.1":
+  version: 1.9.1
+  resolution: "ipaddr.js@npm:1.9.1"
+  checksum: de15bc7e63973d960abc43c9fbbf19589c726774f59d157d1b29382a1e86ae87c68cbd8b5c78a1712a87fc4fcd91e10762c7671950c66a1a19040ff4fd2f9c9b
+  languageName: node
+  linkType: hard
+
 "is-accessor-descriptor@npm:^0.1.6":
  version: 0.1.6
  resolution: "is-accessor-descriptor@npm:0.1.6"
@ -10357,6 +10464,13 @@ fsevents@~2.1.2:
  languageName: node
  linkType: hard

+"ms@npm:2.1.3":
+  version: 2.1.3
+  resolution: "ms@npm:2.1.3"
+  checksum: 6e721e648a544154d5de4c114b32f573d8027ca8ec505cf6c1105e505986d6ac46934a1256735aa0eece8eb2f5b2a1230503b2dddd3b100f9f016fd8a4f15f33
+  languageName: node
+  linkType: hard
+
 "mute-stream@npm:0.0.8":
  version: 0.0.8
  resolution: "mute-stream@npm:0.0.8"
@ -11502,6 +11616,16 @@ fsevents@~2.1.2:
  languageName: node
  linkType: hard

+"proxy-addr@npm:~2.0.7":
+  version: 2.0.7
+  resolution: "proxy-addr@npm:2.0.7"
+  dependencies:
+    forwarded: 0.2.0
+    ipaddr.js: 1.9.1
+  checksum: ad78682246dc20ed6ca4080539349828bc2708cf0b69c55d6a3c41532780a8d05f563dcbac6ec4b74dce367421bff6fc4bc6b700b14319ecf57c93bd62727fc6
+  languageName: node
+  linkType: hard
+
 "proxy-from-env@npm:^1.0.0":
  version: 1.0.0
  resolution: "proxy-from-env@npm:1.0.0"
@ -12287,6 +12411,13 @@ fsevents@~2.1.2:
  languageName: node
  linkType: hard

+"safe-buffer@npm:5.2.1":
+  version: 5.2.1
+  resolution: "safe-buffer@npm:5.2.1"
+  checksum: 0bb57f0d8f9d1fa4fe35ad8a2db1f83a027d48f2822d59ede88fd5cd4ddad83c0b497213feb7a70fbf90597a70c5217f735b0eb1850df40ce9b4ae81dd22b3f9
+  languageName: node
+  linkType: hard
+
 "safe-buffer@npm:^5.0.1, safe-buffer@npm:^5.1.2":
  version: 5.2.0
  resolution: "safe-buffer@npm:5.2.0"
@ -12462,6 +12593,27 @@ fsevents@~2.1.2:
  languageName: node
  linkType: hard

+"send@npm:0.17.2":
+  version: 0.17.2
+  resolution: "send@npm:0.17.2"
+  dependencies:
+    debug: 2.6.9
+    depd: ~1.1.2
+    destroy: ~1.0.4
+    encodeurl: ~1.0.2
+    escape-html: ~1.0.3
+    etag: ~1.8.1
+    fresh: 0.5.2
+    http-errors: 1.8.1
+    mime: 1.6.0
+    ms: 2.1.3
+    on-finished: ~2.3.0
+    range-parser: ~1.2.1
+    statuses: ~1.5.0
+  checksum: b47bfc0b79cff5930616222cb0794967ec5dd71ea97a6c43870de15155e3e7d4f4147790bcdd0d98444da94bafbccf701b14cdba8f22daf4484526cf028d9451
+  languageName: node
+  linkType: hard
+
 "serve-static@npm:1.14.1":
  version: 1.14.1
  resolution: "serve-static@npm:1.14.1"
@ -12474,6 +12626,18 @@ fsevents@~2.1.2:
  languageName: node
  linkType: hard

+"serve-static@npm:1.14.2":
+  version: 1.14.2
+  resolution: "serve-static@npm:1.14.2"
+  dependencies:
+    encodeurl: ~1.0.2
+    escape-html: ~1.0.3
+    parseurl: ~1.3.3
+    send: 0.17.2
+  checksum: 5a38fdf841ceb30ad63ef26dace35805c0813fe9864a76f66cf5469018638c64aa182558d26f6210f4ba27d6c99d3307bf9427e6b842d81e0705bc57efb39a0b
+  languageName: node
+  linkType: hard
+
 "set-blocking@npm:^2.0.0, set-blocking@npm:~2.0.0":
  version: 2.0.0
  resolution: "set-blocking@npm:2.0.0"
@ -14039,7 +14203,9 @@ typescript@4.1.3:
    "@commitlint/config-conventional": 12.1.4
    "@octokit/rest": 18.6.0
    "@types/async": 3.2.9
-    "@types/express": 4.17.6
+    "@types/express": 4.17.11
+    "@types/express-rate-limit": 5.1.3
+    "@types/express-serve-static-core": 4.17.19
    "@types/http-errors": 1.8.1
    "@types/jest": 26.0.14
    "@types/lodash": 4.14.167
@ -14084,8 +14250,9 @@ typescript@4.1.3:
    eslint-plugin-jest: 24.3.6
    eslint-plugin-simple-import-sort: 7.0.0
    eslint-plugin-verdaccio: 9.6.1
-    express: 4.17.1
-    fast-safe-stringify: ^2.0.8
+    express: 4.17.2
+    express-rate-limit: 5.5.1
+    fast-safe-stringify: 2.0.8
    fs-extra: 10.0.0
    handlebars: 4.7.7
    http-errors: 1.8.1