Merge pull request #1007 from AikidoSec/add-retry-after-header-hono

Set Retry-After header in middleware

Author: hansott

docs/generic-middleware.md

@@ -32,7 +32,8 @@ function onRequest(...) {
           message += ` (Your IP: ${result.ip})`;
         }
 
-        // Block the request and send a http 429 status code
+        // Return a 429 response with a Retry-After header, e.g.:
+        // res.setHeader("Retry-After", result.retryAfterSeconds.toString());
         return ...;
       }
 

library/middleware/express.ts

@@ -19,7 +19,11 @@ export function addExpressMiddleware(app: Express | Router) {
           message += ` (Your IP: ${escapeHTML(result.ip)})`;
         }
 
-        res.status(429).type("text").send(message);
+        res
+          .status(429)
+          .type("text")
+          .header("Retry-After", result.retryAfterSeconds.toString())
+          .send(message);
         return;
       }
 

library/middleware/fastify.ts

@@ -5,6 +5,7 @@ import type { FastifyInstance } from "fastify";
 
 export type FastifyReply = {
   status(code: number): FastifyReply;
+  header(key: string, value: string): FastifyReply;
   send(payload: string): FastifyReply;
 };
 
@@ -41,7 +42,10 @@ export const fastifyHook: FastifyHookHandler = (_, reply, done) => {
         message += ` (Your IP: ${escapeHTML(result.ip)})`;
       }
 
-      return reply.status(429).send(message);
+      return reply
+        .status(429)
+        .header("Retry-After", result.retryAfterSeconds.toString())
+        .send(message);
     }
 
     if (result.type === "blocked") {

library/middleware/hapi.ts

@@ -18,7 +18,11 @@ export function addHapiMiddleware(app: Server) {
           message += ` (Your IP: ${escapeHTML(result.ip)})`;
         }
 
-        return h.response(message).code(429).takeover();
+        return h
+          .response(message)
+          .code(429)
+          .header("Retry-After", result.retryAfterSeconds.toString())
+          .takeover();
       }
 
       if (result.type === "blocked") {

library/middleware/hono.ts

@@ -23,7 +23,9 @@ export function addHonoMiddleware<
           message += ` (Your IP: ${escapeHTML(result.ip)})`;
         }
 
-        return c.text(message, 429);
+        return c.text(message, 429, {
+          "Retry-After": result.retryAfterSeconds.toString(),
+        });
       }
 
       if (result.type === "blocked") {

library/middleware/koa.ts

@@ -22,6 +22,7 @@ export function addKoaMiddleware(app: Application): void {
         ctx.type = "text/plain";
         ctx.body = message;
         ctx.status = 429;
+        ctx.set("Retry-After", result.retryAfterSeconds.toString());
         return;
       }
 

library/middleware/restify.ts

@@ -19,6 +19,7 @@ export function addRestifyMiddleware(server: any) {
 
         res.status(429);
         res.setHeader("Content-Type", "text/plain");
+        res.setHeader("Retry-After", result.retryAfterSeconds.toString());
         res.send(message);
 
         return next(false);

library/middleware/shouldBlockRequest.ts

@@ -4,12 +4,20 @@ import { getInstance } from "../agent/AgentSingleton";
 import { getContext, updateContext } from "../agent/Context";
 import { shouldRateLimitRequest } from "../ratelimiting/shouldRateLimitRequest";
 
-type Result = {
-  block: boolean;
-  type?: "ratelimited" | "blocked";
-  trigger?: "ip" | "user" | "group";
-  ip?: string;
-};
+type Result =
+  | { block: false }
+  | {
+      block: true;
+      type: "ratelimited";
+      trigger: "ip" | "user" | "group";
+      ip?: string;
+      retryAfterSeconds: number;
+    }
+  | {
+      block: true;
+      type: "blocked";
+      trigger: "user";
+    };
 
 export function shouldBlockRequest(): Result {
   const context = getContext();
@@ -49,6 +57,7 @@ export function shouldBlockRequest(): Result {
       type: "ratelimited",
       trigger: rateLimitResult.trigger,
       ip: context.remoteAddress,
+      retryAfterSeconds: rateLimitResult.retryAfterSeconds,
     };
   }