fix: disable ip rate limit by default

Author: devthejo

charts/no-package-malware/templates/verdaccio-lenient.deployment.yaml

@@ -55,6 +55,8 @@ spec:
               value: {{ $sentinelHost | quote }}
             - name: REDIS_SENTINEL_PORT
               value: {{ printf "%d" (int $sentinelPort) | quote }}
+            - name: VERDACCIO_RATE_LIMIT_IP_ENABLED
+              value: {{ ternary "true" "false" .Values.registry.ipRateLimitEnabled | quote }}
           ports:
             - name: http
               containerPort: {{ .Values.app.ports.verdaccioLenient }}

charts/no-package-malware/templates/verdaccio-strict.deployment.yaml

@@ -55,6 +55,8 @@ spec:
               value: {{ $sentinelHost | quote }}
             - name: REDIS_SENTINEL_PORT
               value: {{ printf "%d" (int $sentinelPort) | quote }}
+            - name: VERDACCIO_RATE_LIMIT_IP_ENABLED
+              value: {{ ternary "true" "false" .Values.registry.ipRateLimitEnabled | quote }}
           ports:
             - name: http
               containerPort: {{ .Values.app.ports.verdaccioStrict }}

charts/no-package-malware/values.yaml

@@ -183,6 +183,13 @@ components:
     replicaCount: 1
     resources: {}
 
+# Registry-specific configuration.
+registry:
+  # When true, anonymous/IP-based HTTP rate limiting is enabled in Verdaccio
+  # via VERDACCIO_RATE_LIMIT_IP_ENABLED. When false (the default), only
+  # authenticated user-based rate limits are applied by the middleware.
+  ipRateLimitEnabled: false
+
 # High-availability settings for stateless services.
 # When enabled, these recommended replica counts override
 # components.*.replicaCount for api, app, and Verdaccio registries.

secure-registry/plugins/verdaccio-rate-limit-middleware/src/index.ts

@@ -89,6 +89,7 @@ class RateLimitMiddleware implements MiddlewarePlugin<any> {
   private readonly redisUrl: string;
   private readonly windowSeconds: number;
   private readonly maxRequests: number;
+  private readonly ipRateLimitEnabled: boolean;
   private redis: Redis | null = null;
   private redisHealthy = true;
 
@@ -112,11 +113,16 @@ class RateLimitMiddleware implements MiddlewarePlugin<any> {
         ? config.maxRequests
         : 400; // 400 requests per 24h by default
 
+    const ipEnv = process.env.VERDACCIO_RATE_LIMIT_IP_ENABLED;
+    this.ipRateLimitEnabled =
+      ipEnv === '1' || (ipEnv !== undefined && ipEnv.toLowerCase() === 'true');
+
     this.logger.debug(
       {
         redisUrl: this.redisUrl,
         windowSeconds: this.windowSeconds,
-        maxRequests: this.maxRequests
+        maxRequests: this.maxRequests,
+        ipRateLimitEnabled: this.ipRateLimitEnabled
       },
       'rate-limit-middleware initialized'
     );
@@ -164,6 +170,11 @@ class RateLimitMiddleware implements MiddlewarePlugin<any> {
       return `user:${req.remote_user.name}`;
     }
 
+    // IP-based rate limiting can be disabled via VERDACCIO_RATE_LIMIT_IP_ENABLED.
+    if (!this.ipRateLimitEnabled) {
+      return null;
+    }
+
     const fwd = req.headers['x-forwarded-for'];
     if (typeof fwd === 'string' && fwd.length > 0) {
       const first = fwd.split(',')[0].trim();