Uses in-memory rate limiting for both session and IP. Setup is simple, and it provides basic protection from abuse. In-memory counters are local to each running instance; Upstash configuration is now supported for distributed rate limiting.

```sh
npm install @daveyplate/next-rate-limit
```

Default limits are 30 requests per session within 10 seconds, and 120 requests per IP within 10 seconds.

```js
export function rateLimit({
    request,
    response,
    sessionLimit = 30,   // requests per session per window
    ipLimit = 120,       // requests per IP per window
    sessionWindow = 10,  // seconds
    ipWindow = 10,       // seconds
    upstash = {
        enabled: false,
        url: process.env.UPSTASH_REDIS_REST_URL,
        token: '',
        analytics: false
    }
})
```

middleware.js

```js
import { NextResponse } from 'next/server'
import { rateLimit } from '@daveyplate/next-rate-limit'

export async function middleware(request) {
    const response = NextResponse.next()

    // rateLimit returns the response to send back for this request
    return await rateLimit({ request, response })
}

// Apply middleware to all API routes
export const config = {
    matcher: '/api/:path*'
}
```

To enable Upstash, you can configure it using environment variables or by passing the configuration directly.

Set the following environment variables in your .env file:

```
UPSTASH_REDIS_REST_URL=<your_upstash_redis_rest_url>
UPSTASH_REDIS_REST_TOKEN=<your_upstash_redis_rest_token>
```

You can also pass the Upstash configuration directly when calling rateLimit:

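```js
import { NextResponse } from 'next/server'
import { rateLimit } from '@daveyplate/next-rate-limit'

export async function middleware(request) {
    const response = NextResponse.next()
    // Pass the Upstash settings explicitly instead of reading them from the environment
    const rateLimitResponse = await rateLimit({
        request,
        response,
        upstash: {
            enabled: true,
            url: '<your_upstash_redis_rest_url>',
            token: '<your_upstash_redis_rest_token>',
            analytics: true
        }
    })
    return rateLimitResponse
}
```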
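
Why the distributed option matters once the app runs as more than one instance, as an added example that is not the package's own code. It assumes a simple fixed-window counter (the package's actual algorithm is not stated here); `FixedWindowLimiter`, `simulate` and the sample IP are hypothetical names and constructed values, and a shared `Map` stands in for Redis.

```javascript
// Simplified fixed-window counter: "limit" requests per key per window.
class FixedWindowLimiter {
  constructor(limit, windowSeconds, store = new Map()) {
    this.limit = limit
    this.windowMs = windowSeconds * 1000
    this.store = store // key -> { windowStart, count }
  }

  // Returns true if the request is allowed, false if it should be rejected.
  allow(key, nowMs) {
    const entry = this.store.get(key)
    if (!entry || nowMs - entry.windowStart >= this.windowMs) {
      // First request for this key, or the previous window has expired
      this.store.set(key, { windowStart: nowMs, count: 1 })
      return true
    }
    entry.count += 1
    return entry.count <= this.limit
  }
}

const IP_LIMIT = 120 // documented default: 120 requests per IP
const IP_WINDOW = 10 // documented default: within 10 seconds

// Spread `total` requests from one IP round-robin over `instanceCount`
// app instances, 1 ms apart, and count how many are allowed.
// sharedStore = true models a distributed store; false models per-instance memory.
function simulate(instanceCount, sharedStore, total) {
  const common = new Map()
  const instances = []
  for (let i = 0; i < instanceCount; i++) {
    const store = sharedStore ? common : new Map()
    instances.push(new FixedWindowLimiter(IP_LIMIT, IP_WINDOW, store))
  }
  const ip = '203.0.113.7' // constructed sample address (documentation range)
  let allowed = 0
  for (let i = 0; i < total; i++) {
    if (instances[i % instanceCount].allow(ip, i)) allowed++
  }
  return allowed
}

console.log('1 instance, in-memory :', simulate(1, false, 600))
console.log('3 instances, in-memory:', simulate(3, false, 600))
console.log('3 instances, shared   :', simulate(3, true, 600))
```

With per-instance memory the effective ceiling is the configured limit multiplied by the number of instances, which is worth accounting for when sizing `ipLimit` and `sessionLimit` on serverless or multi-replica deployments.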