def82d4d5e
The built-in rate limiter derived its key directly from `req.ip`, which express-rate-limit 8.x rejects with an ERR_ERL_KEY_GEN_IPV6 validation error. A raw IPv6 address used as a rate-limiting key would let a client bypass the limit by rotating through addresses in its allotted block, so the library now requires its `ipKeyGenerator` helper to normalize the address. Wrap the resolved client address in that helper so the limiter starts cleanly and groups IPv6 clients by their address block.

Signed-off-by: Asish Kumar <officialasishkumar@gmail.com>
401 B
@backstage/backend-defaults
| @backstage/backend-defaults |
|---|
| patch |
Fixed the built-in rate limiter throwing a validation error and refusing to start when `backend.rateLimit` is enabled. Requests are now keyed using the address normalization helper from express-rate-limit, which is required by newer versions of that library and ensures IPv6 clients are grouped by their address block rather than by individual address.
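As an added illustration (not code from this commit, from Backstage, or from express-rate-limit), the following shows why a raw IPv6 address is a weak rate-limit key and what keying by address block changes. `normalizeKey` is a hypothetical stand-in for the library's `ipKeyGenerator`, the /56 block size and the IPv4-mapped handling are this example's own choices, and the addresses are constructed documentation-range samples.

```javascript
// Added illustration; normalizeKey() is a hypothetical stand-in for
// express-rate-limit's ipKeyGenerator, not the library's own implementation.

// Expand an IPv6 literal into its eight 16-bit groups, resolving '::' compression.
function ipv6Groups(ip) {
  const [head, tail = ''] = ip.split('::');
  const parse = (s) => (s ? s.split(':').map((g) => parseInt(g, 16)) : []);
  const left = parse(head), right = parse(tail);
  return [...left, ...Array(8 - left.length - right.length).fill(0), ...right];
}

// Rate-limit key: the enclosing /prefixLen block for IPv6, the full address for IPv4.
// A raw IPv6 key is weak because a client usually holds a whole /64 or larger block
// and can rotate addresses inside it, getting a fresh counter on every rotation.
function normalizeKey(ip, prefixLen = 56) {
  if (!ip.includes(':')) return ip;                    // plain IPv4: key as-is
  const mapped = ip.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/i);
  if (mapped) return mapped[1];                        // IPv4-mapped: key by the IPv4 (assumption)
  const groups = ipv6Groups(ip);
  let bits = prefixLen;
  for (let i = 0; i < 8; i++, bits -= 16) {
    const keep = Math.max(0, Math.min(16, bits));      // bits of this group inside the prefix
    groups[i] &= keep === 0 ? 0 : (0xffff << (16 - keep)) & 0xffff;
  }
  return `${groups.map((g) => g.toString(16)).join(':')}/${prefixLen}`;
}

// Minimal in-memory counter with a pluggable key function, standing in for the limiter.
class CounterLimiter {
  constructor(max, keyFn) { this.max = max; this.keyFn = keyFn; this.hits = new Map(); }
  allow(ip) {
    const key = this.keyFn(ip);
    const n = (this.hits.get(key) || 0) + 1;
    this.hits.set(key, n);
    return n <= this.max;
  }
}

// Constructed traffic: one client sends four requests from two /64s in the same /56.
// Keyed by raw address every request passes; keyed by block the fourth is refused.
function demo() {
  const requests = ['2001:db8:abcd:1200::1', '2001:db8:abcd:1200::1',
                    '2001:db8:abcd:12ff::beef', '2001:db8:abcd:12ff::beef'];
  const run = (keyFn) => {
    const limiter = new CounterLimiter(3, keyFn);
    return requests.map((ip) => limiter.allow(ip));
  };
  return { rawAddress: run((ip) => ip), addressBlock: run(normalizeKey) };
}
```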