Banned user can continue making requests after the rate limit duration expires

[AntonyZ89]

Currently, the isRateLimited function enforces a request limit based on a specific time window. If a user exceeds this limit, they should be banned for an additional period before being allowed to make new requests.

Problem:

The current implementation does not correctly check if a user is banned. The isRateLimited function only verifies whether the user has exceeded the request limit within the rate limit period (options.limit.duration).

This leads to unexpected behavior:

When a user exceeds the request limit, they are blocked only until the rate limit duration expires.
After this time, the user can continue making requests, completely ignoring the additional ban period.

Cause of the issue:

The isRateLimited function does not track a banned state. Currently, it only checks if the request count (req.count) exceeds the limit and compares the elapsed time since the last request to options.limit.duration, without considering options.limit.ban.

Attempted Fix:

I tried to solve this issue but couldn't, as it requires adding a new functionality to properly track and enforce the ban period. The current implementation lacks a way to persist and check if a user is banned beyond the rate limit duration.

[rrd108]

Thanks for reporting. I will back to my normal life on 12 March. I will look into this after that.