Api Rate Abuse in Feathersjs with Cockroachdb

Rate abuse in a FeathersJS service backed by CockroachDB can manifest as excessive queries, writes, or connections that overload the database and degrade availability. FeathersJS is a framework that can expose CRUD-style endpoints with minimal configuration; without explicit rate controls, an unauthenticated or weakly authenticated endpoint can be called repeatedly, leading to high request volume directed at the CockroachDB cluster. CockroachDB, while resilient and distributed, still experiences resource contention under sustained high load, including increased latency, connection saturation, and potential hotspots on specific ranges.

The exposure arises from several factors. First, FeathersJS hooks and services may perform multiple database operations per request (e.g., lookups, joins via relations, or transactions), multiplying the load from a single API call. Second, if the service relies on unauthenticated or token-light access for public endpoints, rate limiting may be absent or misconfigured, allowing attackers to probe endpoints such as /users or /posts at scale. Third, CockroachDB’s SQL layer must parse, plan, and execute each query; without request throttling, a burst of queries can consume significant CPU and I/O, impacting latency for legitimate traffic. Common attack patterns include rapid creation of records to exhaust row quotas, repeated queries that trigger heavy index scans, and connection flooding that stresses the database’s connection pool.

Real-world examples align with known OWASP API Top 10 risks such as API4:2023 — Improper Resource Consumption, where rate abuse leads to denial-of-service conditions. In a FeathersJS service using the feathers-sequelize or feathers-knex adapter with CockroachDB, an unchecked find call without pagination or query constraints can return large result sets, amplifying data transfer and processing overhead. Similarly, an unprotected create endpoint can be spammed to inject millions of rows, causing storage growth and transaction contention. Attackers may also chain requests to exploit timing differences, inferring existence of resources through response times or error patterns.

Because FeathersJS can auto-generate routes based on service definitions, developers might assume default security posture, but rate limiting must be explicitly added. MiddleBrick’s scans detect missing rate limiting by observing inconsistent behavior under controlled request bursts and analyzing whether responses include rate limit headers or HTTP 429 status. The scanner checks whether the service applies throttling at the framework level or via infrastructure controls, and whether CockroachDB interactions include safeguards such as request timeouts and sensible query limits.

To mitigate, combine FeathersJS-side controls with CockroachDB-aware strategies. Use framework-level rate limiters that track identifiers such as IP or API key over sliding windows, and enforce query caps like maximum page size. Ensure database drivers use prepared statements and connection pooling with sensible limits, and set statement timeouts to prevent long-running queries from monopolizing resources. Monitoring query latency and error rates per endpoint helps identify abuse patterns early, allowing targeted tuning of limits without disrupting legitimate traffic.

Remediation focuses on adding explicit rate limiting and query constraints within FeathersJS services while tailoring database interactions for CockroachDB’s strengths. The following examples assume a FeathersJS service using feathers-knex with a CockroachDB connection string. The goal is to reduce per-request load on the database and prevent abusive call patterns.

Rate Limiter Setup

Use a token bucket or sliding window store to limit requests per key. Below is a minimal in-memory store for development; in production, use Redis or an external store to share limits across nodes.

const rateLimit = require('feathers-rate-limit');
const MemoryStore = require('feathers-rate-limit-memory');

const apiRateLimiter = rateLimit({
  store: new MemoryStore({ interval: 60 * 1000 }), // 1 minute window
  path: 'identifier', // e.g., 'ip' or 'token'
  limit: 60, // max 60 requests per window
  handler: { message: 'Too many requests, please try again later.' }
});

app.configure(apiRateLimiter);

Apply the limiter selectively to high-risk services:

app.use('/public-posts', postsService, { before: [ apiRateLimiter ] });

Service Configuration with Query Constraints

Configure the FeathersJS service to enforce pagination and limit returned fields, reducing query and network load on CockroachDB.

const { Service } = require('feathers-knex');
const knex = require('./knex-db'); // configured CockroachDB knex instance

class PostService extends Service {
  async find(params) {
    // Enforce pagination and cap page size to protect the DB
    const pagination = params.pagination || {};
    pagination.page = Math.max(1, parseInt(pagination.page) || 1);
    pagination.perPage = Math.min(50, parseInt(pagination.perPage) || 10); // cap per page

    params.query = params.query || {};
    params.query.$limit = pagination.perPage;
    params.query.$skip = (pagination.page - 1) * pagination.perPage;

    // Limit selected columns to avoid heavy scans
    if (!params.query.$select) {
      params.query.$select = ['id', 'title', 'createdAt'];
    }

    return super.find(params);
  }
}

CockroachDB Knex Configuration

Set statement timeouts and use prepared statements to avoid long-running or runaway queries.

const knex = require('knex')({
  client: 'pgcouchbase', // note: use 'pg' with CockroachDB; 'pgcouchbase' is illustrative
  connection: {
    host: 'cockroachdb-host',
    port: 26257,
    user: 'app_user',
    password: 'secure_password',
    database: 'app_db',
    ssl: {
      rejectUnauthorized: false // adjust per your TLS setup
    }
  },
  pool: {
    min: 2,
    max: 10, // limit connections to avoid CockroachDB connection saturation
    afterCreate: (conn, done) => {
      // Set session-level statement timeout per connection
      conn.query('SET statement_timeout = 5000', (err) => done(err, conn));
    }
  },
  acquireConnectionTimeout: 30000,
  removeEventListeners: true
});

module.exports = knex;

With these settings, each query will cancel if it exceeds 5 seconds, preventing hung requests from consuming CockroachDB resources. Combine this with FeathersJS hooks to validate and sanitize query parameters, avoiding unbounded queries that could trigger full table scans.