Api Rate Abuse in Hapi with Cockroachdb
Api Rate Abuse in Hapi with Cockroachdb — how this specific combination creates or exposes the vulnerability
Rate abuse in a Hapi API backed by Cockroachdb can manifest when rate limiting is enforced only in application logic rather than at the infrastructure or API gateway layer. Without a global, distributed rate-limiting mechanism, an attacker can open many concurrent sessions that each open transactions against Cockroachdb, exhausting connection capacity and driving contention on distributed locks. Because Cockroachdb serializes distributed transactions and uses consensus (Raft), high request volumes on hot rows can increase latency and amplify the impact of abusive patterns, leading to timeouts, retries, and degraded availability.
The risk is compounded when endpoints perform multiple read–write cycles within a transaction, or when application-level counters are used without idempotency keys. For example, a /transfer endpoint that first SELECTs balances then UPDATEs rows can be targeted with rapid, small requests that exploit timing windows and transaction retries. Cockroachdb’s strong consistency helps correctness but does not prevent abuse; without request throttling and proper isolation levels, abusive clients can trigger contention-heavy workloads that affect legitimate users. Because middleBrick tests unauthenticated attack surfaces, it can surface endpoints where rate limiting is absent or inconsistent, highlighting the exposure of business logic to volumetric and burst attacks.
When integrating Hapi with Cockroachdb, ensure rate limiting is implemented as a cross-node, shared-state policy. Use fixed-window or sliding-window counters stored in a fast, centralized store that all Hapi instances consult. Avoid relying on in-memory node-local counters, which an attacker can bypass by rotating source IPs. Instrument transaction retries with exponential backoff and idempotency, and prefer lightweight read-only queries outside Cockroachdb transactions where strong consistency is not required. middleBrick’s checks for Rate Limiting and Input Validation, run in parallel with 12 security analyses, can identify missing or inconsistent enforcement, providing severity-ranked findings and remediation guidance to reduce the attack surface before abuse impacts availability.
Cockroachdb-Specific Remediation in Hapi — concrete code fixes
To remediate rate abuse in Hapi with Cockroachdb, enforce rate limiting before requests reach business logic and make transaction usage explicit and efficient. Below are concrete patterns and code examples that align with secure integration practices.
- Global token bucket with Redis (shared across Hapi instances)
// server.js
const Hapi = require('@hapi/hapi');
const { RateLimiterRedis } = require('rate-limiter-flexible');
const Redis = require('ioredis');
const init = async () => {
const server = Hapi.server({ port: 3000, host: '0.0.0.0' });
const redisClient = new Redis({ host: 'redis.example.com', password: process.env.REDIS_PASSWORD });
const rateLimiter = new RateLimiterRedis({
storeClient: redisClient,
keyPrefix: 'rl',
points: 100, // 100 requests
duration: 60, // per 60 seconds
blockDuration: 60 // block for 60 seconds when exceeded
});
server.ext('onPreHandler', async (request, h) => {
try {
await rateLimiter.consume(request.info.remoteAddress, 1);
return h.continue;
} catch (rej) {
throw Boom.tooManyRequests('Too many requests, please try again later.');
}
});
// Example protected endpoint
server.route({
method: 'POST',
path: '/transfer',
handler: async (request, h) => {
const { from, to, amount } = request.payload;
// Cockroachdb transaction with retry and idempotency
const client = request.server.app.pgClient;
const retries = 3;
for (let i = 0; i < retries; i++) {
const transaction = client.transaction();
try {
await transaction.query('BEGIN');
const res = await transaction.query('SELECT balance FROM accounts WHERE id = $1 FOR UPDATE', [from]);
if (res.rows.length === 0 || res.rows[0].balance < amount) {
await transaction.query('ROLLBACK');
return { error: 'Insufficient funds' };
}
await transaction.query('UPDATE accounts SET balance = balance - $1 WHERE id = $2', [amount, from]);
await transaction.query('UPDATE accounts SET balance = balance + $1 WHERE id = $3', [amount, to]);
await transaction.query('COMMIT');
return { ok: true };
} catch (pgErr) {
await transaction.query('ROLLBACK');
// Retry only on serialization failures (Cockroachdb retry errors)
if (pgErr.code === '40001' || (pgErr.message && pgErr.message.includes('restart'))) {
if (i === retries - 1) throw Boom.badImplementation('Transaction failed after retries');
continue;
}
throw Boom.badImplementation('Database error');
}
}
}
});
await server.register(require('inert'));
await server.start();
};
init().catch(err => console.error(err));
- Optimistic idempotency with request keys
// idempotency.js helper used in route handler
const IdempotencyStore = {
async isDuplicate(key) {
const client = require('./db'); // Cockroachdb pool wrapper
const res = await client.query('SELECT id FROM idempotency WHERE request_key = $1 FOR UPDATE', [key]);
return res.rows.length > 0;
},
async markProcessed(key, response) {
const client = require('./db');
await client.query(
'INSERT INTO idempotency(request_key, response, created_at) VALUES($1, $2, NOW()) ON CONFLICT DO NOTHING',
[key, JSON.stringify(response)]
);
}
};
// Usage inside handler
server.route({
method: 'POST',
path: '/charge',
handler: async (request, h) => {
const key = request.headers['idempotency-key'] || request.info.id;
if (await IdempotencyStore.isDuplicate(key)) {
// Return cached response instead of re-processing
const cached = await client.query('SELECT response::json FROM idempotency WHERE request_key = $1', [key]);
return cached.rows[0].response;
}
// Perform Cockroachdb write
const tx = client.transaction();
await tx.query('BEGIN');
// ... business logic
await tx.query('COMMIT');
const response = { status: 'ok' };
await IdempotencyStore.markProcessed(key, response);
return response;
}
});
- Use Cockroachdb’s built-in transaction retry handling explicitly
// retry-wrapper.js
async function executeWithRetries(client, fn, maxRetries = 5) {
let attempt = 0;
while (true) {
const transaction = client.transaction();
try {
await transaction.query('BEGIN');
const result = await fn(transaction);
await transaction.query('COMMIT');
return result;
} catch (err) {
await transaction.query('ROLLBACK');
if ((err.code === '40001' || err.message.includes('restart')) && attempt < maxRetries) {
attempt++;
const delay = 100 * Math.pow(2, attempt);
await new Promise(r => setTimeout(r, delay));
continue;
}
throw err;
}
}
}
// In handler
server.route({
method: 'PUT',
path: '/account/{id}',
handler: async (request, h) => {
const client = request.server.app.pgClient;
return executeWithRetries(client, async (tx) => {
const { balance } = request.payload;
const res = await tx.query('UPDATE accounts SET balance = $1 WHERE id = $2 RETURNING id', [balance, request.params.id]);
return res.rows[0];
});
}
});
- Connection and statement timeouts to prevent long-running abusive transactions
// With Cockroachdb connection string options
const client = new Pool({
connectionString: 'postgresql://user:pass@cockroachdb:26257/db?sslmode=require',
statement_timeout: 10000, // 10 seconds
idle_in_transaction_session_timeout: 20000
});