ERR_ERL_CREATED_IN_REQUEST_HANDLER

[redevill]

Description

Getting this error - in what appears to be an inaccurate circumstance - not sure how to replicate, it is intermittent.
Our intent is to limit 2 of our URL paths that publicly exposed to have limited use frequency.
This follows the Usage outline in the documentation: https://express-rate-limit.mintlify.app/quickstart/usage
Notably the creation (class is created as part of the app.ts startup) is done before assignment to the express middleware.

export class SecurityHandlers {
  constructor(app: express.Application) {
    const publicAPIlimiter = rateLimit({
      windowMs: <someValue>,
      limit: <several allowed>
    });

    const authRateLimit = rateLimit({
      windowMs: <someSmallerValue>,
      limit: <SmallerLimit>
    });

    app.use('/api/public/', publicAPIlimiter);
    app.use('/api/auth/', authRateLimit);
    app.use('/api/auth/aRateLimitedHandler', [handlerx]);
    app.use('/api/public/moreRateLimitedHandlers', [handlery, hx, hq]);
}

Not sure why we sometimes get the error mentioned in the title - ideas?
TIA
Et

Library version

7.2.0

Node version

18.19.0

Typescript version (if you are using it)

5.3.3

Module system

ESM

[nfriedly]

Hum, that's confusing. Can you post the full stack trace it logs with the error?

The way the check works is that it looks for the string "Layer.handle [as handle_request]" in the stack trace. Perhaps that string is appearing for some reason? I'm not sure why it would be intermittent, though..

Also, as a workaround, you can disable that validation check:

    const publicAPIlimiter = rateLimit({
      windowMs: <someValue>,
      limit: <several allowed>,
      validate: {
        creationStack: false
      }
    });

    const authRateLimit = rateLimit({
      windowMs: <someSmallerValue>,
      limit: <SmallerLimit>,
      validate: {
        creationStack: false
      }
    });

[redevill]

Here is the stack.
Not sure why it indicates creation as part of the authentication, as the piece of code above is registered at start up time with the all the routes on the server. Those two are registered 2nd and 3rd respectively.

Thank you for your attention.
Et

ValidationError: express-rate-limit instance should be created at app initialization, not when responding to a request. See https://express-rate-limit.github.io/ERR_ERL_CREATED_IN_REQUEST_HANDLER/ for more information.
    at Object.creationStack (/home/ubuntu/dev/<appName>/node_modules/express-rate-limit/dist/index.cjs:308:13)
    at Object.wrappedValidations.<computed> [as creationStack] (/home/ubuntu/dev/<appName>/node_modules/express-rate-limit/dist/index.cjs:338:22)
    at rateLimit (/home/ubuntu/dev/<appName>/node_modules/express-rate-limit/dist/index.cjs:633:22)
    at new SecurityHandlers (/home/ubuntu/dev/<appName>/server/securityMiddleware/security.handlers.ts:20:39)
    at /home/ubuntu/dev/<appName>/server/routes.ts:36:7
    at Layer.handle [as handle_request] (/home/ubuntu/dev/<appName>/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/home/ubuntu/dev/<appName>/node_modules/express/lib/router/index.js:328:13)
    at /home/ubuntu/dev/<appName>/node_modules/express/lib/router/index.js:286:9
    at param (/home/ubuntu/dev/<appName>/node_modules/express/lib/router/index.js:365:14)
    at param (/home/ubuntu/dev/<appName>/node_modules/express/lib/router/index.js:376:14)
    at Function.process_params (/home/ubuntu/dev/<appName>/node_modules/express/lib/router/index.js:421:3)
    at next (/home/ubuntu/dev/<appName>/node_modules/express/lib/router/index.js:280:10)
    at SessionStrategy.strategy.pass (/home/ubuntu/dev/<appName>/node_modules/passport/lib/middleware/authenticate.js:346:9)
    at SessionStrategy.authenticate (/home/ubuntu/dev/<appName>/node_modules/passport/lib/strategies/session.js:75:10)
    at attempt (/home/ubuntu/dev/<appName>/node_modules/passport/lib/middleware/authenticate.js:369:16)
    at authenticate (/home/ubuntu/dev/<appName>/node_modules/passport/lib/middleware/authenticate.js:370:7) {
  code: 'ERR_ERL_CREATED_IN_REQUEST_HANDLER',
  help: 'https://express-rate-limit.github.io/ERR_ERL_CREATED_IN_REQUEST_HANDLER/'
}

[nfriedly]

What's at and around line 36 in your /home/ubuntu/dev/<appName>/server/routes.ts?

Also, I'm a little perplexed as to how passport's authenticate function is the last item in the stack trace - is it getting called in a setTimeout or process.nextTick or something along those lines?

[nfriedly]

Just checking back in, did you make any progress on this? If not, could you share the snippet of your routs.ts, around line 36?

[redevill]

Sorry was sick - catching up.
You are right, something not right. The Passport authenticate is set up in the middleware to be called with each request. This set up line is 36 mentioned above. I would not expect any Passport activity before this point. Trace shows otherwise.