
Is it worth it to use the request-ip package for an express.js app instead of req.ip?


I need to do a basic flooding control, nothing very sophisticated. I want to get source IP and delay the answer if they are requesting too many times in a short period. I saw that there is a req.ip field but also a package: https://www.npmjs.com/package/request-ip

What's the difference?


Solution

  • I suggest you use the request-ip module, because it looks for specific headers in the request and falls back to some defaults if they do not exist.

    The following is the order it uses to determine the user ip from the request.

    1. X-Client-IP
    2. X-Forwarded-For header may return multiple IP addresses in the format: "client IP, proxy 1 IP, proxy 2 IP", so we take the first one.
    3. CF-Connecting-IP (Cloudflare)
    4. Fastly-Client-IP (Fastly CDN and Firebase hosting header when forwarded to a cloud function)
    5. True-Client-IP (Akamai and Cloudflare)
    6. X-Real-IP (nginx proxy/FastCGI)
    7. X-Cluster-Client-IP (Rackspace LB, Riverbed Stingray)
    8. X-Forwarded, Forwarded-For and Forwarded (Variations of #2)
    9. appengine-user-ip (Google App Engine)
    10. req.connection.remoteAddress
    11. req.socket.remoteAddress
    12. req.connection.socket.remoteAddress
    13. req.info.remoteAddress
    14. Cf-Pseudo-IPv4 (Cloudflare fallback)
    15. request.raw (Fastify)

    It lets you get the real client IP regardless of your web server configuration or proxy settings, or even the technology of the connection (HTTP, WebSocket...)

    You can also take a look at the express req.ips (yes, ips, not req.ip) property to get more information about the request:

    req.ips (http://expressjs.com/en/api.html)

    When the trust proxy setting does not evaluate to false, this property contains an array of IP addresses specified in the X-Forwarded-For request header. Otherwise, it contains an empty array. This header can be set by the client or by the proxy.

    For example, if X-Forwarded-For is client, proxy1, proxy2, req.ips would be ["client", "proxy1", "proxy2"], where proxy2 is the furthest downstream.
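An added example (not from the question, the answer or the request-ip package) that puts the two resolution strategies discussed above side by side on constructed request objects and feeds the result into the basic delay-based flood control the question asks for. The headerFirstIp(), expressStyleIp(), floodDelay() and floodControl() names and the RFC 5737 documentation addresses are my own constructions.

```javascript
// Added example: models the two IP-resolution strategies on constructed request
// objects, then uses the resolved IP as the key for a simple delay-based flood
// control. All addresses are constructed documentation-range values.

// Simplified imitation of request-ip's header-first order (headers are not validated).
function headerFirstIp(req) {
  const h = req.headers || {};
  if (h['x-client-ip']) return h['x-client-ip'];
  if (h['x-forwarded-for']) return h['x-forwarded-for'].split(',')[0].trim();
  if (h['x-real-ip']) return h['x-real-ip'];
  return req.socket.remoteAddress;
}

// Mirrors Express's numeric "trust proxy" setting: only the last `trustedHops`
// addresses are believed, so a sender cannot choose its own key by adding
// X-Forwarded-For to a request that reaches the app with no proxy in front (hops = 0).
function expressStyleIp(req, trustedHops) {
  const xff = (req.headers['x-forwarded-for'] || '')
    .split(',').map(s => s.trim()).filter(Boolean);
  // Hop chain from nearest to furthest: socket peer, then X-Forwarded-For reversed.
  const addrs = [req.socket.remoteAddress, ...xff.reverse()];
  return addrs[Math.min(trustedHops, addrs.length - 1)];
}

// Basic flood control: more than MAX_REQ requests per WINDOW_MS from one key
// earns a DELAY_MS wait before the request is processed.
const WINDOW_MS = 10000, MAX_REQ = 5, DELAY_MS = 2000;
const hits = new Map(); // key (client IP) -> timestamps of recent requests

function floodDelay(key, now = Date.now()) {
  const recent = (hits.get(key) || []).filter(t => now - t < WINDOW_MS);
  recent.push(now);
  hits.set(key, recent);
  return recent.length > MAX_REQ ? DELAY_MS : 0;
}

// Express middleware form; assumes app.set('trust proxy', <hops>) so that req.ip
// is already resolved the way expressStyleIp() does above.
function floodControl(req, res, next) {
  const wait = floodDelay(req.ip);
  if (wait > 0) setTimeout(next, wait); else next();
}

// Constructed request that reached the app directly but carries a forged header.
const direct = { headers: { 'x-forwarded-for': '203.0.113.9' },
                 socket: { remoteAddress: '198.51.100.7' } };
console.log(headerFirstIp(direct));      // 203.0.113.9  (value chosen by the sender)
console.log(expressStyleIp(direct, 0));  // 198.51.100.7 (the actual peer)
```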