2023-02-22 11:55:31 +11:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2022-11-15 06:26:31 +11:00
|
|
|
require 'rails_helper'
|
|
|
|
|
2024-09-04 15:12:25 +10:00
|
|
|
RSpec.describe Rack::Attack, type: :request do
|
2022-11-15 06:26:31 +11:00
|
|
|
def app
|
|
|
|
Rails.application
|
|
|
|
end
|
|
|
|
|
|
|
|
shared_examples 'throttled endpoint' do
|
2023-02-22 20:28:52 +11:00
|
|
|
before do
|
|
|
|
# Rack::Attack periods are not rolling, so avoid flaky tests by setting the time in a way
|
|
|
|
# to avoid crossing period boundaries.
|
|
|
|
|
|
|
|
# The code Rack::Attack uses to set periods is the following:
|
2024-03-12 02:14:55 +11:00
|
|
|
# https://github.com/rack/rack-attack/blob/v6.7.0/lib/rack/attack/cache.rb#L70-L72
|
2023-02-22 20:28:52 +11:00
|
|
|
# So we want to minimize `Time.now.to_i % period`
|
|
|
|
|
2023-10-14 01:14:23 +11:00
|
|
|
travel_to Time.zone.at(counter_prefix * period.seconds)
|
2023-02-22 20:28:52 +11:00
|
|
|
end
|
|
|
|
|
2022-11-15 06:26:31 +11:00
|
|
|
context 'when the number of requests is lower than the limit' do
|
2023-10-14 01:14:23 +11:00
|
|
|
before do
|
|
|
|
below_limit.times { increment_counter }
|
|
|
|
end
|
|
|
|
|
2022-11-15 06:26:31 +11:00
|
|
|
it 'does not change the request status' do
|
2023-10-14 01:14:23 +11:00
|
|
|
expect { request.call }.to change { throttle_count }.by(1)
|
|
|
|
|
|
|
|
expect(response).to_not have_http_status(429)
|
2022-11-15 06:26:31 +11:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when the number of requests is higher than the limit' do
|
2023-10-14 01:14:23 +11:00
|
|
|
before do
|
|
|
|
above_limit.times { increment_counter }
|
|
|
|
end
|
|
|
|
|
2023-02-22 20:28:52 +11:00
|
|
|
it 'returns http too many requests after limit and returns to normal status after period' do
|
2023-10-14 01:14:23 +11:00
|
|
|
expect { request.call }.to change { throttle_count }.by(1)
|
|
|
|
expect(response).to have_http_status(429)
|
2023-02-22 20:28:52 +11:00
|
|
|
|
|
|
|
travel period
|
|
|
|
|
2023-10-14 01:14:23 +11:00
|
|
|
expect { request.call }.to change { throttle_count }.by(1)
|
2023-04-30 14:43:28 +10:00
|
|
|
expect(response).to_not have_http_status(429)
|
2022-11-15 06:26:31 +11:00
|
|
|
end
|
|
|
|
end
|
2023-10-14 01:14:23 +11:00
|
|
|
|
|
|
|
def below_limit
|
|
|
|
limit - 1
|
|
|
|
end
|
|
|
|
|
|
|
|
def above_limit
|
|
|
|
limit * 2
|
|
|
|
end
|
|
|
|
|
|
|
|
def throttle_count
|
2024-05-30 22:14:04 +10:00
|
|
|
described_class.cache.read("#{counter_prefix}:#{throttle}:#{discriminator}") || 0
|
2023-10-14 01:14:23 +11:00
|
|
|
end
|
|
|
|
|
|
|
|
def counter_prefix
|
|
|
|
(Time.now.to_i / period.seconds).to_i
|
|
|
|
end
|
|
|
|
|
|
|
|
def increment_counter
|
2024-05-30 22:14:04 +10:00
|
|
|
described_class.cache.count("#{throttle}:#{discriminator}", period)
|
2023-10-14 01:14:23 +11:00
|
|
|
end
|
2022-11-15 06:26:31 +11:00
|
|
|
end
|
|
|
|
|
|
|
|
let(:remote_ip) { '1.2.3.5' }
|
2024-05-30 22:14:04 +10:00
|
|
|
let(:discriminator) { remote_ip }
|
2022-11-15 06:26:31 +11:00
|
|
|
|
|
|
|
describe 'throttle excessive sign-up requests by IP address' do
|
2023-05-04 13:49:08 +10:00
|
|
|
context 'when accessed through the website' do
|
2023-10-14 01:14:23 +11:00
|
|
|
let(:throttle) { 'throttle_sign_up_attempts/ip' }
|
2023-02-22 20:28:52 +11:00
|
|
|
let(:limit) { 25 }
|
|
|
|
let(:period) { 5.minutes }
|
2023-04-30 14:43:28 +10:00
|
|
|
let(:request) { -> { post path, headers: { 'REMOTE_ADDR' => remote_ip } } }
|
2022-11-15 06:26:31 +11:00
|
|
|
|
2023-05-04 13:49:08 +10:00
|
|
|
context 'with exact path' do
|
2023-02-18 08:56:20 +11:00
|
|
|
let(:path) { '/auth' }
|
2023-02-19 09:10:19 +11:00
|
|
|
|
2022-11-15 06:26:31 +11:00
|
|
|
it_behaves_like 'throttled endpoint'
|
|
|
|
end
|
|
|
|
|
2023-05-04 13:49:08 +10:00
|
|
|
context 'with path with format' do
|
2023-02-18 08:56:20 +11:00
|
|
|
let(:path) { '/auth.html' }
|
2023-02-19 09:10:19 +11:00
|
|
|
|
2022-11-15 06:26:31 +11:00
|
|
|
it_behaves_like 'throttled endpoint'
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2023-05-04 13:49:08 +10:00
|
|
|
context 'when accessed through the API' do
|
2023-10-14 01:14:23 +11:00
|
|
|
let(:throttle) { 'throttle_api_sign_up' }
|
2023-02-22 20:28:52 +11:00
|
|
|
let(:limit) { 5 }
|
|
|
|
let(:period) { 30.minutes }
|
2023-04-30 14:43:28 +10:00
|
|
|
let(:request) { -> { post path, headers: { 'REMOTE_ADDR' => remote_ip } } }
|
2022-11-15 06:26:31 +11:00
|
|
|
|
2023-05-04 13:49:08 +10:00
|
|
|
context 'with exact path' do
|
2023-02-18 08:56:20 +11:00
|
|
|
let(:path) { '/api/v1/accounts' }
|
2023-02-19 09:10:19 +11:00
|
|
|
|
2022-11-15 06:26:31 +11:00
|
|
|
it_behaves_like 'throttled endpoint'
|
|
|
|
end
|
|
|
|
|
2023-05-04 13:49:08 +10:00
|
|
|
context 'with path with format' do
|
2022-11-15 06:26:31 +11:00
|
|
|
let(:path) { '/api/v1/accounts.json' }
|
|
|
|
|
|
|
|
it 'returns http not found' do
|
|
|
|
request.call
|
2023-04-30 14:43:28 +10:00
|
|
|
expect(response).to have_http_status(404)
|
2022-11-15 06:26:31 +11:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe 'throttle excessive sign-in requests by IP address' do
|
2023-10-14 01:14:23 +11:00
|
|
|
let(:throttle) { 'throttle_login_attempts/ip' }
|
2023-02-22 20:28:52 +11:00
|
|
|
let(:limit) { 25 }
|
|
|
|
let(:period) { 5.minutes }
|
2023-04-30 14:43:28 +10:00
|
|
|
let(:request) { -> { post path, headers: { 'REMOTE_ADDR' => remote_ip } } }
|
2022-11-15 06:26:31 +11:00
|
|
|
|
2023-05-04 13:49:08 +10:00
|
|
|
context 'with exact path' do
|
2023-02-18 08:56:20 +11:00
|
|
|
let(:path) { '/auth/sign_in' }
|
2023-02-19 09:10:19 +11:00
|
|
|
|
2022-11-15 06:26:31 +11:00
|
|
|
it_behaves_like 'throttled endpoint'
|
|
|
|
end
|
|
|
|
|
2023-05-04 13:49:08 +10:00
|
|
|
context 'with path with format' do
|
2023-02-18 08:56:20 +11:00
|
|
|
let(:path) { '/auth/sign_in.html' }
|
2023-02-19 09:10:19 +11:00
|
|
|
|
2022-11-15 06:26:31 +11:00
|
|
|
it_behaves_like 'throttled endpoint'
|
|
|
|
end
|
|
|
|
end
|
2024-05-30 00:00:05 +10:00
|
|
|
|
|
|
|
describe 'throttle excessive oauth application registration requests by IP address' do
|
|
|
|
let(:throttle) { 'throttle_oauth_application_registrations/ip' }
|
|
|
|
let(:limit) { 5 }
|
|
|
|
let(:period) { 10.minutes }
|
|
|
|
let(:path) { '/api/v1/apps' }
|
|
|
|
let(:params) do
|
|
|
|
{
|
|
|
|
client_name: 'Throttle Test',
|
|
|
|
redirect_uris: 'urn:ietf:wg:oauth:2.0:oob',
|
|
|
|
scopes: 'read',
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
let(:request) { -> { post path, params: params, headers: { 'REMOTE_ADDR' => remote_ip } } }
|
|
|
|
|
|
|
|
it_behaves_like 'throttled endpoint'
|
|
|
|
end
|
2024-05-30 22:14:04 +10:00
|
|
|
|
|
|
|
describe 'throttle excessive password change requests by account' do
|
|
|
|
let(:user) { Fabricate(:user, email: 'user@host.example') }
|
|
|
|
let(:throttle) { 'throttle_password_change/account' }
|
|
|
|
let(:limit) { 10 }
|
|
|
|
let(:period) { 10.minutes }
|
|
|
|
let(:request) { -> { put path, headers: { 'REMOTE_ADDR' => remote_ip } } }
|
|
|
|
let(:path) { '/auth' }
|
|
|
|
let(:discriminator) { user.id }
|
|
|
|
|
|
|
|
before do
|
|
|
|
sign_in user, scope: :user
|
|
|
|
|
|
|
|
# Unfortunately, devise's `sign_in` helper causes the `session` to be
|
|
|
|
# loaded in the next request regardless of whether it's actually accessed
|
|
|
|
# by the client code.
|
|
|
|
#
|
|
|
|
# So, we make an extra query to clear issue a session cookie instead.
|
|
|
|
#
|
|
|
|
# A less resource-intensive way to deal with that would be to generate the
|
|
|
|
# session cookie manually, but this seems pretty involved.
|
|
|
|
get '/'
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'throttled endpoint'
|
|
|
|
end
|
2022-11-15 06:26:31 +11:00
|
|
|
end
|