diff options
author | Claire <claire.github-309c@sitedethib.com> | 2023-02-22 10:28:52 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-02-22 10:28:52 +0100 |
commit | 3ed1b9ebb60a50ea1cb6a229ab25d4e7d6b848c8 (patch) | |
tree | 16b39aa13709db220e9436e2fae89ea543e0c45d /spec/config/initializers | |
parent | 4ff44be1348136fa602318cca343e716fea0e556 (diff) |
Fix rack:attack flaky tests and test end of throttle period (#23799)
Diffstat (limited to 'spec/config/initializers')
-rw-r--r-- | spec/config/initializers/rack_attack_spec.rb | 27 |
1 files changed, 23 insertions, 4 deletions
diff --git a/spec/config/initializers/rack_attack_spec.rb b/spec/config/initializers/rack_attack_spec.rb index 2cfe90b1a..cc931b21b 100644 --- a/spec/config/initializers/rack_attack_spec.rb +++ b/spec/config/initializers/rack_attack_spec.rb @@ -10,6 +10,17 @@ describe Rack::Attack do end shared_examples 'throttled endpoint' do + before do + # Rack::Attack periods are not rolling, so avoid flaky tests by setting the time in a way + # to avoid crossing period boundaries. + + # The code Rack::Attack uses to set periods is the following: + # https://github.com/rack/rack-attack/blob/v6.6.1/lib/rack/attack/cache.rb#L64-L66 + # So we want to minimize `Time.now.to_i % period` + + travel_to Time.zone.at((Time.now.to_i / period.seconds).to_i * period.seconds) + end + context 'when the number of requests is lower than the limit' do it 'does not change the request status' do limit.times do @@ -20,11 +31,16 @@ describe Rack::Attack do end context 'when the number of requests is higher than the limit' do - it 'returns http too many requests' do + it 'returns http too many requests after limit and returns to normal status after period' do (limit * 2).times do |i| request.call expect(last_response.status).to eq(429) if i > limit end + + travel period + + request.call + expect(last_response.status).to_not eq(429) end end end @@ -33,7 +49,8 @@ describe Rack::Attack do describe 'throttle excessive sign-up requests by IP address' do context 'through the website' do - let(:limit) { 25 } + let(:limit) { 25 } + let(:period) { 5.minutes } let(:request) { -> { post path, {}, 'REMOTE_ADDR' => remote_ip } } context 'for exact path' do @@ -50,7 +67,8 @@ describe Rack::Attack do end context 'through the API' do - let(:limit) { 5 } + let(:limit) { 5 } + let(:period) { 30.minutes } let(:request) { -> { post path, {}, 'REMOTE_ADDR' => remote_ip } } context 'for exact path' do @@ -71,7 +89,8 @@ describe Rack::Attack do end describe 'throttle excessive sign-in requests by IP address' do - let(:limit) { 25 } + let(:limit) { 25 } + let(:period) { 5.minutes } let(:request) { -> { post path, {}, 'REMOTE_ADDR' => remote_ip } } context 'for exact path' do |