about summary refs log tree commit diff
path: root/spec
diff options
context:
space:
mode:
authorClaire <claire.github-309c@sitedethib.com>2022-11-14 20:27:31 +0100
committerClaire <claire.github-309c@sitedethib.com>2022-11-14 20:27:31 +0100
commit767630be24221e69336e639889a84a380aa9c4f4 (patch)
tree24bc62666b942c4c1763864fb4403414f7c5f8d4 /spec
parenta34aa2a5f99200f313942af60ead3d5805de3998 (diff)
parent21fd25a269cca742af431f0d13299e139f267346 (diff)
Merge branch 'main' into glitch-soc/merge-upstream
Conflicts:
- `Gemfile`:
  Upstream removed blank lines.
Diffstat (limited to 'spec')
-rw-r--r--spec/config/initializers/rack_attack_spec.rb82
1 files changed, 82 insertions, 0 deletions
diff --git a/spec/config/initializers/rack_attack_spec.rb b/spec/config/initializers/rack_attack_spec.rb
new file mode 100644
index 000000000..581021cb9
--- /dev/null
+++ b/spec/config/initializers/rack_attack_spec.rb
@@ -0,0 +1,82 @@
+require 'rails_helper'
+
+describe Rack::Attack do
+  include Rack::Test::Methods
+
+  def app
+    Rails.application
+  end
+
+  shared_examples 'throttled endpoint' do
+    context 'when the number of requests is lower than the limit' do
+      it 'does not change the request status' do
+        limit.times do
+          request.call
+          expect(last_response.status).to_not eq(429)
+        end
+      end
+    end
+
+    context 'when the number of requests is higher than the limit' do
+      it 'returns http too many requests' do
+        (limit * 2).times do |i|
+          request.call
+          expect(last_response.status).to eq(429) if i > limit
+        end
+      end
+    end
+  end
+
+  let(:remote_ip) { '1.2.3.5' }
+
+  describe 'throttle excessive sign-up requests by IP address' do
+    context 'through the website' do
+      let(:limit) { 25 }
+      let(:request) { ->() { post path, {}, 'REMOTE_ADDR' => remote_ip } }
+
+      context 'for exact path' do
+        let(:path)  { '/auth' }
+        it_behaves_like 'throttled endpoint'
+      end
+
+      context 'for path with format' do
+        let(:path)  { '/auth.html' }
+        it_behaves_like 'throttled endpoint'
+      end
+    end
+
+    context 'through the API' do
+      let(:limit) { 5 }
+      let(:request) { ->() { post path, {}, 'REMOTE_ADDR' => remote_ip } }
+
+      context 'for exact path' do
+        let(:path)  { '/api/v1/accounts' }
+        it_behaves_like 'throttled endpoint'
+      end
+
+      context 'for path with format' do
+        let(:path)  { '/api/v1/accounts.json' }
+
+        it 'returns http not found' do
+          request.call
+          expect(last_response.status).to eq(404)
+        end
+      end
+    end
+  end
+
+  describe 'throttle excessive sign-in requests by IP address' do
+    let(:limit) { 25 }
+    let(:request) { ->() { post path, {}, 'REMOTE_ADDR' => remote_ip } }
+
+    context 'for exact path' do
+      let(:path)  { '/auth/sign_in' }
+      it_behaves_like 'throttled endpoint'
+    end
+
+    context 'for path with format' do
+      let(:path)  { '/auth/sign_in.html' }
+      it_behaves_like 'throttled endpoint'
+    end
+  end
+end