about summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--spec/config/initializers/rack_attack_spec.rb27
1 files changed, 23 insertions, 4 deletions
diff --git a/spec/config/initializers/rack_attack_spec.rb b/spec/config/initializers/rack_attack_spec.rb
index 2cfe90b1a..cc931b21b 100644
--- a/spec/config/initializers/rack_attack_spec.rb
+++ b/spec/config/initializers/rack_attack_spec.rb
@@ -10,6 +10,17 @@ describe Rack::Attack do
   end
 
   shared_examples 'throttled endpoint' do
+    before do
+      # Rack::Attack periods are not rolling, so avoid flaky tests by setting the time in a way
+      # to avoid crossing period boundaries.
+
+      # The code Rack::Attack uses to set periods is the following:
+      # https://github.com/rack/rack-attack/blob/v6.6.1/lib/rack/attack/cache.rb#L64-L66
+      # So we want to minimize `Time.now.to_i % period`
+
+      travel_to Time.zone.at((Time.now.to_i / period.seconds).to_i * period.seconds)
+    end
+
     context 'when the number of requests is lower than the limit' do
       it 'does not change the request status' do
         limit.times do
@@ -20,11 +31,16 @@ describe Rack::Attack do
     end
 
     context 'when the number of requests is higher than the limit' do
-      it 'returns http too many requests' do
+      it 'returns http too many requests after limit and returns to normal status after period' do
         (limit * 2).times do |i|
           request.call
           expect(last_response.status).to eq(429) if i > limit
         end
+
+        travel period
+
+        request.call
+        expect(last_response.status).to_not eq(429)
       end
     end
   end
@@ -33,7 +49,8 @@ describe Rack::Attack do
 
   describe 'throttle excessive sign-up requests by IP address' do
     context 'through the website' do
-      let(:limit) { 25 }
+      let(:limit)  { 25 }
+      let(:period) { 5.minutes }
       let(:request) { -> { post path, {}, 'REMOTE_ADDR' => remote_ip } }
 
       context 'for exact path' do
@@ -50,7 +67,8 @@ describe Rack::Attack do
     end
 
     context 'through the API' do
-      let(:limit) { 5 }
+      let(:limit)  { 5 }
+      let(:period) { 30.minutes }
       let(:request) { -> { post path, {}, 'REMOTE_ADDR' => remote_ip } }
 
       context 'for exact path' do
@@ -71,7 +89,8 @@ describe Rack::Attack do
   end
 
   describe 'throttle excessive sign-in requests by IP address' do
-    let(:limit) { 25 }
+    let(:limit)  { 25 }
+    let(:period) { 5.minutes }
     let(:request) { -> { post path, {}, 'REMOTE_ADDR' => remote_ip } }
 
     context 'for exact path' do