about summary refs log tree commit diff
path: root/spec/config/initializers
diff options
context:
space:
mode:
Diffstat (limited to 'spec/config/initializers')
-rw-r--r--spec/config/initializers/rack_attack_spec.rb50
1 files changed, 38 insertions, 12 deletions
diff --git a/spec/config/initializers/rack_attack_spec.rb b/spec/config/initializers/rack_attack_spec.rb
index 581021cb9..cc931b21b 100644
--- a/spec/config/initializers/rack_attack_spec.rb
+++ b/spec/config/initializers/rack_attack_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rails_helper'
 
 describe Rack::Attack do
@@ -8,6 +10,17 @@ describe Rack::Attack do
   end
 
   shared_examples 'throttled endpoint' do
+    before do
+      # Rack::Attack periods are not rolling, so avoid flaky tests by setting the time in a way
+      # to avoid crossing period boundaries.
+
+      # The code Rack::Attack uses to set periods is the following:
+      # https://github.com/rack/rack-attack/blob/v6.6.1/lib/rack/attack/cache.rb#L64-L66
+      # So we want to minimize `Time.now.to_i % period`
+
+      travel_to Time.zone.at((Time.now.to_i / period.seconds).to_i * period.seconds)
+    end
+
     context 'when the number of requests is lower than the limit' do
       it 'does not change the request status' do
         limit.times do
@@ -18,11 +31,16 @@ describe Rack::Attack do
     end
 
     context 'when the number of requests is higher than the limit' do
-      it 'returns http too many requests' do
+      it 'returns http too many requests after limit and returns to normal status after period' do
         (limit * 2).times do |i|
           request.call
           expect(last_response.status).to eq(429) if i > limit
         end
+
+        travel period
+
+        request.call
+        expect(last_response.status).to_not eq(429)
       end
     end
   end
@@ -31,26 +49,31 @@ describe Rack::Attack do
 
   describe 'throttle excessive sign-up requests by IP address' do
     context 'through the website' do
-      let(:limit) { 25 }
-      let(:request) { ->() { post path, {}, 'REMOTE_ADDR' => remote_ip } }
+      let(:limit)  { 25 }
+      let(:period) { 5.minutes }
+      let(:request) { -> { post path, {}, 'REMOTE_ADDR' => remote_ip } }
 
       context 'for exact path' do
-        let(:path)  { '/auth' }
+        let(:path) { '/auth' }
+
         it_behaves_like 'throttled endpoint'
       end
 
       context 'for path with format' do
-        let(:path)  { '/auth.html' }
+        let(:path) { '/auth.html' }
+
         it_behaves_like 'throttled endpoint'
       end
     end
 
     context 'through the API' do
-      let(:limit) { 5 }
-      let(:request) { ->() { post path, {}, 'REMOTE_ADDR' => remote_ip } }
+      let(:limit)  { 5 }
+      let(:period) { 30.minutes }
+      let(:request) { -> { post path, {}, 'REMOTE_ADDR' => remote_ip } }
 
       context 'for exact path' do
-        let(:path)  { '/api/v1/accounts' }
+        let(:path) { '/api/v1/accounts' }
+
         it_behaves_like 'throttled endpoint'
       end
 
@@ -66,16 +89,19 @@ describe Rack::Attack do
   end
 
   describe 'throttle excessive sign-in requests by IP address' do
-    let(:limit) { 25 }
-    let(:request) { ->() { post path, {}, 'REMOTE_ADDR' => remote_ip } }
+    let(:limit)  { 25 }
+    let(:period) { 5.minutes }
+    let(:request) { -> { post path, {}, 'REMOTE_ADDR' => remote_ip } }
 
     context 'for exact path' do
-      let(:path)  { '/auth/sign_in' }
+      let(:path) { '/auth/sign_in' }
+
       it_behaves_like 'throttled endpoint'
     end
 
     context 'for path with format' do
-      let(:path)  { '/auth/sign_in.html' }
+      let(:path) { '/auth/sign_in.html' }
+
       it_behaves_like 'throttled endpoint'
     end
   end