From 99242b92bcc1965b2a72c01216bce7c232322f15 Mon Sep 17 00:00:00 2001 From: abcang Date: Sat, 9 Dec 2017 10:31:37 +0900 Subject: Keep WebPush settings (#5879) --- .../api/web/push_subscriptions_controller_spec.rb | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'spec/controllers') diff --git a/spec/controllers/api/web/push_subscriptions_controller_spec.rb b/spec/controllers/api/web/push_subscriptions_controller_spec.rb index 7e83b801d..bbf94c5c6 100644 --- a/spec/controllers/api/web/push_subscriptions_controller_spec.rb +++ b/spec/controllers/api/web/push_subscriptions_controller_spec.rb @@ -48,6 +48,23 @@ describe Api::Web::PushSubscriptionsController do expect(push_subscription['key_p256dh']).to eq(create_payload[:subscription][:keys][:p256dh]) expect(push_subscription['key_auth']).to eq(create_payload[:subscription][:keys][:auth]) end + + context 'with initial data' do + it 'saves alert settings' do + sign_in(user) + + stub_request(:post, create_payload[:subscription][:endpoint]).to_return(status: 200) + + post :create, format: :json, params: create_payload.merge(alerts_payload) + + push_subscription = Web::PushSubscription.find_by(endpoint: create_payload[:subscription][:endpoint]) + + expect(push_subscription.data['follow']).to eq(alerts_payload[:data][:follow]) + expect(push_subscription.data['favourite']).to eq(alerts_payload[:data][:favourite]) + expect(push_subscription.data['reblog']).to eq(alerts_payload[:data][:reblog]) + expect(push_subscription.data['mention']).to eq(alerts_payload[:data][:mention]) + end + end end describe 'PUT #update' do -- cgit From a865b62efc0f7025f789f4413a03ccacd57db7bb Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Sat, 9 Dec 2017 14:20:02 +0100 Subject: Rate limit by user instead of IP when API user is authenticated (#5923) * Fix #668 - Rate limit by user instead of IP when API user is authenticated * Fix code style issue * Use request decorator provided by Doorkeeper --- app/controllers/concerns/rate_limit_headers.rb | 3 +- config/initializers/rack_attack.rb | 55 ++++++++++++++++------ .../concerns/rate_limit_headers_spec.rb | 2 +- 3 files changed, 44 insertions(+), 16 deletions(-) (limited to 'spec/controllers') diff --git a/app/controllers/concerns/rate_limit_headers.rb b/app/controllers/concerns/rate_limit_headers.rb index 36cb91075..ac9b58f5d 100644 --- a/app/controllers/concerns/rate_limit_headers.rb +++ b/app/controllers/concerns/rate_limit_headers.rb @@ -44,7 +44,8 @@ module RateLimitHeaders end def api_throttle_data - request.env['rack.attack.throttle_data']['api'] + request.env['rack.attack.throttle_data']['throttle_authenticated_api'] || + request.env['rack.attack.throttle_data']['throttle_unauthenticated_api'] end def request_time diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb index 53cb106ca..fddcbc52c 100644 --- a/config/initializers/rack_attack.rb +++ b/config/initializers/rack_attack.rb @@ -1,6 +1,41 @@ # frozen_string_literal: true class Rack::Attack + class Request + def authenticated_token + return @token if defined?(@token) + + @token = Doorkeeper::OAuth::Token.authenticate( + Doorkeeper::Grape::AuthorizationDecorator.new(self), + *Doorkeeper.configuration.access_token_methods + ) + end + + def authenticated_user_id + authenticated_token&.resource_owner_id + end + + def unauthenticated? + !authenticated_user_id + end + + def api_request? + path.start_with?('/api') + end + + def web_request? + !api_request? + end + end + + PROTECTED_PATHS = %w( + /auth/sign_in + /auth + /auth/password + ).freeze + + PROTECTED_PATHS_REGEX = Regexp.union(PROTECTED_PATHS.map { |path| /\A#{Regexp.escape(path)}/ }) + # Always allow requests from localhost # (blocklist & throttles are skipped) Rack::Attack.safelist('allow from localhost') do |req| @@ -8,24 +43,16 @@ class Rack::Attack '127.0.0.1' == req.ip || '::1' == req.ip end - # Rate limits for the API - throttle('api', limit: 300, period: 5.minutes) do |req| - req.ip if req.path =~ /\A\/api\/v/ - end - - # Rate limit logins - throttle('login', limit: 5, period: 5.minutes) do |req| - req.ip if req.path == '/auth/sign_in' && req.post? + throttle('throttle_authenticated_api', limit: 300, period: 5.minutes) do |req| + req.api_request? && req.authenticated_user_id end - # Rate limit sign-ups - throttle('register', limit: 5, period: 5.minutes) do |req| - req.ip if req.path == '/auth' && req.post? + throttle('throttle_unauthenticated_api', limit: 300, period: 5.minutes) do |req| + req.ip if req.api_request? && req.unauthenticated? end - # Rate limit forgotten passwords - throttle('reminder', limit: 5, period: 5.minutes) do |req| - req.ip if req.path == '/auth/password' && req.post? + throttle('protected_paths', limit: 5, period: 5.minutes) do |req| + req.ip if req.post? && req.path =~ PROTECTED_PATHS_REGEX end self.throttled_response = lambda do |env| diff --git a/spec/controllers/concerns/rate_limit_headers_spec.rb b/spec/controllers/concerns/rate_limit_headers_spec.rb index 719978dc2..00a9a2080 100644 --- a/spec/controllers/concerns/rate_limit_headers_spec.rb +++ b/spec/controllers/concerns/rate_limit_headers_spec.rb @@ -34,7 +34,7 @@ describe ApplicationController do let(:start_time) { DateTime.new(2017, 1, 1, 12, 0, 0).utc } before do - request.env['rack.attack.throttle_data'] = { 'api' => { limit: 100, count: 20, period: 10 } } + request.env['rack.attack.throttle_data'] = { 'throttle_authenticated_api' => { limit: 100, count: 20, period: 10 } } travel_to start_time do get 'show' end -- cgit From 1356ed72cd4f595e93a5fa23fd8d7459fc8f81b3 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Tue, 12 Dec 2017 03:55:39 +0100 Subject: Fix #5953 - Add GET /api/v1/accounts/:id/lists (#5983) --- .../api/v1/accounts/lists_controller.rb | 20 +++++++++++++++++++ config/routes.rb | 1 + .../api/v1/accounts/lists_controller_spec.rb | 23 ++++++++++++++++++++++ 3 files changed, 44 insertions(+) create mode 100644 app/controllers/api/v1/accounts/lists_controller.rb create mode 100644 spec/controllers/api/v1/accounts/lists_controller_spec.rb (limited to 'spec/controllers') diff --git a/app/controllers/api/v1/accounts/lists_controller.rb b/app/controllers/api/v1/accounts/lists_controller.rb new file mode 100644 index 000000000..a7ba89ce2 --- /dev/null +++ b/app/controllers/api/v1/accounts/lists_controller.rb @@ -0,0 +1,20 @@ +# frozen_string_literal: true + +class Api::V1::Accounts::ListsController < Api::BaseController + before_action -> { doorkeeper_authorize! :read } + before_action :require_user! + before_action :set_account + + respond_to :json + + def index + @lists = @account.lists.where(account: current_account) + render json: @lists, each_serializer: REST::ListSerializer + end + + private + + def set_account + @account = Account.find(params[:account_id]) + end +end diff --git a/config/routes.rb b/config/routes.rb index 6313a355d..467849c03 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -269,6 +269,7 @@ Rails.application.routes.draw do resources :statuses, only: :index, controller: 'accounts/statuses' resources :followers, only: :index, controller: 'accounts/follower_accounts' resources :following, only: :index, controller: 'accounts/following_accounts' + resources :lists, only: :index, controller: 'accounts/lists' member do post :follow diff --git a/spec/controllers/api/v1/accounts/lists_controller_spec.rb b/spec/controllers/api/v1/accounts/lists_controller_spec.rb new file mode 100644 index 000000000..0a372f65b --- /dev/null +++ b/spec/controllers/api/v1/accounts/lists_controller_spec.rb @@ -0,0 +1,23 @@ +require 'rails_helper' + +describe Api::V1::Accounts::ListsController do + render_views + + let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') } + let(:account) { Fabricate(:account) } + let(:list) { Fabricate(:list, account: user.account) } + + before do + allow(controller).to receive(:doorkeeper_token) { token } + user.account.follow!(account) + list.accounts << account + end + + describe 'GET #index' do + it 'returns http success' do + get :index, params: { account_id: account.id } + expect(response).to have_http_status(:success) + end + end +end -- cgit