RISCI_ATOM
/
mastodon
mirror de https://github.com/tootsuite/mastodon.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104
							require 'rails_helper'

describe Rack::Attack, type: :request do
  def app
    Rails.application
  end

  shared_examples 'throttled endpoint' do
    context 'when the number of requests is lower than the limit' do
      it 'does not change the request status' do
        limit.times do
          request.call
          expect(response.status).to_not eq(429)
        end
      end
    end

    context 'when the number of requests is higher than the limit' do
      it 'returns http too many requests' do
        (limit * 2).times do |i|
          request.call
          expect(response.status).to eq(429) if i > limit
        end
      end
    end
  end

  let(:remote_ip) { '1.2.3.5' }

  describe 'throttle excessive sign-up requests by IP address' do
    context 'through the website' do
      let(:limit) { 25 }
      let(:request) { ->() { post path, headers: { 'REMOTE_ADDR' => remote_ip } } }

      context 'for exact path' do
        let(:path)  { '/auth' }
        it_behaves_like 'throttled endpoint'
      end

      context 'for path with format' do
        let(:path)  { '/auth.html' }
        it_behaves_like 'throttled endpoint'
      end
    end

    context 'through the API' do
      let(:limit) { 5 }
      let(:request) { ->() { post path, headers: { 'REMOTE_ADDR' => remote_ip } } }

      context 'for exact path' do
        let(:path)  { '/api/v1/accounts' }
        it_behaves_like 'throttled endpoint'
      end

      context 'for path with format' do
        let(:path)  { '/api/v1/accounts.json' }

        it 'returns http not found' do
          request.call
          expect(response.status).to eq(404)
        end
      end
    end
  end

  describe 'throttle excessive sign-in requests by IP address' do
    let(:limit) { 25 }
    let(:request) { ->() { post path, headers: { 'REMOTE_ADDR' => remote_ip } } }

    context 'for exact path' do
      let(:path)  { '/auth/sign_in' }
      it_behaves_like 'throttled endpoint'
    end

    context 'for path with format' do
      let(:path)  { '/auth/sign_in.html' }
      it_behaves_like 'throttled endpoint'
    end
  end

  describe 'throttle excessive password change requests by account' do
    let(:user) { Fabricate(:user, email: 'user@host.example') }
    let(:limit) { 10 }
    let(:period) { 10.minutes }
    let(:request) { -> { put path, headers: { 'REMOTE_ADDR' => remote_ip } } }
    let(:path) { '/auth' }

    before do
      sign_in user, scope: :user

      # Unfortunately, devise's `sign_in` helper causes the `session` to be
      # loaded in the next request regardless of whether it's actually accessed
      # by the client code.
      #
      # So, we make an extra query to clear issue a session cookie instead.
      #
      # A less resource-intensive way to deal with that would be to generate the
      # session cookie manually, but this seems pretty involved.
      get '/'
    end

    it_behaves_like 'throttled endpoint'
  end
end