Domovská stránka Prehľadávať Pomoc
Prihlásiť sa
RISCI_ATOM
/
mastodon
zrkadlo https://github.com/tootsuite/mastodon.git
1
0
Fork 0
Súbory Issues 8 Wiki
Strom: 84cc805cae
Branche Tagy
mastodon
/
spec
/
config
/
initializers
/
rack_attack_spec.rb

rack_attack_spec.rb 2.1 KB
História Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889 
  1. # frozen_string_literal: true
    2. 

  2. 

  3. require 'rails_helper'
    4. 

  4. 

  5. describe Rack::Attack do
    6. 

  6.   include Rack::Test::Methods
    7. 

  7. 

  8.   def app
    9. 

  9.     Rails.application
    10. 

  10.   end
    11. 

  11. 

  12.   shared_examples 'throttled endpoint' do
    13. 

  13.     context 'when the number of requests is lower than the limit' do
    14. 

  14.       it 'does not change the request status' do
    15. 

  15.         limit.times do
    16. 

  16.           request.call
    17. 

  17.           expect(last_response.status).to_not eq(429)
    18. 

  18.         end
    19. 

  19.       end
    20. 

  20.     end
    21. 

  21. 

  22.     context 'when the number of requests is higher than the limit' do
    23. 

  23.       it 'returns http too many requests' do
    24. 

  24.         (limit * 2).times do |i|
    25. 

  25.           request.call
    26. 

  26.           expect(last_response.status).to eq(429) if i > limit
    27. 

  27.         end
    28. 

  28.       end
    29. 

  29.     end
    30. 

  30.   end
    31. 

  31. 

  32.   let(:remote_ip) { '1.2.3.5' }
    33. 

  33. 

  34.   describe 'throttle excessive sign-up requests by IP address' do
    35. 

  35.     context 'through the website' do
    36. 

  36.       let(:limit) { 25 }
    37. 

  37.       let(:request) { -> { post path, {}, 'REMOTE_ADDR' => remote_ip } }
    38. 

  38. 

  39.       context 'for exact path' do
    40. 

  40.         let(:path) { '/auth' }
    41. 

  41. 

  42.         it_behaves_like 'throttled endpoint'
    43. 

  43.       end
    44. 

  44. 

  45.       context 'for path with format' do
    46. 

  46.         let(:path) { '/auth.html' }
    47. 

  47. 

  48.         it_behaves_like 'throttled endpoint'
    49. 

  49.       end
    50. 

  50.     end
    51. 

  51. 

  52.     context 'through the API' do
    53. 

  53.       let(:limit) { 5 }
    54. 

  54.       let(:request) { -> { post path, {}, 'REMOTE_ADDR' => remote_ip } }
    55. 

  55. 

  56.       context 'for exact path' do
    57. 

  57.         let(:path) { '/api/v1/accounts' }
    58. 

  58. 

  59.         it_behaves_like 'throttled endpoint'
    60. 

  60.       end
    61. 

  61. 

  62.       context 'for path with format' do
    63. 

  63.         let(:path)  { '/api/v1/accounts.json' }
    64. 

  64. 

  65.         it 'returns http not found' do
    66. 

  66.           request.call
    67. 

  67.           expect(last_response.status).to eq(404)
    68. 

  68.         end
    69. 

  69.       end
    70. 

  70.     end
    71. 

  71.   end
    72. 

  72. 

  73.   describe 'throttle excessive sign-in requests by IP address' do
    74. 

  74.     let(:limit) { 25 }
    75. 

  75.     let(:request) { -> { post path, {}, 'REMOTE_ADDR' => remote_ip } }
    76. 

  76. 

  77.     context 'for exact path' do
    78. 

  78.       let(:path) { '/auth/sign_in' }
    79. 

  79. 

  80.       it_behaves_like 'throttled endpoint'
    81. 

  81.     end
    82. 

  82. 

  83.     context 'for path with format' do
    84. 

  84.       let(:path) { '/auth/sign_in.html' }
    85. 

  85. 

  86.       it_behaves_like 'throttled endpoint'
    87. 

  87.     end
    88. 

  88.   end
    89. 

  89. end
    90.