attack_spec.rb 3.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134
  1. # frozen_string_literal: true
  2. require 'rails_helper'
  3. describe Rack::Attack, type: :request do
  4. def app
  5. Rails.application
  6. end
  7. shared_examples 'throttled endpoint' do
  8. before do
  9. # Rack::Attack periods are not rolling, so avoid flaky tests by setting the time in a way
  10. # to avoid crossing period boundaries.
  11. # The code Rack::Attack uses to set periods is the following:
  12. # https://github.com/rack/rack-attack/blob/v6.6.1/lib/rack/attack/cache.rb#L64-L66
  13. # So we want to minimize `Time.now.to_i % period`
  14. travel_to Time.zone.at(counter_prefix * period.seconds)
  15. end
  16. context 'when the number of requests is lower than the limit' do
  17. before do
  18. below_limit.times { increment_counter }
  19. end
  20. it 'does not change the request status' do
  21. expect { request.call }.to change { throttle_count }.by(1)
  22. expect(response).to_not have_http_status(429)
  23. end
  24. end
  25. context 'when the number of requests is higher than the limit' do
  26. before do
  27. above_limit.times { increment_counter }
  28. end
  29. it 'returns http too many requests after limit and returns to normal status after period' do
  30. expect { request.call }.to change { throttle_count }.by(1)
  31. expect(response).to have_http_status(429)
  32. travel period
  33. expect { request.call }.to change { throttle_count }.by(1)
  34. expect(response).to_not have_http_status(429)
  35. end
  36. end
  37. def below_limit
  38. limit - 1
  39. end
  40. def above_limit
  41. limit * 2
  42. end
  43. def throttle_count
  44. described_class.cache.read("#{counter_prefix}:#{throttle}:#{remote_ip}") || 0
  45. end
  46. def counter_prefix
  47. (Time.now.to_i / period.seconds).to_i
  48. end
  49. def increment_counter
  50. described_class.cache.count("#{throttle}:#{remote_ip}", period)
  51. end
  52. end
  53. let(:remote_ip) { '1.2.3.5' }
  54. describe 'throttle excessive sign-up requests by IP address' do
  55. context 'when accessed through the website' do
  56. let(:throttle) { 'throttle_sign_up_attempts/ip' }
  57. let(:limit) { 25 }
  58. let(:period) { 5.minutes }
  59. let(:request) { -> { post path, headers: { 'REMOTE_ADDR' => remote_ip } } }
  60. context 'with exact path' do
  61. let(:path) { '/auth' }
  62. it_behaves_like 'throttled endpoint'
  63. end
  64. context 'with path with format' do
  65. let(:path) { '/auth.html' }
  66. it_behaves_like 'throttled endpoint'
  67. end
  68. end
  69. context 'when accessed through the API' do
  70. let(:throttle) { 'throttle_api_sign_up' }
  71. let(:limit) { 5 }
  72. let(:period) { 30.minutes }
  73. let(:request) { -> { post path, headers: { 'REMOTE_ADDR' => remote_ip } } }
  74. context 'with exact path' do
  75. let(:path) { '/api/v1/accounts' }
  76. it_behaves_like 'throttled endpoint'
  77. end
  78. context 'with path with format' do
  79. let(:path) { '/api/v1/accounts.json' }
  80. it 'returns http not found' do
  81. request.call
  82. expect(response).to have_http_status(404)
  83. end
  84. end
  85. end
  86. end
  87. describe 'throttle excessive sign-in requests by IP address' do
  88. let(:throttle) { 'throttle_login_attempts/ip' }
  89. let(:limit) { 25 }
  90. let(:period) { 5.minutes }
  91. let(:request) { -> { post path, headers: { 'REMOTE_ADDR' => remote_ip } } }
  92. context 'with exact path' do
  93. let(:path) { '/auth/sign_in' }
  94. it_behaves_like 'throttled endpoint'
  95. end
  96. context 'with path with format' do
  97. let(:path) { '/auth/sign_in.html' }
  98. it_behaves_like 'throttled endpoint'
  99. end
  100. end
  101. end