# frozen_string_literal: true
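describe Rack::Attack, type: :request do
  # Request spec for the sign-in throttle: Rack::Attack should answer 429 once a
  # single client IP has exceeded `limit` attempts within `period` seconds, and
  # should not throttle an IP that IPService reports as trusted.
  #
  # NOTE(review): `limit` / `period` are assumed to mirror the throttle settings
  # in the Rack::Attack initializer (not visible here) — confirm they stay in sync.
  let(:limit) { 5 }
  let(:period) { 20 }
  let(:ip) { "1.2.3.4" }

  before(:each) do
    # Remember the previous flag so the after hook can restore it rather than
    # forcing 'false' onto suites that enabled Rack::Attack themselves.
    @previous_rack_attack_flag = ENV['RACK_ATTACK_ENABLE']
    ENV['RACK_ATTACK_ENABLE'] = 'true'
    setup_rack_attack_cache_store
    avoid_test_overlaps_in_cache
  end

  after do
    # Assigning nil removes the key, so an unset flag stays unset.
    ENV['RACK_ATTACK_ENABLE'] = @previous_rack_attack_flag
    restore_rack_attack_cache_store
  end

  # Give Rack::Attack a private in-memory counter store for this example so
  # throttle state can neither leak into nor be read from other specs.
  # The previous store is kept so the after hook can put it back.
  def setup_rack_attack_cache_store
    @original_rack_attack_store = Rack::Attack.cache.store
    Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
  end

  # Reinstate whatever store was configured before this example ran; a no-op
  # when the before hook failed before saving it.
  def restore_rack_attack_cache_store
    return unless instance_variable_defined?(:@original_rack_attack_store)

    Rack::Attack.cache.store = @original_rack_attack_store
  end

  # Drop any application-cache entries a previous example may have left behind.
  def avoid_test_overlaps_in_cache
    Rails.cache.clear
  end

  context '/users/sign_in' do
    # Pre-fill the counter up to `limit` so the request under test is the first
    # one over the line. The key presumably mirrors the throttle's own
    # name:discriminator key for this IP — verify against the initializer if the
    # throttle is renamed.
    before do
      limit.times { Rack::Attack.cache.count("/users/sign_in/ip:#{ip}", period) }
    end

    # The client IP is supplied via X-Forwarded-For here. Outside the test
    # environment that header is only trustworthy when the app sits behind a
    # proxy that overwrites it; otherwise the throttle key is client-chosen.
    subject { post "/users/sign_in", headers: { 'X-Forwarded-For': ip } }

    it "throttle excessive requests by IP address" do
      subject
      expect(response).to have_http_status(:too_many_requests)
    end

    context 'when the ip is whitelisted' do
      before do
        # Force the trusted-IP check to pass; the controller action is stubbed
        # out as well so the example does not depend on real credentials.
        allow(IPService).to receive(:ip_trusted?).and_return(true)
        allow_any_instance_of(Users::SessionsController).to receive(:create).and_return(:ok)
      end

      it "respects the whitelist" do
        subject
        # Only the absence of 429 is asserted: the stubbed action renders
        # nothing, so the exact success status depends on Rails' implicit render.
        expect(response).not_to have_http_status(:too_many_requests)
      end
    end
  end
end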