
Add rack attack config for reset password

pull/356/head
Kat 3 years ago
parent
commit
2d1cd8442f
  1. 8
      config/initializers/rack_attack.rb
  2. 39
      spec/requests/rack_attack_spec.rb

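--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -0,0 +1,8 @@
+Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+Rack::Attack.enabled = false
+Rack::Attack.throttle("password reset requests", limit: 5, period: 60.seconds) do |request|
+if request.params["user"].present? && request.path == "/users/password" && request.post?
+request.params["user"]["email"].to_s.downcase.gsub(/\s+/, "")
+end
+end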
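Review bot: `Rack::Attack.enabled = false` on the second line of the initializer switches the middleware off in every environment, so the `throttle` defined directly below it never fires outside the spec, which has to re-enable it in its `before` block. If the intent is to keep it quiet only under test, scope that line, e.g. `Rack::Attack.enabled = !Rails.env.test?`, and let the spec flip it on as it already does. Two limits of this configuration also deserve a comment in the file: `ActiveSupport::Cache::MemoryStore` keeps its counters per process, so with several app processes each one hands out its own budget of 5 per minute, and the discriminator is the normalised email alone, so a client that varies the address is never slowed down — a second throttle keyed on `request.ip` would cover that gap.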

39
spec/requests/rack_attack_spec.rb

@ -11,20 +11,24 @@ describe "Rack::Attack" do
let(:notify_client) { instance_double(Notifications::Client) }
let(:devise_notify_mailer) { DeviseNotifyMailer.new }
let(:params) { { user: { email: } } }
let(:user) { FactoryBot.create(:user) }
let(:email) { user.email }
before do
Rack::Attack.enabled = false
Rack::Attack.enabled = true
allow(DeviseNotifyMailer).to receive(:new).and_return(devise_notify_mailer)
allow(devise_notify_mailer).to receive(:notify_client).and_return(notify_client)
allow(notify_client).to receive(:send_email).and_return(true)
end
context "when a regular user" do
let(:params) { { user: { email: } } }
context "when a password reset is requested for a valid email" do
let(:user) { FactoryBot.create(:user) }
let(:email) { user.email }
after do
Rack::Attack.enabled = false
Rack::Attack.reset!
end
context "when a password reset is requested" do
context "when the number of requests is under the throttle limit" do
it "does not throttle" do
under_limit.times do
post "/users/password", params: params
@ -34,5 +38,26 @@ describe "Rack::Attack" do
expect(last_response.status).to eq(200)
end
end
context "when the number of requests is at the throttle limit" do
it "does not throttle" do
limit.times do
post "/users/password", params: params
follow_redirect!
end
last_response = response
expect(last_response.status).to eq(200)
end
end
context "when the number of requests is over the throttle limit" do
it "throttles" do
over_limit.times do
post "/users/password", params: params
end
last_response = response
expect(last_response.status).to eq(429)
end
end
end
end
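Review bot: In the new "at the throttle limit" and "over the throttle limit" examples the local `last_response = response` shadows the `last_response` helper that rack-test provides, which is confusing in a request spec; asserting on `response.status` directly avoids the shadowing. The 200 assertion in the at-limit example also holds only because `follow_redirect!` runs inside the loop, while the over-limit example asserts on the raw POST; asserting `expect(response.status).not_to eq(429)` for the non-throttled cases states the intent directly and makes the examples symmetric. Nothing here checks that the counter is keyed per email — an example posting more than `limit` times spread across two different addresses and expecting no 429 would pin that behaviour. `under_limit`, `limit`, `over_limit` and the enclosing `describe` block are defined outside the hunk.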
