From 4d44729f50bf76b1747a787ab79edc9196f1bb79 Mon Sep 17 00:00:00 2001 From: kosiakkatrina <54268893+kosiakkatrina@users.noreply.github.com> Date: Mon, 28 Mar 2022 12:01:28 +0100 Subject: [PATCH] Throttle admin password reset (#429) --- config/initializers/rack_attack.rb | 6 ++++ spec/requests/rack_attack_spec.rb | 47 ++++++++++++++++++++++++++++-- 2 files changed, 50 insertions(+), 3 deletions(-) diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb index 6f1335293..e130adc50 100644 --- a/config/initializers/rack_attack.rb +++ b/config/initializers/rack_attack.rb @@ -14,6 +14,12 @@ Rack::Attack.throttle("password reset requests", limit: 5, period: 60.seconds) d end end +Rack::Attack.throttle("admin password reset requests", limit: 5, period: 60.seconds) do |request| + if request.params["admin_user"].present? && request.path == "/admin/password" && request.post? + request.params["admin_user"]["email"].to_s.downcase.gsub(/\s+/, "") + end +end + Rack::Attack.throttled_responder = lambda do |_env| headers = { "Location" => "/429", diff --git a/spec/requests/rack_attack_spec.rb b/spec/requests/rack_attack_spec.rb index b030feb14..a7d4bd34c 100644 --- a/spec/requests/rack_attack_spec.rb +++ b/spec/requests/rack_attack_spec.rb @@ -12,8 +12,11 @@ describe "Rack::Attack" do let(:devise_notify_mailer) { DeviseNotifyMailer.new } let(:params) { { user: { email: } } } + let(:admin_params) { { admin_user: { email: admin_email } } } let(:user) { FactoryBot.create(:user) } + let(:admin_user) { FactoryBot.create(:admin_user) } let(:email) { user.email } + let(:admin_email) { admin_user.email } before do Rack::Attack.enabled = true @@ -29,7 +32,7 @@ describe "Rack::Attack" do context "when a password reset is requested" do context "when the number of requests is under the throttle limit" do - it "does not throttle" do + it "does not throttle for a regular user" do under_limit.times do post "/account/password", params: params follow_redirect! @@ -37,13 +40,42 @@ describe "Rack::Attack" do last_response = response expect(last_response.status).to eq(200) end + + it "does not throttle for an admin user" do + under_limit.times do + post "/admin/password", params: admin_params + follow_redirect! + end + last_response = response + expect(last_response.status).to eq(200) + end end context "when the number of requests is at the throttle limit" do - it "does not throttle" do + it "does not throttle for a regular user" do + limit.times do + post "/account/password", params: params + follow_redirect! + end + last_response = response + expect(last_response.status).to eq(200) + end + + it "does not throttle for an admin user" do + limit.times do + post "/admin/password", params: admin_params + follow_redirect! + end + last_response = response + expect(last_response.status).to eq(200) + end + + it "does not throttle if both endpoints are hit" do limit.times do post "/account/password", params: params follow_redirect! + post "/admin/password", params: admin_params + follow_redirect! end last_response = response expect(last_response.status).to eq(200) @@ -51,7 +83,7 @@ describe "Rack::Attack" do end context "when the number of requests is over the throttle limit" do - it "throttles" do + it "throttles for a regular user" do over_limit.times do post "/account/password", params: params follow_redirect! @@ -59,6 +91,15 @@ describe "Rack::Attack" do last_response = response expect(last_response.status).to eq(429) end + + it "throttles for an admin user" do + over_limit.times do + post "/admin/password", params: admin_params + follow_redirect! + end + last_response = response + expect(last_response.status).to eq(429) + end end end end