|
|
@ -12,8 +12,11 @@ describe "Rack::Attack" do |
|
|
|
let(:devise_notify_mailer) { DeviseNotifyMailer.new } |
|
|
|
let(:devise_notify_mailer) { DeviseNotifyMailer.new } |
|
|
|
|
|
|
|
|
|
|
|
let(:params) { { user: { email: } } } |
|
|
|
let(:params) { { user: { email: } } } |
|
|
|
|
|
|
|
let(:admin_params) { { admin_user: { email: admin_email } } } |
|
|
|
let(:user) { FactoryBot.create(:user) } |
|
|
|
let(:user) { FactoryBot.create(:user) } |
|
|
|
|
|
|
|
let(:admin_user) { FactoryBot.create(:admin_user) } |
|
|
|
let(:email) { user.email } |
|
|
|
let(:email) { user.email } |
|
|
|
|
|
|
|
let(:admin_email) { admin_user.email } |
|
|
|
|
|
|
|
|
|
|
|
before do |
|
|
|
before do |
|
|
|
Rack::Attack.enabled = true |
|
|
|
Rack::Attack.enabled = true |
|
|
@ -29,7 +32,7 @@ describe "Rack::Attack" do |
|
|
|
|
|
|
|
|
|
|
|
context "when a password reset is requested" do |
|
|
|
context "when a password reset is requested" do |
|
|
|
context "when the number of requests is under the throttle limit" do |
|
|
|
context "when the number of requests is under the throttle limit" do |
|
|
|
it "does not throttle" do |
|
|
|
it "does not throttle for a regular user" do |
|
|
|
under_limit.times do |
|
|
|
under_limit.times do |
|
|
|
post "/account/password", params: params |
|
|
|
post "/account/password", params: params |
|
|
|
follow_redirect! |
|
|
|
follow_redirect! |
|
|
@ -37,13 +40,42 @@ describe "Rack::Attack" do |
|
|
|
last_response = response |
|
|
|
last_response = response |
|
|
|
expect(last_response.status).to eq(200) |
|
|
|
expect(last_response.status).to eq(200) |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "does not throttle for an admin user" do |
|
|
|
|
|
|
|
under_limit.times do |
|
|
|
|
|
|
|
post "/admin/password", params: admin_params |
|
|
|
|
|
|
|
follow_redirect! |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
last_response = response |
|
|
|
|
|
|
|
expect(last_response.status).to eq(200) |
|
|
|
|
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
context "when the number of requests is at the throttle limit" do |
|
|
|
context "when the number of requests is at the throttle limit" do |
|
|
|
it "does not throttle" do |
|
|
|
it "does not throttle for a regular user" do |
|
|
|
|
|
|
|
limit.times do |
|
|
|
|
|
|
|
post "/account/password", params: params |
|
|
|
|
|
|
|
follow_redirect! |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
last_response = response |
|
|
|
|
|
|
|
expect(last_response.status).to eq(200) |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "does not throttle for an admin user" do |
|
|
|
|
|
|
|
limit.times do |
|
|
|
|
|
|
|
post "/admin/password", params: admin_params |
|
|
|
|
|
|
|
follow_redirect! |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
last_response = response |
|
|
|
|
|
|
|
expect(last_response.status).to eq(200) |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "does not throttle if both endpoints are hit" do |
|
|
|
limit.times do |
|
|
|
limit.times do |
|
|
|
post "/account/password", params: params |
|
|
|
post "/account/password", params: params |
|
|
|
follow_redirect! |
|
|
|
follow_redirect! |
|
|
|
|
|
|
|
post "/admin/password", params: admin_params |
|
|
|
|
|
|
|
follow_redirect! |
|
|
|
end |
|
|
|
end |
|
|
|
last_response = response |
|
|
|
last_response = response |
|
|
|
expect(last_response.status).to eq(200) |
|
|
|
expect(last_response.status).to eq(200) |
|
|
@ -51,7 +83,7 @@ describe "Rack::Attack" do |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
context "when the number of requests is over the throttle limit" do |
|
|
|
context "when the number of requests is over the throttle limit" do |
|
|
|
it "throttles" do |
|
|
|
it "throttles for a regular user" do |
|
|
|
over_limit.times do |
|
|
|
over_limit.times do |
|
|
|
post "/account/password", params: params |
|
|
|
post "/account/password", params: params |
|
|
|
follow_redirect! |
|
|
|
follow_redirect! |
|
|
@ -59,6 +91,15 @@ describe "Rack::Attack" do |
|
|
|
last_response = response |
|
|
|
last_response = response |
|
|
|
expect(last_response.status).to eq(429) |
|
|
|
expect(last_response.status).to eq(429) |
|
|
|
end |
|
|
|
end |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
it "throttles for an admin user" do |
|
|
|
|
|
|
|
over_limit.times do |
|
|
|
|
|
|
|
post "/admin/password", params: admin_params |
|
|
|
|
|
|
|
follow_redirect! |
|
|
|
|
|
|
|
end |
|
|
|
|
|
|
|
last_response = response |
|
|
|
|
|
|
|
expect(last_response.status).to eq(429) |
|
|
|
|
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
end |
|
|
|
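Review bot: The new example `does not throttle if both endpoints are hit` cannot show which key the throttle counts on, because `email` and `admin_email` come from two different factory records, so it passes whether counters are kept per path or per address. The throttle rule is not part of this diff, so the intended discriminator should be stated above the example, e.g. `# counters are per endpoint: limit requests to each path must not trip either`. If per-endpoint counting is the intent, posting the same address to both paths would pin it down. An over-limit variant of the combined example would also confirm that traffic to one path does not affect the other path's counter. The single `expect` after the loop reads only the final admin response, so `expect(response).to have_http_status(:ok)` after each `follow_redirect!` would cover both paths explicitly.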