... ... @@ -20,6 +20,7 @@ describe 'Rack Attack global throttles' do
}
end
let ( :request_method ) { 'GET' }
let ( :requests_per_period ) { 1 }
let ( :period_in_seconds ) { 10000 }
let ( :period ) { period_in_seconds . seconds }
... ... @@ -141,15 +142,15 @@ describe 'Rack Attack global throttles' do
let ( :api_partial_url ) { '/todos' }
context 'with the token in the query string' do
let ( :ge t_args ) { [ api ( api_partial_url , personal_access_token: token )] }
let ( :other_user_ge t_args ) { [ api ( api_partial_url , personal_access_token: other_user_token )] }
let ( :reques t_args ) { [ api ( api_partial_url , personal_access_token: token )] }
let ( :other_user_reques t_args ) { [ api ( api_partial_url , personal_access_token: other_user_token )] }
it_behaves_like 'rate-limited token-authenticated requests'
end
context 'with the token in the headers' do
let ( :ge t_args ) { api_get_args_with_token_headers ( api_partial_url , personal_access_token_headers ( token )) }
let ( :other_user_ge t_args ) { api_get_args_with_token_headers ( api_partial_url , personal_access_token_headers ( other_user_token )) }
let ( :reques t_args ) { api_get_args_with_token_headers ( api_partial_url , personal_access_token_headers ( token )) }
let ( :other_user_reques t_args ) { api_get_args_with_token_headers ( api_partial_url , personal_access_token_headers ( other_user_token )) }
it_behaves_like 'rate-limited token-authenticated requests'
end
... ... @@ -168,15 +169,15 @@ describe 'Rack Attack global throttles' do
let ( :api_partial_url ) { '/todos' }
context 'with the token in the query string' do
let ( :ge t_args ) { [ api ( api_partial_url , oauth_access_token: token )] }
let ( :other_user_ge t_args ) { [ api ( api_partial_url , oauth_access_token: other_user_token )] }
let ( :reques t_args ) { [ api ( api_partial_url , oauth_access_token: token )] }
let ( :other_user_reques t_args ) { [ api ( api_partial_url , oauth_access_token: other_user_token )] }
it_behaves_like 'rate-limited token-authenticated requests'
end
context 'with the token in the headers' do
let ( :ge t_args ) { api_get_args_with_token_headers ( api_partial_url , oauth_token_headers ( token )) }
let ( :other_user_ge t_args ) { api_get_args_with_token_headers ( api_partial_url , oauth_token_headers ( other_user_token )) }
let ( :reques t_args ) { api_get_args_with_token_headers ( api_partial_url , oauth_token_headers ( token )) }
let ( :other_user_reques t_args ) { api_get_args_with_token_headers ( api_partial_url , oauth_token_headers ( other_user_token )) }
it_behaves_like 'rate-limited token-authenticated requests'
end
... ... @@ -188,8 +189,8 @@ describe 'Rack Attack global throttles' do
let ( :throttle_setting_prefix ) { 'throttle_authenticated_web' }
context 'with the token in the query string' do
let ( :ge t_args ) { [ rss_url ( user ), params: nil ] }
let ( :other_user_ge t_args ) { [ rss_url ( other_user ), params: nil ] }
let ( :reques t_args ) { [ rss_url ( user ), params: nil ] }
let ( :other_user_reques t_args ) { [ rss_url ( other_user ), params: nil ] }
it_behaves_like 'rate-limited token-authenticated requests'
end
... ... @@ -204,10 +205,13 @@ describe 'Rack Attack global throttles' do
end
describe 'protected paths' do
let ( :request_method ) { 'POST' }
context 'unauthenticated requests' do
let ( :protected_path_that_does_not_require_authentication ) do
'/users/confirmatio n'
'/users/sign_i n'
end
let ( :post_params ) { { user: { login: 'username' , password: 'password' } } }
before do
settings_to_set [ :throttle_protected_paths_requests_per_period ] = requests_per_period # 1
... ... @@ -222,7 +226,7 @@ describe 'Rack Attack global throttles' do
it 'allows requests over the rate limit' do
( 1 + requests_per_period ). times do
ge t protected_path_that_does_not_require_authentication
pos t protected_path_that_does_not_require_authentication , params: post_params
expect ( response ). to have_http_status 200
end
end
... ... @@ -236,11 +240,11 @@ describe 'Rack Attack global throttles' do
it 'rejects requests over the rate limit' do
requests_per_period . times do
ge t protected_path_that_does_not_require_authentication
pos t protected_path_that_does_not_require_authentication , params: post_params
expect ( response ). to have_http_status 200
end
expect_rejection { ge t protected_path_that_does_not_require_authentication }
expect_rejection { pos t protected_path_that_does_not_require_authentication , params: post_params }
end
context 'when Omnibus throttle is present' do
... ... @@ -251,7 +255,7 @@ describe 'Rack Attack global throttles' do
it 'allows requests over the rate limit' do
( 1 + requests_per_period ). times do
ge t protected_path_that_does_not_require_authentication
pos t protected_path_that_does_not_require_authentication , params: post_params
expect ( response ). to have_http_status 200
end
end
... ... @@ -265,11 +269,11 @@ describe 'Rack Attack global throttles' do
let ( :other_user ) { create ( :user ) }
let ( :other_user_token ) { create ( :personal_access_token , user: other_user ) }
let ( :throttle_setting_prefix ) { 'throttle_protected_paths' }
let ( :api_partial_url ) { '/users' }
let ( :api_partial_url ) { '/user/email s' }
let ( :protected_paths ) do
[
'/api/v4/users'
'/api/v4/user/email s'
]
end
... ... @@ -279,22 +283,22 @@ describe 'Rack Attack global throttles' do
end
context 'with the token in the query string' do
let ( :ge t_args ) { [ api ( api_partial_url , personal_access_token: token )] }
let ( :other_user_ge t_args ) { [ api ( api_partial_url , personal_access_token: other_user_token )] }
let ( :reques t_args ) { [ api ( api_partial_url , personal_access_token: token )] }
let ( :other_user_reques t_args ) { [ api ( api_partial_url , personal_access_token: other_user_token )] }
it_behaves_like 'rate-limited token-authenticated requests'
end
context 'with the token in the headers' do
let ( :ge t_args ) { api_get_args_with_token_headers ( api_partial_url , personal_access_token_headers ( token )) }
let ( :other_user_ge t_args ) { api_get_args_with_token_headers ( api_partial_url , personal_access_token_headers ( other_user_token )) }
let ( :reques t_args ) { api_get_args_with_token_headers ( api_partial_url , personal_access_token_headers ( token )) }
let ( :other_user_reques t_args ) { api_get_args_with_token_headers ( api_partial_url , personal_access_token_headers ( other_user_token )) }
it_behaves_like 'rate-limited token-authenticated requests'
end
context 'when Omnibus throttle is present' do
let ( :ge t_args ) { [ api ( api_partial_url , personal_access_token: token )] }
let ( :other_user_ge t_args ) { [ api ( api_partial_url , personal_access_token: other_user_token )] }
let ( :reques t_args ) { [ api ( api_partial_url , personal_access_token: token )] }
let ( :other_user_reques t_args ) { [ api ( api_partial_url , personal_access_token: other_user_token )] }
before do
settings_to_set [ :" #{ throttle_setting_prefix } _requests_per_period" ] = requests_per_period
... ... @@ -308,8 +312,8 @@ describe 'Rack Attack global throttles' do
it 'allows requests over the rate limit' do
( 1 + requests_per_period ). times do
get ( * ge t_args)
expect ( response ). to have_http_status 200
post ( * reques t_args)
expect ( response ). not_ to have_http_status 429
end
end
end
... ... @@ -318,7 +322,7 @@ describe 'Rack Attack global throttles' do
describe 'web requests authenticated with regular login' do
let ( :throttle_setting_prefix ) { 'throttle_protected_paths' }
let ( :user ) { create ( :user ) }
let ( :url_that_requires_authentication ) { '/dashboard/snippets ' }
let ( :url_that_requires_authentication ) { '/users/confirmation ' }
let ( :protected_paths ) do
[
... ... @@ -348,8 +352,8 @@ describe 'Rack Attack global throttles' do
it 'allows requests over the rate limit' do
( 1 + requests_per_period ). times do
ge t url_that_requires_authentication
expect ( response ). to have_http_status 200
pos t url_that_requires_authentication
expect ( response ). not_ to have_http_status 429
end
end
end
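Review bot: The loosened assertion `expect(response).not_to have_http_status 429` after `post(*request_args)` (and again in the final hunk after `post url_that_requires_authentication`) accepts any non-throttled status, so a POST that is turned away by authentication or parameter validation — plausibly a 401, or a 400 from `/api/v4/user/emails` when no body is sent — still passes, which no longer demonstrates that an authenticated request was let through. If a 4xx is the expected outcome for these bodiless POSTs, a comment would keep the intent legible, e.g. `# The endpoint may reject the empty POST; only the absence of a 429 throttle response is under test`; otherwise adding `expect(response).not_to have_http_status 401` next to it would preserve the "authenticated" half of the claim. Separately, `let(:url_that_requires_authentication) { '/users/confirmation' }` now names the same path this commit removed from `protected_path_that_does_not_require_authentication`, so the let name reads as contradicting itself and deserves a rename or a comment explaining why that path is treated as requiring authentication here. The enclosing describe blocks start outside the hunks.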