discourse/spec/multisite/request_tracker_spec.rb

# frozen_string_literal: true

RSpec.describe "RequestTracker in multisite", type: :multisite do
  before do
    global_setting :skip_per_ip_rate_limit_trust_level, 2

    RateLimiter.enable
    RateLimiter.clear_all_global!
  end

  use_redis_snapshotting

  def call(env, &block)
    Middleware::RequestTracker.new(block).call(env)
  end

  def create_env(opts)
    create_request_env.merge(opts)
  end

  shared_examples "ip rate limiters behavior" do |error_code, app_callback|
    it "applies rate limits on an IP address across all sites" do
      called = { default: 0, second: 0 }
      test_multisite_connection("default") do
        env = create_env("REMOTE_ADDR" => "123.10.71.4")
        status, =
          call(env) do
            called[:default] += 1
            app_callback&.call(env)
            [200, {}, ["OK"]]
          end
        expect(status).to eq(200)

        env = create_env("REMOTE_ADDR" => "123.10.71.4")
        status, headers =
          call(env) do
            called[:default] += 1
            app_callback&.call(env)
            [200, {}, ["OK"]]
          end
        expect(status).to eq(429)
        expect(headers["Discourse-Rate-Limit-Error-Code"]).to eq(error_code)
        expect(called[:default]).to eq(1)
      end

      test_multisite_connection("second") do
        env = create_env("REMOTE_ADDR" => "123.10.71.4")
        status, headers =
          call(env) do
            called[:second] += 1
            app_callback&.call(env)
            [200, {}, ["OK"]]
          end
        expect(status).to eq(429)
        expect(headers["Discourse-Rate-Limit-Error-Code"]).to eq(error_code)
        expect(called[:second]).to eq(0)
      end
    end
  end

  shared_examples "user id rate limiters behavior" do |error_code, app_callback|
    it "does not leak rate limits for a user id to other sites" do
      cookie = create_auth_cookie(token: SecureRandom.hex, user_id: 1, trust_level: 2)
      called = { default: 0, second: 0 }
      test_multisite_connection("default") do
        env = create_env("REMOTE_ADDR" => "123.10.71.4", "HTTP_COOKIE" => "_t=#{cookie}")
        status, =
          call(env) do
            called[:default] += 1
            app_callback&.call(env)
            [200, {}, ["OK"]]
          end
        expect(status).to eq(200)

        env = create_env("REMOTE_ADDR" => "123.10.71.4", "HTTP_COOKIE" => "_t=#{cookie}")
        status, headers, =
          call(env) do
            called[:default] += 1
            app_callback&.call(env)
            [200, {}, ["OK"]]
          end
        expect(status).to eq(429)
        expect(headers["Discourse-Rate-Limit-Error-Code"]).to eq(error_code)
        expect(called[:default]).to eq(1)
      end

      test_multisite_connection("second") do
        env = create_env("REMOTE_ADDR" => "123.10.71.4", "HTTP_COOKIE" => "_t=#{cookie}")
        status, =
          call(env) do
            called[:second] += 1
            app_callback&.call(env)
            [200, {}, ["OK"]]
          end
        expect(status).to eq(200)

        env = create_env("REMOTE_ADDR" => "123.10.71.4", "HTTP_COOKIE" => "_t=#{cookie}")
        status, headers, =
          call(env) do
            called[:second] += 1
            app_callback&.call(env)
            [200, {}, ["OK"]]
          end
        expect(status).to eq(429)
        expect(headers["Discourse-Rate-Limit-Error-Code"]).to eq(error_code)
        expect(called[:second]).to eq(1)
      end
    end
  end

  context "with a 10 seconds limiter" do
    before { global_setting :max_reqs_per_ip_per_10_seconds, 1 }

    include_examples "ip rate limiters behavior", "ip_10_secs_limit"
    include_examples "user id rate limiters behavior", "id_10_secs_limit"
  end

  context "with a 60 seconds limiter" do
    before { global_setting :max_reqs_per_ip_per_minute, 1 }

    include_examples "ip rate limiters behavior", "ip_60_secs_limit"
    include_examples "user id rate limiters behavior", "id_60_secs_limit"
  end

  context "with assets 10 seconds limiter" do
    before { global_setting :max_asset_reqs_per_ip_per_10_seconds, 1 }

    app_callback = ->(env) { env["DISCOURSE_IS_ASSET_PATH"] = true }
    include_examples "ip rate limiters behavior", "ip_assets_10_secs_limit", app_callback
    include_examples "user id rate limiters behavior", "id_assets_10_secs_limit", app_callback
  end
end