mirror of
https://github.com/discourse/discourse.git
synced 2024-12-02 09:53:45 +08:00
d04ba4b3b2
* DEPRECATION: Remove support for api creds in query params
This commit removes support for api credentials in query params except
for a few whitelisted routes like rss/json feeds and the handle_mail
route.
Several tests were written to valid these changes, but the bulk of the
spec changes are just switching them over to use header based auth so
that they will pass without changing what they were actually testing.
Original commit that notified admins this change was coming was created
over 3 months ago: 2db2003187
* fix tests
* Also allow iCalendar feeds
Co-authored-by: Rafael dos Santos Silva <xfalcox@gmail.com>
83 lines
2.0 KiB
Ruby
83 lines
2.0 KiB
Ruby
# encoding: UTF-8
|
|
# frozen_string_literal: true
|
|
|
|
require 'rails_helper'
|
|
|
|
describe 'rate limiter integration' do
|
|
|
|
before do
|
|
RateLimiter.enable
|
|
RateLimiter.clear_all!
|
|
end
|
|
|
|
after do
|
|
RateLimiter.disable
|
|
end
|
|
|
|
it "will rate limit message bus requests once queueing" do
|
|
freeze_time
|
|
|
|
global_setting :reject_message_bus_queue_seconds, 0.1
|
|
|
|
post "/message-bus/#{SecureRandom.hex}/poll", headers: {
|
|
"HTTP_X_REQUEST_START" => "t=#{Time.now.to_f - 0.2}"
|
|
}
|
|
|
|
expect(response.status).to eq(429)
|
|
expect(response.headers['Retry-After']).to be > 29
|
|
end
|
|
|
|
it "will not rate limit when all is good" do
|
|
freeze_time
|
|
|
|
global_setting :reject_message_bus_queue_seconds, 0.1
|
|
|
|
post "/message-bus/#{SecureRandom.hex}/poll", headers: {
|
|
"HTTP_X_REQUEST_START" => "t=#{Time.now.to_f - 0.05}"
|
|
}
|
|
|
|
expect(response.status).to eq(200)
|
|
end
|
|
|
|
it "will clear the token cookie if invalid" do
|
|
name = Auth::DefaultCurrentUserProvider::TOKEN_COOKIE
|
|
|
|
# we try 11 times because the rate limit is 10
|
|
11.times {
|
|
cookies[name] = SecureRandom.hex
|
|
get '/categories.json'
|
|
expect(response.cookies.has_key?(name)).to eq(true)
|
|
expect(response.cookies[name]).to be_nil
|
|
}
|
|
end
|
|
|
|
it 'can cleanly limit requests and sets a Retry-After header' do
|
|
freeze_time
|
|
#request.set_header("action_dispatch.show_exceptions", true)
|
|
|
|
admin = Fabricate(:admin)
|
|
api_key = Fabricate(:api_key, user: admin)
|
|
|
|
global_setting :max_admin_api_reqs_per_key_per_minute, 1
|
|
|
|
get '/admin/api/keys.json', headers: {
|
|
HTTP_API_KEY: api_key.key,
|
|
HTTP_API_USERNAME: admin.username
|
|
}
|
|
|
|
expect(response.status).to eq(200)
|
|
|
|
get '/admin/api/keys.json', headers: {
|
|
HTTP_API_KEY: api_key.key,
|
|
HTTP_API_USERNAME: admin.username
|
|
}
|
|
|
|
expect(response.status).to eq(429)
|
|
|
|
data = JSON.parse(response.body)
|
|
|
|
expect(response.headers['Retry-After']).to eq(60)
|
|
expect(data["extras"]["wait_seconds"]).to eq(60)
|
|
end
|
|
end
|