To eliminate a DDoS attack vector, we're taking the following measures: the endpoint is rate-limited to 3 requests every 60 seconds (per user); a 24-hour max-age cache header is sent with the response; the route is hijacked so the certificate is generated in the background.
# frozen_string_literal: true
require 'rails_helper'
# Request spec for the Discobot certificate SVG endpoint.
#
# Access-control expectations pinned here:
#   * an anonymous request gets a 404 (not a 403), so the endpoint's existence
#     is not advertised to unauthenticated clients;
#   * a signed-in user gets a 200 once the outbound image fetches are stubbed;
#   * dropping any required query parameter yields a 400.
#
# NOTE(review): the commit introducing this spec describes a per-user rate
# limit (3 requests / 60 s) and a 24-hour max-age Cache-Control header on the
# response. Neither is asserted below; both are the DoS mitigations for this
# endpoint, so confirm they are covered elsewhere or extend this spec.
describe "Discobot Certificate" do
  let(:user) { Fabricate(:user, name: 'Jeff Atwood') }

  # Query string sent to the endpoint; every key here is required by the route
  # (see the "params are missing" examples).
  let(:params) do
    { date: Time.zone.now.strftime("%b %d %Y"), user_id: user.id }
  end

  context 'when viewing the certificate' do
    context 'when no logged in' do
      it 'should return the right response' do
        get '/discobot/certificate.svg', params: params
        expect(response.status).to eq(404)
      end
    end

    context 'when logged in' do
      before { sign_in(user) }

      it 'should return the right text' do
        # Outbound image fetches (avatar proxy, avatar, site logo) are stubbed
        # so the example never reaches the network.
        stub_request(:get, /letter_avatar_proxy/)
          .to_return(status: 200, body: 'http://test.localhost/cdn/avatar.png')
        stub_request(:get, /avatar.png/).to_return(status: 200)
        stub_request(:get, SiteSetting.site_logo_small_url).to_return(status: 200)

        get '/discobot/certificate.svg', params: params
        expect(response.status).to eq(200)
      end

      context 'when params are missing' do
        it "should raise the right errors" do
          # Each required key is removed in turn; the endpoint must reject every
          # incomplete request with a client error rather than a 500.
          params.each_key do |missing|
            get '/discobot/certificate.svg', params: params.except(missing)
            expect(response.status).to eq(400)
          end
        end
      end
    end
  end
end