discourse/spec/integration/rate_limiting_spec.rb
Sam Saffron 1f47ed1ea3 PERF: message_bus will be deferred by server when flooded
The message_bus performs a fair amount of work prior to hijacking requests
this change ensures that if there is a situation where the server is flooded
message_bus will inform client to back off for 30 seconds + random(120 secs)

This back-off is ultra cheap and happens very early in the middleware.

It corrects a situation where a flood to message bus could cause the app
to become unresponsive

MessageBus update is here to ensure message_bus gem properly respects
Retry-After header and status 429.

Under normal state this code should never trigger, to disable raise the
value of DISCOURSE_REJECT_MESSAGE_BUS_QUEUE_SECONDS, default is to tell
message bus to go away if we are queueing for 100ms or longer
2019-08-09 17:48:01 +10:00

83 lines
2.0 KiB
Ruby

# encoding: UTF-8
# frozen_string_literal: true
require 'rails_helper'
describe 'rate limiter integration' do
before do
RateLimiter.enable
RateLimiter.clear_all!
end
after do
RateLimiter.disable
end
it "will rate limit message bus requests once queueing" do
freeze_time
global_setting :reject_message_bus_queue_seconds, 0.1
post "/message-bus/#{SecureRandom.hex}/poll", headers: {
"HTTP_X_REQUEST_START" => "t=#{Time.now.to_f - 0.2}"
}
expect(response.status).to eq(429)
expect(response.headers['Retry-After']).to be > 29
end
it "will not rate limit when all is good" do
freeze_time
global_setting :reject_message_bus_queue_seconds, 0.1
post "/message-bus/#{SecureRandom.hex}/poll", headers: {
"HTTP_X_REQUEST_START" => "t=#{Time.now.to_f - 0.05}"
}
expect(response.status).to eq(200)
end
it "will clear the token cookie if invalid" do
name = Auth::DefaultCurrentUserProvider::TOKEN_COOKIE
# we try 11 times because the rate limit is 10
11.times {
cookies[name] = SecureRandom.hex
get '/categories.json'
expect(response.cookies.has_key?(name)).to eq(true)
expect(response.cookies[name]).to be_nil
}
end
it 'can cleanly limit requests and sets a Retry-After header' do
freeze_time
#request.set_header("action_dispatch.show_exceptions", true)
admin = Fabricate(:admin)
api_key = Fabricate(:api_key, key: SecureRandom.hex, user: admin)
global_setting :max_admin_api_reqs_per_key_per_minute, 1
get '/admin/api/keys.json', params: {
api_key: api_key.key,
api_username: admin.username
}
expect(response.status).to eq(200)
get '/admin/api/keys.json', params: {
api_key: api_key.key,
api_username: admin.username
}
expect(response.status).to eq(429)
data = JSON.parse(response.body)
expect(response.headers['Retry-After']).to eq(60)
expect(data["extras"]["wait_seconds"]).to eq(60)
end
end