server/tests/api/server/reverse-proxy.ts

   1 /* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */
   2
   3 import { expect } from 'chai'
   4 import { wait } from '@shared/core-utils'
   5 import { HttpStatusCode } from '@shared/models'
   6 import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers } from '@shared/server-commands'
   7
   8 describe('Test application behind a reverse proxy', function () {
   9   let server: PeerTubeServer
  10   let userAccessToken: string
  11   let videoId: string
  12
  13   before(async function () {
  14     this.timeout(60000)
  15
  16     const config = {
  17       rates_limit: {
  18         api: {
  19           max: 50,
  20           window: 5000
  21         },
  22         signup: {
  23           max: 3,
  24           window: 5000
  25         },
  26         login: {
  27           max: 20
  28         }
  29       },
  30       signup: {
  31         limit: 20
  32       }
  33     }
  34
  35     server = await createSingleServer(1, config)
  36     await setAccessTokensToServers([ server ])
  37
  38     userAccessToken = await server.users.generateUserAndToken('user')
  39
  40     const { uuid } = await server.videos.upload()
  41     videoId = uuid
  42   })
  43
  44   it('Should view a video only once with the same IP by default', async function () {
  45     this.timeout(40000)
  46
  47     await server.views.simulateView({ id: videoId })
  48     await server.views.simulateView({ id: videoId })
  49
  50     // Wait the repeatable job
  51     await wait(8000)
  52
  53     const video = await server.videos.get({ id: videoId })
  54     expect(video.views).to.equal(1)
  55   })
  56
  57   it('Should view a video 2 times with the X-Forwarded-For header set', async function () {
  58     this.timeout(20000)
  59
  60     await server.views.simulateView({ id: videoId, xForwardedFor: '0.0.0.1,127.0.0.1' })
  61     await server.views.simulateView({ id: videoId, xForwardedFor: '0.0.0.2,127.0.0.1' })
  62
  63     // Wait the repeatable job
  64     await wait(8000)
  65
  66     const video = await server.videos.get({ id: videoId })
  67     expect(video.views).to.equal(3)
  68   })
  69
  70   it('Should view a video only once with the same client IP in the X-Forwarded-For header', async function () {
  71     this.timeout(20000)
  72
  73     await server.views.simulateView({ id: videoId, xForwardedFor: '0.0.0.4,0.0.0.3,::ffff:127.0.0.1' })
  74     await server.views.simulateView({ id: videoId, xForwardedFor: '0.0.0.5,0.0.0.3,127.0.0.1' })
  75
  76     // Wait the repeatable job
  77     await wait(8000)
  78
  79     const video = await server.videos.get({ id: videoId })
  80     expect(video.views).to.equal(4)
  81   })
  82
  83   it('Should view a video two times with a different client IP in the X-Forwarded-For header', async function () {
  84     this.timeout(20000)
  85
  86     await server.views.simulateView({ id: videoId, xForwardedFor: '0.0.0.8,0.0.0.6,127.0.0.1' })
  87     await server.views.simulateView({ id: videoId, xForwardedFor: '0.0.0.8,0.0.0.7,127.0.0.1' })
  88
  89     // Wait the repeatable job
  90     await wait(8000)
  91
  92     const video = await server.videos.get({ id: videoId })
  93     expect(video.views).to.equal(6)
  94   })
  95
  96   it('Should rate limit logins', async function () {
  97     const user = { username: 'root', password: 'fail' }
  98
  99     for (let i = 0; i < 18; i++) {
 100       await server.login.login({ user, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
 101     }
 102
 103     await server.login.login({ user, expectedStatus: HttpStatusCode.TOO_MANY_REQUESTS_429 })
 104   })
 105
 106   it('Should rate limit signup', async function () {
 107     for (let i = 0; i < 10; i++) {
 108       try {
 109         await server.users.register({ username: 'test' + i })
 110       } catch {
 111         // empty
 112       }
 113     }
 114
 115     await server.users.register({ username: 'test42', expectedStatus: HttpStatusCode.TOO_MANY_REQUESTS_429 })
 116   })
 117
 118   it('Should not rate limit failed signup', async function () {
 119     this.timeout(30000)
 120
 121     await wait(7000)
 122
 123     for (let i = 0; i < 3; i++) {
 124       await server.users.register({ username: 'test' + i, expectedStatus: HttpStatusCode.CONFLICT_409 })
 125     }
 126
 127     await server.users.register({ username: 'test43', expectedStatus: HttpStatusCode.NO_CONTENT_204 })
 128
 129   })
 130
 131   it('Should rate limit API calls', async function () {
 132     this.timeout(30000)
 133
 134     await wait(7000)
 135
 136     for (let i = 0; i < 100; i++) {
 137       try {
 138         await server.videos.get({ id: videoId })
 139       } catch {
 140         // don't care if it fails
 141       }
 142     }
 143
 144     await server.videos.get({ id: videoId, expectedStatus: HttpStatusCode.TOO_MANY_REQUESTS_429 })
 145   })
 146
 147   it('Should rate limit API calls with a user but not with an admin', async function () {
 148     await server.videos.get({ id: videoId, token: userAccessToken, expectedStatus: HttpStatusCode.TOO_MANY_REQUESTS_429 })
 149
 150     await server.videos.get({ id: videoId, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
 151   })
 152
 153   after(async function () {
 154     await cleanupTests([ server ])
 155   })
 156 })