aboutsummaryrefslogtreecommitdiffhomepage
path: root/server/tests/api
diff options
context:
space:
mode:
authorChocobozzz <me@florianbigard.com>2018-03-29 10:58:24 +0200
committerChocobozzz <me@florianbigard.com>2018-03-29 11:03:30 +0200
commit490b595a01c5824ff63ffb87f0efdfca95f4bf3b (patch)
tree3ad716fbb97a8b4ee946ad907202b82934a33d7c /server/tests/api
parent23f4c3d412974fa5fda52589d1192e098e260f1a (diff)
downloadPeerTube-490b595a01c5824ff63ffb87f0efdfca95f4bf3b.tar.gz
PeerTube-490b595a01c5824ff63ffb87f0efdfca95f4bf3b.tar.zst
PeerTube-490b595a01c5824ff63ffb87f0efdfca95f4bf3b.zip
Prevent brute force login attack
Diffstat (limited to 'server/tests/api')
-rw-r--r--server/tests/api/server/reverse-proxy.ts82
1 files changed, 82 insertions, 0 deletions
diff --git a/server/tests/api/server/reverse-proxy.ts b/server/tests/api/server/reverse-proxy.ts
new file mode 100644
index 000000000..aa4b3ae81
--- /dev/null
+++ b/server/tests/api/server/reverse-proxy.ts
@@ -0,0 +1,82 @@
1/* tslint:disable:no-unused-expression */
2
3import 'mocha'
4import * as chai from 'chai'
5import { About } from '../../../../shared/models/server/about.model'
6import { CustomConfig } from '../../../../shared/models/server/custom-config.model'
7import { deleteCustomConfig, getAbout, getVideo, killallServers, login, reRunServer, uploadVideo, userLogin, viewVideo } from '../../utils'
8const expect = chai.expect
9
10import {
11 getConfig,
12 flushTests,
13 runServer,
14 registerUser, getCustomConfig, setAccessTokensToServers, updateCustomConfig
15} from '../../utils/index'
16
17describe('Test application behind a reverse proxy', function () {
18 let server = null
19 let videoId
20
21 before(async function () {
22 this.timeout(30000)
23
24 await flushTests()
25 server = await runServer(1)
26 await setAccessTokensToServers([ server ])
27
28 const { body } = await uploadVideo(server.url, server.accessToken, {})
29 videoId = body.video.uuid
30 })
31
32 it('Should view a video only once with the same IP by default', async function () {
33 await viewVideo(server.url, videoId)
34 await viewVideo(server.url, videoId)
35
36 const { body } = await getVideo(server.url, videoId)
37 expect(body.views).to.equal(1)
38 })
39
40 it('Should view a video 2 times with the X-Forwarded-For header set', async function () {
41 await viewVideo(server.url, videoId, 204, '0.0.0.1,127.0.0.1')
42 await viewVideo(server.url, videoId, 204, '0.0.0.2,127.0.0.1')
43
44 const { body } = await getVideo(server.url, videoId)
45 expect(body.views).to.equal(3)
46 })
47
48 it('Should view a video only once with the same client IP in the X-Forwarded-For header', async function () {
49 await viewVideo(server.url, videoId, 204, '0.0.0.4,0.0.0.3,::ffff:127.0.0.1')
50 await viewVideo(server.url, videoId, 204, '0.0.0.5,0.0.0.3,127.0.0.1')
51
52 const { body } = await getVideo(server.url, videoId)
53 expect(body.views).to.equal(4)
54 })
55
56 it('Should view a video two times with a different client IP in the X-Forwarded-For header', async function () {
57 await viewVideo(server.url, videoId, 204, '0.0.0.8,0.0.0.6,127.0.0.1')
58 await viewVideo(server.url, videoId, 204, '0.0.0.8,0.0.0.7,127.0.0.1')
59
60 const { body } = await getVideo(server.url, videoId)
61 expect(body.views).to.equal(6)
62 })
63
64 it('Should rate limit logins', async function () {
65 const user = { username: 'root', password: 'fail' }
66
67 for (let i = 0; i < 9; i++) {
68 await userLogin(server, user, 400)
69 }
70
71 await userLogin(server, user, 429)
72 })
73
74 after(async function () {
75 process.kill(-server.app.pid)
76
77 // Keep the logs if the test failed
78 if (this['ok']) {
79 await flushTests()
80 }
81 })
82})