From c1340a6ac35f924161e6ec2a1d728e20c89e55c8 Mon Sep 17 00:00:00 2001
From: Chocobozzz <me@florianbigard.com>
Date: Thu, 4 Jul 2019 16:42:40 +0200
Subject: Add rate limit to registration and API endpoints

---
 server/tests/api/server/reverse-proxy.ts | 57 ++++++++++++++++++++++++++++++--
 1 file changed, 55 insertions(+), 2 deletions(-)

(limited to 'server/tests/api')

diff --git a/server/tests/api/server/reverse-proxy.ts b/server/tests/api/server/reverse-proxy.ts
index 987538237..00d9fca23 100644
--- a/server/tests/api/server/reverse-proxy.ts
+++ b/server/tests/api/server/reverse-proxy.ts
@@ -2,7 +2,7 @@
 
 import 'mocha'
 import * as chai from 'chai'
-import { cleanupTests, getVideo, uploadVideo, userLogin, viewVideo, wait } from '../../../../shared/extra-utils'
+import { cleanupTests, getVideo, registerUser, uploadVideo, userLogin, viewVideo, wait } from '../../../../shared/extra-utils'
 import { flushAndRunServer, setAccessTokensToServers } from '../../../../shared/extra-utils/index'
 
 const expect = chai.expect
@@ -13,7 +13,27 @@ describe('Test application behind a reverse proxy', function () {
 
   before(async function () {
     this.timeout(30000)
-    server = await flushAndRunServer(1)
+
+    const config = {
+      rates_limit: {
+        api: {
+          max: 50,
+          window: 5000
+        },
+        signup: {
+          max: 3,
+          window: 5000
+        },
+        login: {
+          max: 20
+        }
+      },
+      signup: {
+        limit: 20
+      }
+    }
+
+    server = await flushAndRunServer(1, config)
     await setAccessTokensToServers([ server ])
 
     const { body } = await uploadVideo(server.url, server.accessToken, {})
@@ -82,6 +102,39 @@ describe('Test application behind a reverse proxy', function () {
     await userLogin(server, user, 429)
   })
 
+  it('Should rate limit signup', async function () {
+    for (let i = 0; i < 3; i++) {
+      await registerUser(server.url, 'test' + i, 'password')
+    }
+
+    await registerUser(server.url, 'test42', 'password', 429)
+  })
+
+  it('Should not rate limit failed signup', async function () {
+    this.timeout(30000)
+
+    await wait(7000)
+
+    for (let i = 0; i < 3; i++) {
+      await registerUser(server.url, 'test' + i, 'password', 409)
+    }
+
+    await registerUser(server.url, 'test43', 'password', 204)
+
+  })
+
+  it('Should rate limit API calls', async function () {
+    this.timeout(30000)
+
+    await wait(7000)
+
+    for (let i = 0; i < 50; i++) {
+      await getVideo(server.url, videoId)
+    }
+
+    await getVideo(server.url, videoId, 429)
+  })
+
   after(async function () {
     await cleanupTests([ server ])
   })
-- 
cgit v1.2.3