From c1340a6ac35f924161e6ec2a1d728e20c89e55c8 Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Thu, 4 Jul 2019 16:42:40 +0200
Subject: Add rate limit to registration and API endpoints
---
 server/tests/api/server/reverse-proxy.ts | 57 ++++++++++++++++++++++++++++++--
 1 file changed, 55 insertions(+), 2 deletions(-)
(limited to 'server/tests')
diff --git a/server/tests/api/server/reverse-proxy.ts b/server/tests/api/server/reverse-proxy.ts
index 987538237..00d9fca23 100644
--- a/server/tests/api/server/reverse-proxy.ts
+++ b/server/tests/api/server/reverse-proxy.ts
@@ -2,7 +2,7 @@ import 'mocha'
 import * as chai from 'chai'
-import { cleanupTests, getVideo, uploadVideo, userLogin, viewVideo, wait } from '../../../../shared/extra-utils'
+import { cleanupTests, getVideo, registerUser, uploadVideo, userLogin, viewVideo, wait } from '../../../../shared/extra-utils'
 import { flushAndRunServer, setAccessTokensToServers } from '../../../../shared/extra-utils/index'
 const expect = chai.expect
@@ -13,7 +13,27 @@ describe('Test application behind a reverse proxy', function () {
 before(async function () {
 this.timeout(30000)
- server = await flushAndRunServer(1)
+
+ const config = {
+ rates_limit: {
+ api: {
+ max: 50,
+ window: 5000
+ },
+ signup: {
+ max: 3,
+ window: 5000
+ },
+ login: {
+ max: 20
+ }
+ },
+ signup: {
+ limit: 20
+ }
+ }
+
+ server = await flushAndRunServer(1, config)
 await setAccessTokensToServers([ server ])
 const { body } = await uploadVideo(server.url, server.accessToken, {})
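Review bot: `login` is the only limiter in the new config object without a `window`, while `api` and `signup` both set `window: 5000`; if that is deliberate (presumably falling back to the server default) a short comment on that key would keep the next reader from treating it as an omission, e.g. `login: { max: 20 } // window left at the server default`. The 5000 ms windows are also what the later `wait(7000)` calls in this file are sized against, which is worth stating on the `config` declaration: `// 5 s windows so the tests below can wait them out with wait(7000)`. The `before` hook continues past the end of the hunk.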
@@ -82,6 +102,39 @@ describe('Test application behind a reverse proxy', function () {
 await userLogin(server, user, 429)
 })
+ it('Should rate limit signup', async function () {
+ for (let i = 0; i < 3; i++) {
+ await registerUser(server.url, 'test' + i, 'password')
+ }
+
+ await registerUser(server.url, 'test42', 'password', 429)
+ })
+
+ it('Should not rate limit failed signup', async function () {
+ this.timeout(30000)
+
+ await wait(7000)
+
+ for (let i = 0; i < 3; i++) {
+ await registerUser(server.url, 'test' + i, 'password', 409)
+ }
+
+ await registerUser(server.url, 'test43', 'password', 204)
+
+ })
+
+ it('Should rate limit API calls', async function () {
+ this.timeout(30000)
+
+ await wait(7000)
+
+ for (let i = 0; i < 50; i++) {
+ await getVideo(server.url, videoId)
+ }
+
+ await getVideo(server.url, videoId, 429)
+ })
+
 after(async function () {
 await cleanupTests([ server ])
 })
--
cgit v1.2.3
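Review bot: 'Should not rate limit failed signup' depends on test0–test2 already existing from the previous test, and that order dependency is not stated anywhere; a comment before the loop would make it explicit, e.g. `// test0..test2 were created by the previous test, so these must fail with 409 and must not consume signup quota`. The same test pins the behaviour that 409 responses do not count toward the signup limiter, which means user-enumeration via the "username taken" response is bounded only by the wider `api` limiter (50 per window in this config) rather than the 3-per-window signup limiter — worth a comment recording that this trade-off is intentional. Both `wait(7000)` calls exist to outlive the 5000 ms windows configured in `before`; naming that (`// let the 5 s rate-limit window expire`) would stop someone shortening them and introducing flakiness. 'Should rate limit signup' is the only new test without `this.timeout(30000)` even though it issues four HTTP requests; presumably a file-level timeout covers it, otherwise add the same call.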