-
Notifications
You must be signed in to change notification settings - Fork 11
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Reduce the number of api calls when testing rate limiting
Reduce the number of actual api calls to 2 per test when testing rate limiting.
- Loading branch information
Showing
2 changed files
with
17 additions
and
16 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,21 +1,21 @@ | ||
| class Rack::Attack | ||
| # Throttle login attempts by IP address | ||
| throttle('logins/ip', limit: CheckConfig.get('login_rate_limit', 10, :integer), period: 60.seconds) do |req| | ||
| throttle('logins/ip', limit: proc { CheckConfig.get('login_rate_limit', 10, :integer) }, period: 60.seconds) do |req| | ||
| if req.path == '/api/users/sign_in' && req.post? | ||
| req.ip | ||
| end | ||
| end | ||
|
|
||
| # Throttle login attempts by email address | ||
| throttle('logins/email', limit: CheckConfig.get('login_rate_limit', 10, :integer), period: 60.seconds) do |req| | ||
| throttle('logins/email', limit: proc { CheckConfig.get('login_rate_limit', 10, :integer) }, period: 60.seconds) do |req| | ||
| if req.path == '/api/users/sign_in' && req.post? | ||
| # Return the email if present, nil otherwise | ||
| req.params['user']['email'].presence if req.params['user'] | ||
| end | ||
| end | ||
|
|
||
| # Throttle all graphql requests by IP address | ||
| throttle('api/graphql', limit: CheckConfig.get('api_rate_limit', 100, :integer), period: 60.seconds) do |req| | ||
| # Throttle all graphql requests by IP address | ||
| throttle('api/graphql', limit: proc { CheckConfig.get('api_rate_limit', 100, :integer) }, period: 60.seconds) do |req| | ||
| req.ip if req.path == '/api/graphql' | ||
| end | ||
| end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,26 +6,27 @@ class ThrottlingTest < ActionDispatch::IntegrationTest | |
| end | ||
|
|
||
| test "should throttle excessive requests to /api/graphql" do | ||
| limit = 100 | ||
| stub_configs({ 'api_rate_limit' => 2 }) do | ||
| 2.times do | ||
| post api_graphql_path | ||
| assert_response :unauthorized | ||
| end | ||
|
|
||
| limit.times do | ||
| post api_graphql_path | ||
| assert_response :unauthorized | ||
| assert_response :too_many_requests | ||
| end | ||
|
|
||
| get api_graphql_path | ||
| assert_response :too_many_requests | ||
| end | ||
|
|
||
| test "should throttle excessive requests to /api/users/sign_in" do | ||
| limit = 10 | ||
| user_params = { api_user: { email: '[email protected]', password: 'password' } } | ||
| stub_configs({ 'login_rate_limit' => 2 }) do | ||
| user_params = { api_user: { email: '[email protected]', password: 'password' } } | ||
|
|
||
| 2.times do | ||
| post api_user_session_path, params: user_params, as: :json | ||
| end | ||
|
|
||
| limit.times do | ||
| post api_user_session_path, params: user_params, as: :json | ||
| assert_response :too_many_requests | ||
| end | ||
|
|
||
| post api_user_session_path, params: user_params, as: :json | ||
| assert_response :too_many_requests | ||
| end | ||
| end | ||