Ghost/ghost/core/test/e2e-api/admin/rate-limiting.test.js

const {
    agentProvider,
    fixtureManager,
    matchers: {
        anyContentVersion,
        anyEtag
    },
    dbUtils,
    configUtils
} = require('../../utils/e2e-framework');

describe('Sessions API', function () {
    let agent;

    before(async function () {
        agent = await agentProvider.getAdminAPIAgent();
        await fixtureManager.init();
    });

    it('Is rate limited to protect against brute forcing a users password', async function () {
        await dbUtils.truncate('brute');
        // +1 because this is a retry count, so we have one request + the retries, then blocked
        const userLoginRateLimit = configUtils.config.get('spam').user_login.freeRetries + 1;

        for (let i = 0; i < userLoginRateLimit; i++) {
            await agent
                .post('session/')
                .body({
                    grant_type: 'password',
                    username: 'user@domain.tld',
                    password: 'parseword'
                });
        }

        await agent
            .post('session/')
            .body({
                grant_type: 'password',
                username: 'user@domain.tld',
                password: 'parseword'
            })
            .expectStatus(429)
            .matchHeaderSnapshot({
                'content-version': anyContentVersion,
                etag: anyEtag
            });
    });

    it('Is rate limited to protect against brute forcing whether a user exists', async function () {
        await dbUtils.truncate('brute');
        // +1 because this is a retry count, so we have one request + the retries, then blocked
        const userLoginRateLimit = configUtils.config.get('spam').user_login.freeRetries + 1;

        for (let i = 0; i < userLoginRateLimit; i++) {
            await agent
                .post('session/')
                .body({
                    grant_type: 'password',
                    username: `user+${i}@domain.tld`,
                    password: `parseword`
                });
        }

        await agent
            .post('session/')
            .body({
                grant_type: 'password',
                username: 'user@domain.tld',
                password: 'parseword'
            })
            .expectStatus(429)
            .matchHeaderSnapshot({
                'content-version': anyContentVersion,
                etag: anyEtag
            });
    });
});
🔒 Fixed rate limiting for user login (#15336) refs https://github.com/TryGhost/Team/issues/1074 Rather than relying on the global block to stop malicious actors from enumerating email addresses to determine who is and isn't a user, we want our user login brute force protection to be on an IP basis, rather than tied to the username. 2022-08-31 17:33:42 +03:00			`const {`
			`agentProvider,`
			`fixtureManager,`
			`matchers: {`
Added `Content-Version` header to all API requests refs https://github.com/TryGhost/Team/issues/2400 - we've deemed it useful to start to return `Content-Version` for all API requests, because it becomes useful to know which version of Ghost a response has come from in logs - this should also help us detect Admin<->Ghost API mismatches, which was the cause of a bug recently (ref'd issue) 2023-01-17 14:56:29 +03:00			`anyContentVersion,`
🔒 Fixed rate limiting for user login (#15336) refs https://github.com/TryGhost/Team/issues/1074 Rather than relying on the global block to stop malicious actors from enumerating email addresses to determine who is and isn't a user, we want our user login brute force protection to be on an IP basis, rather than tied to the username. 2022-08-31 17:33:42 +03:00			`anyEtag`
			`},`
			`dbUtils,`
			`configUtils`
			`} = require('../../utils/e2e-framework');`

			`describe('Sessions API', function () {`
			`let agent;`

			`before(async function () {`
			`agent = await agentProvider.getAdminAPIAgent();`
			`await fixtureManager.init();`
			`});`

			`it('Is rate limited to protect against brute forcing a users password', async function () {`
			`await dbUtils.truncate('brute');`
			`// +1 because this is a retry count, so we have one request + the retries, then blocked`
			`const userLoginRateLimit = configUtils.config.get('spam').user_login.freeRetries + 1;`

			`for (let i = 0; i < userLoginRateLimit; i++) {`
			`await agent`
			`.post('session/')`
			`.body({`
			`grant_type: 'password',`
			`username: 'user@domain.tld',`
			`password: 'parseword'`
			`});`
			`}`

			`await agent`
			`.post('session/')`
			`.body({`
			`grant_type: 'password',`
			`username: 'user@domain.tld',`
			`password: 'parseword'`
			`})`
			`.expectStatus(429)`
			`.matchHeaderSnapshot({`
Added `Content-Version` header to all API requests refs https://github.com/TryGhost/Team/issues/2400 - we've deemed it useful to start to return `Content-Version` for all API requests, because it becomes useful to know which version of Ghost a response has come from in logs - this should also help us detect Admin<->Ghost API mismatches, which was the cause of a bug recently (ref'd issue) 2023-01-17 14:56:29 +03:00			`'content-version': anyContentVersion,`
🔒 Fixed rate limiting for user login (#15336) refs https://github.com/TryGhost/Team/issues/1074 Rather than relying on the global block to stop malicious actors from enumerating email addresses to determine who is and isn't a user, we want our user login brute force protection to be on an IP basis, rather than tied to the username. 2022-08-31 17:33:42 +03:00			`etag: anyEtag`
			`});`
			`});`

			`it('Is rate limited to protect against brute forcing whether a user exists', async function () {`
			`await dbUtils.truncate('brute');`
			`// +1 because this is a retry count, so we have one request + the retries, then blocked`
			`const userLoginRateLimit = configUtils.config.get('spam').user_login.freeRetries + 1;`

			`for (let i = 0; i < userLoginRateLimit; i++) {`
			`await agent`
			`.post('session/')`
			`.body({`
			`grant_type: 'password',`
			username: `user+${i}@domain.tld`,
			password: `parseword`
			`});`
			`}`

			`await agent`
			`.post('session/')`
			`.body({`
			`grant_type: 'password',`
			`username: 'user@domain.tld',`
			`password: 'parseword'`
			`})`
			`.expectStatus(429)`
			`.matchHeaderSnapshot({`
Added `Content-Version` header to all API requests refs https://github.com/TryGhost/Team/issues/2400 - we've deemed it useful to start to return `Content-Version` for all API requests, because it becomes useful to know which version of Ghost a response has come from in logs - this should also help us detect Admin<->Ghost API mismatches, which was the cause of a bug recently (ref'd issue) 2023-01-17 14:56:29 +03:00			`'content-version': anyContentVersion,`
🔒 Fixed rate limiting for user login (#15336) refs https://github.com/TryGhost/Team/issues/1074 Rather than relying on the global block to stop malicious actors from enumerating email addresses to determine who is and isn't a user, we want our user login brute force protection to be on an IP basis, rather than tied to the username. 2022-08-31 17:33:42 +03:00			`etag: anyEtag`
			`});`
			`});`
			`});`