mirror of
https://github.com/TryGhost/Ghost.git
synced 2024-12-11 09:53:32 +03:00
9ba251238a
refs https://github.com/TryGhost/Team/issues/2400 - we've deemed it useful to start to return `Content-Version` for all API requests, because it becomes useful to know which version of Ghost a response has come from in logs - this should also help us detect Admin<->Ghost API mismatches, which was the cause of a bug recently (ref'd issue)
78 lines
2.4 KiB
JavaScript
78 lines
2.4 KiB
JavaScript
const {
|
|
agentProvider,
|
|
fixtureManager,
|
|
matchers: {
|
|
anyContentVersion,
|
|
anyEtag
|
|
},
|
|
dbUtils,
|
|
configUtils
|
|
} = require('../../utils/e2e-framework');
|
|
|
|
describe('Sessions API', function () {
|
|
let agent;
|
|
|
|
before(async function () {
|
|
agent = await agentProvider.getAdminAPIAgent();
|
|
await fixtureManager.init();
|
|
});
|
|
|
|
it('Is rate limited to protect against brute forcing a users password', async function () {
|
|
await dbUtils.truncate('brute');
|
|
// +1 because this is a retry count, so we have one request + the retries, then blocked
|
|
const userLoginRateLimit = configUtils.config.get('spam').user_login.freeRetries + 1;
|
|
|
|
for (let i = 0; i < userLoginRateLimit; i++) {
|
|
await agent
|
|
.post('session/')
|
|
.body({
|
|
grant_type: 'password',
|
|
username: 'user@domain.tld',
|
|
password: 'parseword'
|
|
});
|
|
}
|
|
|
|
await agent
|
|
.post('session/')
|
|
.body({
|
|
grant_type: 'password',
|
|
username: 'user@domain.tld',
|
|
password: 'parseword'
|
|
})
|
|
.expectStatus(429)
|
|
.matchHeaderSnapshot({
|
|
'content-version': anyContentVersion,
|
|
etag: anyEtag
|
|
});
|
|
});
|
|
|
|
it('Is rate limited to protect against brute forcing whether a user exists', async function () {
|
|
await dbUtils.truncate('brute');
|
|
// +1 because this is a retry count, so we have one request + the retries, then blocked
|
|
const userLoginRateLimit = configUtils.config.get('spam').user_login.freeRetries + 1;
|
|
|
|
for (let i = 0; i < userLoginRateLimit; i++) {
|
|
await agent
|
|
.post('session/')
|
|
.body({
|
|
grant_type: 'password',
|
|
username: `user+${i}@domain.tld`,
|
|
password: `parseword`
|
|
});
|
|
}
|
|
|
|
await agent
|
|
.post('session/')
|
|
.body({
|
|
grant_type: 'password',
|
|
username: 'user@domain.tld',
|
|
password: 'parseword'
|
|
})
|
|
.expectStatus(429)
|
|
.matchHeaderSnapshot({
|
|
'content-version': anyContentVersion,
|
|
etag: anyEtag
|
|
});
|
|
});
|
|
});
|