1
0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-01-02 15:55:08 +03:00
Ghost/ghost/core/test/e2e-api/admin/rate-limiting.test.js
Daniel Lockyer 9ba251238a Added Content-Version header to all API requests
refs https://github.com/TryGhost/Team/issues/2400

- we've deemed it useful to start to return `Content-Version` for all
  API requests, because it becomes useful to know which version of Ghost
  a response has come from in logs
- this should also help us detect Admin<->Ghost API mismatches, which
  was the cause of a bug recently (ref'd issue)
2023-01-18 08:38:07 +01:00

78 lines
2.4 KiB
JavaScript

const {
agentProvider,
fixtureManager,
matchers: {
anyContentVersion,
anyEtag
},
dbUtils,
configUtils
} = require('../../utils/e2e-framework');
describe('Sessions API', function () {
let agent;
before(async function () {
agent = await agentProvider.getAdminAPIAgent();
await fixtureManager.init();
});
it('Is rate limited to protect against brute forcing a users password', async function () {
await dbUtils.truncate('brute');
// +1 because this is a retry count, so we have one request + the retries, then blocked
const userLoginRateLimit = configUtils.config.get('spam').user_login.freeRetries + 1;
for (let i = 0; i < userLoginRateLimit; i++) {
await agent
.post('session/')
.body({
grant_type: 'password',
username: 'user@domain.tld',
password: 'parseword'
});
}
await agent
.post('session/')
.body({
grant_type: 'password',
username: 'user@domain.tld',
password: 'parseword'
})
.expectStatus(429)
.matchHeaderSnapshot({
'content-version': anyContentVersion,
etag: anyEtag
});
});
it('Is rate limited to protect against brute forcing whether a user exists', async function () {
await dbUtils.truncate('brute');
// +1 because this is a retry count, so we have one request + the retries, then blocked
const userLoginRateLimit = configUtils.config.get('spam').user_login.freeRetries + 1;
for (let i = 0; i < userLoginRateLimit; i++) {
await agent
.post('session/')
.body({
grant_type: 'password',
username: `user+${i}@domain.tld`,
password: `parseword`
});
}
await agent
.post('session/')
.body({
grant_type: 'password',
username: 'user@domain.tld',
password: 'parseword'
})
.expectStatus(429)
.matchHeaderSnapshot({
'content-version': anyContentVersion,
etag: anyEtag
});
});
});