Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
discourse/spec/components/auth/default_current_user_provid...

339 lines
9.9 KiB
Ruby
Raw Normal View History

Prepare for separation of RSpec helper files Since rspec-rails 3, the default installation creates two helper files: * `spec_helper.rb` * `rails_helper.rb` `spec_helper.rb` is intended as a way of running specs that do not require Rails, whereas `rails_helper.rb` loads Rails (as Discourse's current `spec_helper.rb` does). For more information: https://www.relishapp.com/rspec/rspec-rails/docs/upgrade#default-helper-files In this commit, I've simply replaced all instances of `spec_helper` with `rails_helper`, and renamed the original `spec_helper.rb`. This brings the Discourse project closer to the standard usage of RSpec in a Rails app. At present, every spec relies on loading Rails, but there are likely many that don't need to. In a future pull request, I hope to introduce a separate, minimal `spec_helper.rb` which can be used in tests which don't rely on Rails.
2015-10-11 05:41:23 -04:00
require 'rails_helper'
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433.
2014-05-22 18:13:25 -04:00
require_dependency 'auth/default_current_user_provider'
describe Auth::DefaultCurrentUserProvider do
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
class TestProvider < Auth::DefaultCurrentUserProvider
attr_reader :env
def initialize(env)
super(env)
end
end
Add rubocop to our build. (#5004)
2017-07-27 21:20:09 -04:00
def provider(url, opts = nil)
opts ||= { method: "GET" }
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433.
2014-05-22 18:13:25 -04:00
env = Rack::MockRequest.env_for(url, opts)
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
TestProvider.new(env)
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433.
2014-05-22 18:13:25 -04:00
end
it "raises errors for incorrect api_key" do
Add rubocop to our build. (#5004)
2017-07-27 21:20:09 -04:00
expect {
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433.
2014-05-22 18:13:25 -04:00
provider("/?api_key=INCORRECT").current_user
}.to raise_error(Discourse::InvalidAccess)
end
it "finds a user for a correct per-user api key" do
user = Fabricate(:user)
ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1)
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(provider("/?api_key=hello").current_user.id).to eq(user.id)
SECURITY: inactive/suspended accounts should be banned from api Also fixes edge cases around users presenting multiple credentials
2017-02-17 11:02:33 -05:00
user.update_columns(active: false)
Add rubocop to our build. (#5004)
2017-07-27 21:20:09 -04:00
expect {
SECURITY: inactive/suspended accounts should be banned from api Also fixes edge cases around users presenting multiple credentials
2017-02-17 11:02:33 -05:00
provider("/?api_key=hello").current_user
}.to raise_error(Discourse::InvalidAccess)
user.update_columns(active: true, suspended_till: 1.day.from_now)
Add rubocop to our build. (#5004)
2017-07-27 21:20:09 -04:00
expect {
SECURITY: inactive/suspended accounts should be banned from api Also fixes edge cases around users presenting multiple credentials
2017-02-17 11:02:33 -05:00
provider("/?api_key=hello").current_user
}.to raise_error(Discourse::InvalidAccess)
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433.
2014-05-22 18:13:25 -04:00
end
it "raises for a user pretending" do
user = Fabricate(:user)
user2 = Fabricate(:user)
ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1)
Add rubocop to our build. (#5004)
2017-07-27 21:20:09 -04:00
expect {
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433.
2014-05-22 18:13:25 -04:00
provider("/?api_key=hello&api_username=#{user2.username.downcase}").current_user
}.to raise_error(Discourse::InvalidAccess)
end
FEATURE: allow restricting API keys to a particular range
2014-11-19 23:21:49 -05:00
it "raises for a user with a mismatching ip" do
user = Fabricate(:user)
ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1, allowed_ips: ['10.0.0.0/24'])
Add rubocop to our build. (#5004)
2017-07-27 21:20:09 -04:00
expect {
FEATURE: allow restricting API keys to a particular range
2014-11-19 23:21:49 -05:00
provider("/?api_key=hello&api_username=#{user.username.downcase}", "REMOTE_ADDR" => "10.1.0.1").current_user
}.to raise_error(Discourse::InvalidAccess)
end
it "allows a user with a matching ip" do
user = Fabricate(:user)
test forwarding works as expected
2014-11-24 01:16:11 -05:00
ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1, allowed_ips: ['100.0.0.0/24'])
FEATURE: allow restricting API keys to a particular range
2014-11-19 23:21:49 -05:00
found_user = provider("/?api_key=hello&api_username=#{user.username.downcase}",
test forwarding works as expected
2014-11-24 01:16:11 -05:00
"REMOTE_ADDR" => "100.0.0.22").current_user
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(found_user.id).to eq(user.id)
FEATURE: allow restricting API keys to a particular range
2014-11-19 23:21:49 -05:00
test forwarding works as expected
2014-11-24 01:16:11 -05:00
found_user = provider("/?api_key=hello&api_username=#{user.username.downcase}",
"HTTP_X_FORWARDED_FOR" => "10.1.1.1, 100.0.0.22").current_user
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(found_user.id).to eq(user.id)
FEATURE: allow restricting API keys to a particular range
2014-11-19 23:21:49 -05:00
end
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433.
2014-05-22 18:13:25 -04:00
it "finds a user for a correct system api key" do
user = Fabricate(:user)
ApiKey.create!(key: "hello", created_by_id: -1)
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(provider("/?api_key=hello&api_username=#{user.username.downcase}").current_user.id).to eq(user.id)
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433.
2014-05-22 18:13:25 -04:00
end
FIX: last seen date erroneously updated when browser in background In some cases user may be "last seen" even though browser tab is in the background or computer is locked
2017-02-28 12:34:57 -05:00
it "should not update last seen for ajax calls without Discourse-Visible header" do
expect(provider("/topic/anything/goes",
:method => "POST",
"HTTP_X_REQUESTED_WITH" => "XMLHttpRequest"
).should_update_last_seen?).to eq(false)
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433.
2014-05-22 18:13:25 -04:00
end
FIX: last seen date erroneously updated when browser in background In some cases user may be "last seen" even though browser tab is in the background or computer is locked
2017-02-28 12:34:57 -05:00
it "should update ajax reqs with discourse visible" do
expect(provider("/topic/anything/goes",
:method => "POST",
"HTTP_X_REQUESTED_WITH" => "XMLHttpRequest",
"HTTP_DISCOURSE_VISIBLE" => "true"
).should_update_last_seen?).to eq(true)
end
it "should update last seen for non ajax" do
few components with rspec3 syntax
2015-01-09 11:34:37 -05:00
expect(provider("/topic/anything/goes", method: "POST").should_update_last_seen?).to eq(true)
expect(provider("/topic/anything/goes", method: "GET").should_update_last_seen?).to eq(true)
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433.
2014-05-22 18:13:25 -04:00
end
FEATURE: refresh session cookie at most once an hour This feature ensures session cookie lifespan is extended when user is online. Also decreases session timeout from 90 to 60 days. Ensures all users (including logged on ones) get expiring sessions.
2016-07-24 22:07:31 -04:00
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
it "correctly supports legacy tokens" do
user = Fabricate(:user)
token = SecureRandom.hex(16)
user_token = UserAuthToken.create!(user_id: user.id, auth_token: token,
prev_auth_token: token, legacy: true,
rotated_at: Time.zone.now
)
prov = provider("/", "HTTP_COOKIE" => "_t=#{user_token.auth_token}")
expect(prov.current_user.id).to eq(user.id)
# sets a new token up cause it got a global token
cookies = {}
prov.refresh_session(user, {}, cookies)
user.reload
expect(user.user_auth_tokens.count).to eq(2)
expect(cookies["_t"][:value]).not_to eq(token)
end
it "correctly rotates tokens" do
FEATURE: refresh session cookie at most once an hour This feature ensures session cookie lifespan is extended when user is online. Also decreases session timeout from 90 to 60 days. Ensures all users (including logged on ones) get expiring sessions.
2016-07-24 22:07:31 -04:00
SiteSetting.maximum_session_age = 3
user = Fabricate(:user)
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
@provider = provider('/')
cookies = {}
@provider.log_on_user(user, {}, cookies)
unhashed_token = cookies["_t"][:value]
token = UserAuthToken.find_by(user_id: user.id)
expect(token.auth_token_seen).to eq(false)
expect(token.auth_token).not_to eq(unhashed_token)
expect(token.auth_token).to eq(UserAuthToken.hash_token(unhashed_token))
# at this point we are going to try to rotate token
freeze_time 20.minutes.from_now
provider2 = provider("/", "HTTP_COOKIE" => "_t=#{unhashed_token}")
provider2.current_user
token.reload
expect(token.auth_token_seen).to eq(true)
FEATURE: refresh session cookie at most once an hour This feature ensures session cookie lifespan is extended when user is online. Also decreases session timeout from 90 to 60 days. Ensures all users (including logged on ones) get expiring sessions.
2016-07-24 22:07:31 -04:00
cookies = {}
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
provider2.refresh_session(user, {}, cookies)
expect(cookies["_t"][:value]).not_to eq(unhashed_token)
token.reload
expect(token.auth_token_seen).to eq(false)
freeze_time 21.minutes.from_now
old_token = token.prev_auth_token
unverified_token = token.auth_token
# old token should still work
provider2 = provider("/", "HTTP_COOKIE" => "_t=#{unhashed_token}")
expect(provider2.current_user.id).to eq(user.id)
provider2.refresh_session(user, {}, cookies)
token.reload
# because this should cause a rotation since we can safely
# assume it never reached the client
expect(token.prev_auth_token).to eq(old_token)
expect(token.auth_token).not_to eq(unverified_token)
FEATURE: refresh session cookie at most once an hour This feature ensures session cookie lifespan is extended when user is online. Also decreases session timeout from 90 to 60 days. Ensures all users (including logged on ones) get expiring sessions.
2016-07-24 22:07:31 -04:00
FIX: don't expire old sessions when logging in
2016-07-25 21:37:41 -04:00
end
SECURITY: limit bad cookie auth attempts - Also cleans up the _t cookie if it is invalid
2016-07-27 22:58:49 -04:00
it "can only try 10 bad cookies a minute" do
SECURITY: do cookie auth rate limiting earlier
2016-08-08 20:02:18 -04:00
user = Fabricate(:user)
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
token = UserAuthToken.generate!(user_id: user.id)
SECURITY: do cookie auth rate limiting earlier
2016-08-08 20:02:18 -04:00
provider('/').log_on_user(user, {}, {})
SECURITY: limit bad cookie auth attempts - Also cleans up the _t cookie if it is invalid
2016-07-27 22:58:49 -04:00
RateLimiter.stubs(:disabled?).returns(false)
RateLimiter.new(nil, "cookie_auth_10.0.0.1", 10, 60).clear!
RateLimiter.new(nil, "cookie_auth_10.0.0.2", 10, 60).clear!
ip = "10.0.0.1"
env = { "HTTP_COOKIE" => "_t=#{SecureRandom.hex}", "REMOTE_ADDR" => ip }
10.times do
provider('/', env).current_user
end
SECURITY: do cookie auth rate limiting earlier
2016-08-08 20:02:18 -04:00
SECURITY: limit bad cookie auth attempts - Also cleans up the _t cookie if it is invalid
2016-07-27 22:58:49 -04:00
expect {
provider('/', env).current_user
}.to raise_error(Discourse::InvalidAccess)
SECURITY: do cookie auth rate limiting earlier
2016-08-08 20:02:18 -04:00
expect {
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
env["HTTP_COOKIE"] = "_t=#{token.unhashed_auth_token}"
SECURITY: do cookie auth rate limiting earlier
2016-08-08 20:02:18 -04:00
provider("/", env).current_user
}.to raise_error(Discourse::InvalidAccess)
SECURITY: limit bad cookie auth attempts - Also cleans up the _t cookie if it is invalid
2016-07-27 22:58:49 -04:00
env["REMOTE_ADDR"] = "10.0.0.2"
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
expect {
provider('/', env).current_user
}.not_to raise_error
SECURITY: limit bad cookie auth attempts - Also cleans up the _t cookie if it is invalid
2016-07-27 22:58:49 -04:00
end
it "correctly removes invalid cookies" do
Add rubocop to our build. (#5004)
2017-07-27 21:20:09 -04:00
cookies = { "_t" => SecureRandom.hex }
FIX: allow some auth token misses prior to clearing cookie It appears that in some cases ios queues up requests up front and "releases" them when tab gets focus, this allows for a certain number of cookie misses for this case. Otherwise you get logged off.
2017-02-22 12:36:58 -05:00
provider('/').refresh_session(nil, {}, cookies)
SECURITY: limit bad cookie auth attempts - Also cleans up the _t cookie if it is invalid
2016-07-27 22:58:49 -04:00
expect(cookies.key?("_t")).to eq(false)
end
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
it "logging on user always creates a new token" do
FIX: don't expire old sessions when logging in
2016-07-25 21:37:41 -04:00
user = Fabricate(:user)
FEATURE: refresh session cookie at most once an hour This feature ensures session cookie lifespan is extended when user is online. Also decreases session timeout from 90 to 60 days. Ensures all users (including logged on ones) get expiring sessions.
2016-07-24 22:07:31 -04:00
FIX: don't expire old sessions when logging in
2016-07-25 21:37:41 -04:00
provider('/').log_on_user(user, {}, {})
provider('/').log_on_user(user, {}, {})
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
expect(UserAuthToken.where(user_id: user.id).count).to eq(2)
FEATURE: refresh session cookie at most once an hour This feature ensures session cookie lifespan is extended when user is online. Also decreases session timeout from 90 to 60 days. Ensures all users (including logged on ones) get expiring sessions.
2016-07-24 22:07:31 -04:00
end
FEATURE: add support for same site cookies Defaults to Lax, can be disabled or set to Strict. Strict will only work if you require login and use SSO. Otherwise when clicking on links to your site you will appear logged out till you refresh the page.
2017-02-23 12:01:28 -05:00
it "sets secure, same site lax cookies" do
SiteSetting.force_https = false
SiteSetting.same_site_cookies = "Lax"
user = Fabricate(:user)
cookies = {}
provider('/').log_on_user(user, {}, cookies)
expect(cookies["_t"][:same_site]).to eq("Lax")
expect(cookies["_t"][:httponly]).to eq(true)
expect(cookies["_t"][:secure]).to eq(false)
SiteSetting.force_https = true
SiteSetting.same_site_cookies = "Disabled"
cookies = {}
provider('/').log_on_user(user, {}, cookies)
expect(cookies["_t"][:secure]).to eq(true)
expect(cookies["_t"].key?(:same_site)).to eq(false)
end
FEATURE: refresh session cookie at most once an hour This feature ensures session cookie lifespan is extended when user is online. Also decreases session timeout from 90 to 60 days. Ensures all users (including logged on ones) get expiring sessions.
2016-07-24 22:07:31 -04:00
it "correctly expires session" do
SiteSetting.maximum_session_age = 2
user = Fabricate(:user)
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
token = UserAuthToken.generate!(user_id: user.id)
FEATURE: refresh session cookie at most once an hour This feature ensures session cookie lifespan is extended when user is online. Also decreases session timeout from 90 to 60 days. Ensures all users (including logged on ones) get expiring sessions.
2016-07-24 22:07:31 -04:00
provider('/').log_on_user(user, {}, {})
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
expect(provider("/", "HTTP_COOKIE" => "_t=#{token.unhashed_auth_token}").current_user.id).to eq(user.id)
FEATURE: refresh session cookie at most once an hour This feature ensures session cookie lifespan is extended when user is online. Also decreases session timeout from 90 to 60 days. Ensures all users (including logged on ones) get expiring sessions.
2016-07-24 22:07:31 -04:00
freeze_time 3.hours.from_now
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens.
2017-01-31 17:21:37 -05:00
expect(provider("/", "HTTP_COOKIE" => "_t=#{token.unhashed_auth_token}").current_user).to eq(nil)
FEATURE: refresh session cookie at most once an hour This feature ensures session cookie lifespan is extended when user is online. Also decreases session timeout from 90 to 60 days. Ensures all users (including logged on ones) get expiring sessions.
2016-07-24 22:07:31 -04:00
end
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent
2016-08-15 03:58:33 -04:00
context "user api" do
let :user do
Fabricate(:user)
end
let :api_key do
UserApiKey.create!(
application_name: 'my app',
client_id: '1234',
FEATURE: user API now contains scopes so permission is granular previously we supported blanket read and write for user API, this change amends it so we can define more limited scopes. A scope only covers a few routes. You can not grant access to part of the site and leave a large amount of the information hidden to API consumer.
2016-10-14 01:05:27 -04:00
scopes: ['read'],
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent
2016-08-15 03:58:33 -04:00
key: SecureRandom.hex,
user_id: user.id
)
end
it "allows user API access correctly" do
params = {
"REQUEST_METHOD" => "GET",
tweak headers so they can be consumed
2016-08-18 00:38:33 -04:00
"HTTP_USER_API_KEY" => api_key.key,
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent
2016-08-15 03:58:33 -04:00
}
SECURITY: don't grant same privileges to user_api and api access User API is no longer gets bypasses that standard API gets. Only bypasses are CSRF and XHR requirements.
2016-12-15 20:05:20 -05:00
good_provider = provider("/", params)
expect(good_provider.current_user.id).to eq(user.id)
expect(good_provider.is_api?).to eq(false)
expect(good_provider.is_user_api?).to eq(true)
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent
2016-08-15 03:58:33 -04:00
expect {
Add rubocop to our build. (#5004)
2017-07-27 21:20:09 -04:00
provider("/", params.merge("REQUEST_METHOD" => "POST")).current_user
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent
2016-08-15 03:58:33 -04:00
}.to raise_error(Discourse::InvalidAccess)
SECURITY: inactive/suspended accounts should be banned from api Also fixes edge cases around users presenting multiple credentials
2017-02-17 11:02:33 -05:00
user.update_columns(suspended_till: 1.year.from_now)
expect {
provider("/", params).current_user
}.to raise_error(Discourse::InvalidAccess)
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent
2016-08-15 03:58:33 -04:00
end
it "rate limits api usage" do
RateLimiter.stubs(:disabled?).returns(false)
limiter1 = RateLimiter.new(nil, "user_api_day_#{api_key.key}", 10, 60)
limiter2 = RateLimiter.new(nil, "user_api_min_#{api_key.key}", 10, 60)
limiter1.clear!
limiter2.clear!
SiteSetting.max_user_api_reqs_per_day = 3
SiteSetting.max_user_api_reqs_per_minute = 4
params = {
"REQUEST_METHOD" => "GET",
tweak headers so they can be consumed
2016-08-18 00:38:33 -04:00
"HTTP_USER_API_KEY" => api_key.key,
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent
2016-08-15 03:58:33 -04:00
}
3.times do
provider("/", params).current_user
end
expect {
provider("/", params).current_user
}.to raise_error(RateLimiter::LimitExceeded)
SiteSetting.max_user_api_reqs_per_day = 4
SiteSetting.max_user_api_reqs_per_minute = 3
limiter1.clear!
limiter2.clear!
3.times do
provider("/", params).current_user
end
expect {
provider("/", params).current_user
}.to raise_error(RateLimiter::LimitExceeded)
end
end
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433.
2014-05-22 18:13:25 -04:00
end