From 635b935acc7e7e3bbbf5abff6dbc99bfe9cf5d98 Mon Sep 17 00:00:00 2001
From: Shane Kilkelly
Date: Mon, 16 Jan 2017 11:46:59 +0000
Subject: [PATCH] Add an acceptance test for login rate limits, cleanup
---
 .../coffee/infrastructure/RateLimiter.coffee | 1 -
 .../coffee/RegistrationTests.coffee | 37 +++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/services/web/app/coffee/infrastructure/RateLimiter.coffee b/services/web/app/coffee/infrastructure/RateLimiter.coffee
index 69050939fd..c749fa7e83 100644
--- a/services/web/app/coffee/infrastructure/RateLimiter.coffee
+++ b/services/web/app/coffee/infrastructure/RateLimiter.coffee
@@ -19,7 +19,6 @@ module.exports = RateLimiter =
 if err?
 return callback(err)
 allowed = timeLeft == 0
- console.log ">> limit", namespace, k, timeLeft, actionsLeft, ", allowed", allowed
 callback(null, allowed)
 clearRateLimit: (endpointName, subject, callback) ->
diff --git a/services/web/test/acceptance/coffee/RegistrationTests.coffee b/services/web/test/acceptance/coffee/RegistrationTests.coffee
index 2bf96f86de..20ea0a31b1 100644
--- a/services/web/test/acceptance/coffee/RegistrationTests.coffee
+++ b/services/web/test/acceptance/coffee/RegistrationTests.coffee
@@ -1,9 +1,11 @@
 expect = require("chai").expect
+assert = require("chai").assert
 async = require("async")
 User = require "./helpers/User"
 request = require "./helpers/request"
 settings = require "settings-sharelatex"
 redis = require "./helpers/redis"
+_ = require 'lodash'
@@ -32,6 +34,41 @@ tryLoginThroughRegistrationForm = (user, email, password, callback=(err, respons
 }, callback
+describe "LoginRateLimit", ->
+
+ before ->
+ @user = new User()
+ @badEmail = 'bademail@example.com'
+ @badPassword = 'badpassword'
+
+ it 'should rate limit login attempts after 10 within two minutes', (done) ->
+ @user.request.get '/login', (err, res, body) =>
+ async.timesSeries(
+ 15
+ , (n, cb) =>
+ @user.getCsrfToken (error) =>
+ return cb(error) if error?
+ @user.request.post {
+ url: "/login"
+ json:
+ email: @badEmail
+ password: @badPassword
+ }, (err, response, body) =>
+ cb(null, body?.message?.text)
+ , (err, results) =>
+ # ten incorrect-credentials messages, then five rate-limit messages
+ expect(results.length).to.equal 15
+ assert.deepEqual(
+ results,
+ _.concat(
+ _.fill([1..10], 'Your email or password is incorrect. Please try again'),
+ _.fill([1..5], 'This account has had too many login requests. Please wait 2 minutes before trying to log in again')
+ )
+ )
+ done()
+ )
+
+
 describe "LoginViaRegistration", ->
 before (done) ->
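Review bot: The post callback `(err, response, body) => cb(null, body?.message?.text)` discards `err`, so a transport or helper failure shows up as an `undefined` entry in `results` and a confusing deepEqual mismatch rather than the real error; adding `return cb(err) if err?` before the `cb(null, ...)` line fixes that, and the same ignored `err` recurs in the `@user.request.get '/login'` callback and in the final `(err, results) =>` handler, where `return done(err) if err?` would avoid a thrown `results.length` on `undefined`. The expected sequence also assumes the login rate-limit counter for `@badEmail` starts at zero: if Redis state survives from an earlier run within the two-minute window the limit message arrives before the 11th attempt, and after the test the address stays limited for any later test that reuses it. The RateLimiter hunk in this same commit shows a `clearRateLimit: (endpointName, subject, callback)` helper, so resetting that limit in `before`/`after` would make the test deterministic, though the endpoint name and subject the login limiter uses are not visible in this diff.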