Diffstat (limited to 'spec/requests/rack_attack_global_spec.rb')
-rw-r--r--spec/requests/rack_attack_global_spec.rb32
1 files changed, 32 insertions, 0 deletions
diff --git a/spec/requests/rack_attack_global_spec.rb b/spec/requests/rack_attack_global_spec.rb
index 793438808a5..f2126e3cf9c 100644
--- a/spec/requests/rack_attack_global_spec.rb
+++ b/spec/requests/rack_attack_global_spec.rb
@@ -4,6 +4,7 @@ require 'spec_helper'
RSpec.describe 'Rack Attack global throttles', :use_clean_rails_memory_store_caching do
include RackAttackSpecHelpers
+ include SessionHelpers
let(:settings) { Gitlab::CurrentSettings.current_application_settings }
@@ -63,6 +64,22 @@ RSpec.describe 'Rack Attack global throttles', :use_clean_rails_memory_store_cac
end
end
+ describe 'API requests from the frontend', :api, :clean_gitlab_redis_sessions do
+ context 'when unauthenticated' do
+ it_behaves_like 'rate-limited frontend API requests' do
+ let(:throttle_setting_prefix) { 'throttle_unauthenticated' }
+ end
+ end
+
+ context 'when authenticated' do
+ it_behaves_like 'rate-limited frontend API requests' do
+ let_it_be(:personal_access_token) { create(:personal_access_token) }
+
+ let(:throttle_setting_prefix) { 'throttle_authenticated' }
+ end
+ end
+ end
+
describe 'API requests authenticated with personal access token', :api do
let_it_be(:user) { create(:user) }
let_it_be(:token) { create(:personal_access_token, user: user) }
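Review bot: The `let_it_be(:personal_access_token)` inside the 'when authenticated' variant has no visible consumer; the 'rate-limited frontend API requests' shared example that presumably reads it is defined outside this hunk, so the dependency between the two is implicit. A one-line comment above it, `# consumed by the 'rate-limited frontend API requests' shared example to authenticate the API calls — confirm against the shared example`, would make the contract explicit, and the unauthenticated variant's lack of a token then reads as deliberate rather than an omission. The enclosing `RSpec.describe` block starts and ends outside this hunk.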
@@ -184,6 +201,7 @@ RSpec.describe 'Rack Attack global throttles', :use_clean_rails_memory_store_cac
context 'unauthenticated requests' do
let(:protected_path_that_does_not_require_authentication) do
+ # This is one of the default values for `application_settings.protected_paths`
'/users/sign_in'
end
@@ -227,6 +245,20 @@ RSpec.describe 'Rack Attack global throttles', :use_clean_rails_memory_store_cac
expect_rejection { post protected_path_that_does_not_require_authentication, params: post_params }
end
+ it 'allows non-POST requests to protected paths over the rate limit' do
+ (1 + requests_per_period).times do
+ get protected_path_that_does_not_require_authentication
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+ end
+
+ it 'allows POST requests to unprotected paths over the rate limit' do
+ (1 + requests_per_period).times do
+ post '/api/graphql'
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+ end
+
it_behaves_like 'tracking when dry-run mode is set' do
let(:throttle_name) { 'throttle_unauthenticated_protected_paths' }
end
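Review bot: The second new example relies on `/api/graphql` not being one of the default `protected_paths`, but unlike `protected_path_that_does_not_require_authentication` (which this commit annotates as a default protected path in the @@ -184 hunk) nothing records that assumption, so a later change to the defaults would make the test fail for an unrelated reason; a comment on the `post '/api/graphql'` line such as `# Not one of the default values for `application_settings.protected_paths`` would pin it. Both new examples assert only that every response is `:ok`, which is meaningful only if the enclosing context has the protected-paths throttle enabled; the `expect_rejection` above suggests it does, but the `before` that configures it is not in this hunk, so the examples would pass vacuously if that setup were ever changed. A short comment stating that the throttle is expected to be on in this context would help a reader see the examples are a negative control for the POST-only behaviour rather than a tautology. The enclosing `context 'unauthenticated requests'` block starts outside this hunk.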