Add tests for security hardening: deleted user auth rejection, rate limiting

2026-06-02 20:30:10 +00:00 · 2026-03-03 15:45:07 -08:00
parent 04b6a2c135
commit f0b2476b87
3 changed files with 222 additions and 0 deletions
@@ -0,0 +1,122 @@
+/**
+ * Component: API Token Rate Limit Tests
+ * Documentation: documentation/backend/services/auth.md
+ */
+
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+import {
+  checkApiTokenCreateRateLimit,
+  checkApiTokenRevokeRateLimit,
+} from '@/lib/utils/apiTokenRateLimit';
+
+describe('API Token Rate Limiting', () => {
+  beforeEach(() => {
+    vi.useFakeTimers();
+  });
+
+  afterEach(() => {
+    vi.useRealTimers();
+  });
+
+  describe('checkApiTokenCreateRateLimit', () => {
+    it('allows requests under the limit', () => {
+      const actorId = 'user-create-1';
+
+      for (let i = 0; i < 10; i++) {
+        const result = checkApiTokenCreateRateLimit(actorId);
+        expect(result.allowed).toBe(true);
+      }
+    });
+
+    it('blocks requests over the limit (10/min)', () => {
+      const actorId = 'user-create-2';
+
+      // Use up the limit
+      for (let i = 0; i < 10; i++) {
+        checkApiTokenCreateRateLimit(actorId);
+      }
+
+      // 11th request should be blocked
+      const result = checkApiTokenCreateRateLimit(actorId);
+      expect(result.allowed).toBe(false);
+      expect(result.retryAfterSeconds).toBeGreaterThan(0);
+    });
+
+    it('resets after the window expires', () => {
+      const actorId = 'user-create-3';
+
+      // Use up the limit
+      for (let i = 0; i < 10; i++) {
+        checkApiTokenCreateRateLimit(actorId);
+      }
+
+      // Should be blocked
+      expect(checkApiTokenCreateRateLimit(actorId).allowed).toBe(false);
+
+      // Advance time past the window (60 seconds)
+      vi.advanceTimersByTime(61 * 1000);
+
+      // Should be allowed again
+      expect(checkApiTokenCreateRateLimit(actorId).allowed).toBe(true);
+    });
+
+    it('tracks different actors separately', () => {
+      const actor1 = 'user-create-4';
+      const actor2 = 'user-create-5';
+
+      // Use up actor1's limit
+      for (let i = 0; i < 10; i++) {
+        checkApiTokenCreateRateLimit(actor1);
+      }
+
+      // actor1 should be blocked
+      expect(checkApiTokenCreateRateLimit(actor1).allowed).toBe(false);
+
+      // actor2 should still be allowed
+      expect(checkApiTokenCreateRateLimit(actor2).allowed).toBe(true);
+    });
+  });
+
+  describe('checkApiTokenRevokeRateLimit', () => {
+    it('allows requests under the limit', () => {
+      const actorId = 'user-revoke-1';
+
+      for (let i = 0; i < 20; i++) {
+        const result = checkApiTokenRevokeRateLimit(actorId);
+        expect(result.allowed).toBe(true);
+      }
+    });
+
+    it('blocks requests over the limit (20/min)', () => {
+      const actorId = 'user-revoke-2';
+
+      // Use up the limit
+      for (let i = 0; i < 20; i++) {
+        checkApiTokenRevokeRateLimit(actorId);
+      }
+
+      // 21st request should be blocked
+      const result = checkApiTokenRevokeRateLimit(actorId);
+      expect(result.allowed).toBe(false);
+      expect(result.retryAfterSeconds).toBeGreaterThan(0);
+    });
+
+    it('returns correct retryAfterSeconds', () => {
+      const actorId = 'user-revoke-3';
+
+      // Use up the limit
+      for (let i = 0; i < 20; i++) {
+        checkApiTokenRevokeRateLimit(actorId);
+      }
+
+      // Advance 30 seconds into the window
+      vi.advanceTimersByTime(30 * 1000);
+
+      const result = checkApiTokenRevokeRateLimit(actorId);
+      expect(result.allowed).toBe(false);
+      // Should have ~30 seconds left
+      expect(result.retryAfterSeconds).toBeLessThanOrEqual(30);
+      expect(result.retryAfterSeconds).toBeGreaterThan(0);
+    });
+  });
+});