mirror of
https://github.com/kikootwo/ReadMeABook.git
synced 2026-06-03 04:40:09 +00:00
Michael Borohovski
123 lines
3.4 KiB
TypeScript
123 lines
3.4 KiB
TypeScript
/**
|
|
* Component: API Token Rate Limit Tests
|
|
* Documentation: documentation/backend/services/auth.md
|
|
*/
|
|
|
|
import { beforeEach, describe, expect, it, vi } from 'vitest';
|
|
import {
|
|
checkApiTokenCreateRateLimit,
|
|
checkApiTokenRevokeRateLimit,
|
|
} from '@/lib/utils/apiTokenRateLimit';
|
|
|
|
describe('API Token Rate Limiting', () => {
|
|
beforeEach(() => {
|
|
vi.useFakeTimers();
|
|
});
|
|
|
|
afterEach(() => {
|
|
vi.useRealTimers();
|
|
});
|
|
|
|
describe('checkApiTokenCreateRateLimit', () => {
|
|
it('allows requests under the limit', () => {
|
|
const actorId = 'user-create-1';
|
|
|
|
for (let i = 0; i < 10; i++) {
|
|
const result = checkApiTokenCreateRateLimit(actorId);
|
|
expect(result.allowed).toBe(true);
|
|
}
|
|
});
|
|
|
|
it('blocks requests over the limit (10/min)', () => {
|
|
const actorId = 'user-create-2';
|
|
|
|
// Use up the limit
|
|
for (let i = 0; i < 10; i++) {
|
|
checkApiTokenCreateRateLimit(actorId);
|
|
}
|
|
|
|
// 11th request should be blocked
|
|
const result = checkApiTokenCreateRateLimit(actorId);
|
|
expect(result.allowed).toBe(false);
|
|
expect(result.retryAfterSeconds).toBeGreaterThan(0);
|
|
});
|
|
|
|
it('resets after the window expires', () => {
|
|
const actorId = 'user-create-3';
|
|
|
|
// Use up the limit
|
|
for (let i = 0; i < 10; i++) {
|
|
checkApiTokenCreateRateLimit(actorId);
|
|
}
|
|
|
|
// Should be blocked
|
|
expect(checkApiTokenCreateRateLimit(actorId).allowed).toBe(false);
|
|
|
|
// Advance time past the window (60 seconds)
|
|
vi.advanceTimersByTime(61 * 1000);
|
|
|
|
// Should be allowed again
|
|
expect(checkApiTokenCreateRateLimit(actorId).allowed).toBe(true);
|
|
});
|
|
|
|
it('tracks different actors separately', () => {
|
|
const actor1 = 'user-create-4';
|
|
const actor2 = 'user-create-5';
|
|
|
|
// Use up actor1's limit
|
|
for (let i = 0; i < 10; i++) {
|
|
checkApiTokenCreateRateLimit(actor1);
|
|
}
|
|
|
|
// actor1 should be blocked
|
|
expect(checkApiTokenCreateRateLimit(actor1).allowed).toBe(false);
|
|
|
|
// actor2 should still be allowed
|
|
expect(checkApiTokenCreateRateLimit(actor2).allowed).toBe(true);
|
|
});
|
|
});
|
|
|
|
describe('checkApiTokenRevokeRateLimit', () => {
|
|
it('allows requests under the limit', () => {
|
|
const actorId = 'user-revoke-1';
|
|
|
|
for (let i = 0; i < 20; i++) {
|
|
const result = checkApiTokenRevokeRateLimit(actorId);
|
|
expect(result.allowed).toBe(true);
|
|
}
|
|
});
|
|
|
|
it('blocks requests over the limit (20/min)', () => {
|
|
const actorId = 'user-revoke-2';
|
|
|
|
// Use up the limit
|
|
for (let i = 0; i < 20; i++) {
|
|
checkApiTokenRevokeRateLimit(actorId);
|
|
}
|
|
|
|
// 21st request should be blocked
|
|
const result = checkApiTokenRevokeRateLimit(actorId);
|
|
expect(result.allowed).toBe(false);
|
|
expect(result.retryAfterSeconds).toBeGreaterThan(0);
|
|
});
|
|
|
|
it('returns correct retryAfterSeconds', () => {
|
|
const actorId = 'user-revoke-3';
|
|
|
|
// Use up the limit
|
|
for (let i = 0; i < 20; i++) {
|
|
checkApiTokenRevokeRateLimit(actorId);
|
|
}
|
|
|
|
// Advance 30 seconds into the window
|
|
vi.advanceTimersByTime(30 * 1000);
|
|
|
|
const result = checkApiTokenRevokeRateLimit(actorId);
|
|
expect(result.allowed).toBe(false);
|
|
// Should have ~30 seconds left
|
|
expect(result.retryAfterSeconds).toBeLessThanOrEqual(30);
|
|
expect(result.retryAfterSeconds).toBeGreaterThan(0);
|
|
});
|
|
});
|
|
});
|