Jean-Luc Makiola
afab8175f9
- Add createRateLimit(maxAttempts, windowMs) factory function - Rewrite rateLimit export to delegate to factory (backward compatible) - Keep shared store, getClientIp, cleanup, and _resetForTesting unchanged - Add createRateLimit factory test suite with 5 test cases - All existing rateLimit middleware tests still pass
181 lines
5.2 KiB
TypeScript
181 lines
5.2 KiB
TypeScript
import { beforeEach, describe, expect, it } from "bun:test";
|
|
import { Hono } from "hono";
|
|
import {
|
|
_resetForTesting,
|
|
createRateLimit,
|
|
rateLimit,
|
|
} from "../../src/server/middleware/rateLimit";
|
|
|
|
function createApp() {
|
|
const app = new Hono();
|
|
app.post("/login", rateLimit, (c) => c.json({ ok: true }));
|
|
app.post("/setup", rateLimit, (c) => c.json({ ok: true }));
|
|
return app;
|
|
}
|
|
|
|
function makeRequest(app: Hono, path: string, ip = "127.0.0.1") {
|
|
return app.request(path, {
|
|
method: "POST",
|
|
headers: { "x-forwarded-for": ip },
|
|
});
|
|
}
|
|
|
|
function makeGetRequest(app: Hono, path: string, ip = "127.0.0.1") {
|
|
return app.request(path, {
|
|
method: "GET",
|
|
headers: { "x-forwarded-for": ip },
|
|
});
|
|
}
|
|
|
|
describe("rateLimit middleware", () => {
|
|
beforeEach(() => {
|
|
_resetForTesting();
|
|
});
|
|
|
|
it("allows first request through", async () => {
|
|
const app = createApp();
|
|
const res = await makeRequest(app, "/login");
|
|
expect(res.status).toBe(200);
|
|
});
|
|
|
|
it("allows up to 5 requests", async () => {
|
|
const app = createApp();
|
|
for (let i = 0; i < 5; i++) {
|
|
const res = await makeRequest(app, "/login");
|
|
expect(res.status).toBe(200);
|
|
}
|
|
});
|
|
|
|
it("returns 429 after 5 requests", async () => {
|
|
const app = createApp();
|
|
for (let i = 0; i < 5; i++) {
|
|
await makeRequest(app, "/login");
|
|
}
|
|
const res = await makeRequest(app, "/login");
|
|
expect(res.status).toBe(429);
|
|
const body = await res.json();
|
|
expect(body.error).toBe("Too many attempts. Try again later.");
|
|
});
|
|
|
|
it("includes Retry-After header on 429", async () => {
|
|
const app = createApp();
|
|
for (let i = 0; i < 5; i++) {
|
|
await makeRequest(app, "/login");
|
|
}
|
|
const res = await makeRequest(app, "/login");
|
|
expect(res.status).toBe(429);
|
|
const retryAfter = res.headers.get("Retry-After");
|
|
expect(retryAfter).toBeTruthy();
|
|
expect(Number(retryAfter)).toBeGreaterThan(0);
|
|
});
|
|
|
|
it("tracks different IPs independently", async () => {
|
|
const app = createApp();
|
|
for (let i = 0; i < 5; i++) {
|
|
await makeRequest(app, "/login", "10.0.0.1");
|
|
}
|
|
const blocked = await makeRequest(app, "/login", "10.0.0.1");
|
|
expect(blocked.status).toBe(429);
|
|
const allowed = await makeRequest(app, "/login", "10.0.0.2");
|
|
expect(allowed.status).toBe(200);
|
|
});
|
|
|
|
it("tracks different paths independently", async () => {
|
|
const app = createApp();
|
|
for (let i = 0; i < 5; i++) {
|
|
await makeRequest(app, "/login");
|
|
}
|
|
const blockedLogin = await makeRequest(app, "/login");
|
|
expect(blockedLogin.status).toBe(429);
|
|
const allowedSetup = await makeRequest(app, "/setup");
|
|
expect(allowedSetup.status).toBe(200);
|
|
});
|
|
});
|
|
|
|
describe("createRateLimit factory", () => {
|
|
beforeEach(() => {
|
|
_resetForTesting();
|
|
});
|
|
|
|
it("blocks on 4th request when limit is 3", async () => {
|
|
const limit3 = createRateLimit(3, 60_000);
|
|
const app = new Hono();
|
|
app.get("/items", limit3, (c) => c.json({ ok: true }));
|
|
|
|
for (let i = 0; i < 3; i++) {
|
|
const res = await makeGetRequest(app, "/items");
|
|
expect(res.status).toBe(200);
|
|
}
|
|
const res = await makeGetRequest(app, "/items");
|
|
expect(res.status).toBe(429);
|
|
});
|
|
|
|
it("allows exactly 10 requests then blocks on 11th", async () => {
|
|
const limit10 = createRateLimit(10, 60_000);
|
|
const app = new Hono();
|
|
app.get("/catalog", limit10, (c) => c.json({ ok: true }));
|
|
|
|
for (let i = 0; i < 10; i++) {
|
|
const res = await makeGetRequest(app, "/catalog");
|
|
expect(res.status).toBe(200);
|
|
}
|
|
const res = await makeGetRequest(app, "/catalog");
|
|
expect(res.status).toBe(429);
|
|
});
|
|
|
|
it("tracks different IPs independently", async () => {
|
|
const limit3 = createRateLimit(3, 60_000);
|
|
const app = new Hono();
|
|
app.get("/items", limit3, (c) => c.json({ ok: true }));
|
|
|
|
for (let i = 0; i < 3; i++) {
|
|
await makeGetRequest(app, "/items", "192.168.1.1");
|
|
}
|
|
const blocked = await makeGetRequest(app, "/items", "192.168.1.1");
|
|
expect(blocked.status).toBe(429);
|
|
|
|
// Different IP should still be allowed
|
|
const allowed = await makeGetRequest(app, "/items", "192.168.1.2");
|
|
expect(allowed.status).toBe(200);
|
|
});
|
|
|
|
it("includes Retry-After header on 429 response", async () => {
|
|
const limit2 = createRateLimit(2, 60_000);
|
|
const app = new Hono();
|
|
app.get("/tags", limit2, (c) => c.json({ ok: true }));
|
|
|
|
await makeGetRequest(app, "/tags");
|
|
await makeGetRequest(app, "/tags");
|
|
const res = await makeGetRequest(app, "/tags");
|
|
|
|
expect(res.status).toBe(429);
|
|
const retryAfter = res.headers.get("Retry-After");
|
|
expect(retryAfter).toBeTruthy();
|
|
expect(Number(retryAfter)).toBeGreaterThan(0);
|
|
});
|
|
|
|
it("two instances with different limits operate independently", async () => {
|
|
const limit3 = createRateLimit(3, 60_000);
|
|
const limit5 = createRateLimit(5, 60_000);
|
|
|
|
const app = new Hono();
|
|
app.get("/browse", limit3, (c) => c.json({ ok: true }));
|
|
app.get("/detail", limit5, (c) => c.json({ ok: true }));
|
|
|
|
// Exhaust browse limit (3)
|
|
for (let i = 0; i < 3; i++) {
|
|
await makeGetRequest(app, "/browse");
|
|
}
|
|
const blockedBrowse = await makeGetRequest(app, "/browse");
|
|
expect(blockedBrowse.status).toBe(429);
|
|
|
|
// Detail endpoint still has its own limit (5) and should work
|
|
for (let i = 0; i < 5; i++) {
|
|
const res = await makeGetRequest(app, "/detail");
|
|
expect(res.status).toBe(200);
|
|
}
|
|
const blockedDetail = await makeGetRequest(app, "/detail");
|
|
expect(blockedDetail.status).toBe(429);
|
|
});
|
|
});
|