
Rate Testing #1605

Open

Zach-O-Bates wants to merge 6 commits into OpenEnergyDashboard:development from Zach-O-Bates:rate_testing

Conversation

@Zach-O-Bates

Description

This pull request resolves issues with login rate limiting and test reliability. The login rate limiter was updated to behave differently based on environment variables, allowing normal tests to run without interference while enforcing strict limits during dedicated rate limit testing. A separate ratetest environment was introduced to properly validate 429 responses without impacting other test suites.

Fixes #1564

Type of change

(Check the ones that apply by placing an "x" instead of the space in the [ ] so it becomes [x])

  • Note merging this changes the database configuration.
  • This change requires a documentation update

Checklist

  • I have followed the OED pull request ideas
  • I have removed text in ( ) from the issue request
  • You acknowledge that every person contributing to this work has signed the OED Contributing License Agreement and each author is listed in the Description section.

Limitations

N/A

@Zach-O-Bates changed the title from "Rate testing" to "Rate Testing" on Apr 13, 2026
@huss
Member

huss commented Apr 16, 2026

This is to note that PR #1593 may change the route location of the login and this could impact this PR.

OED really should check all route names to verify they are correct compared to usage here and the upcoming test code (this part is outside the scope of the PR).

Member

@huss huss left a comment


@Zach-O-Bates Thanks for working on this issue. Overall it is okay but I've made some comments to consider. Please let me know if anything is not clear or you have questions/thoughts.

Comment thread src/server/app.js Outdated
Comment thread src/server/tempRatetest/rateTest.js Outdated
Comment thread src/server/tempRatetest/rateTest.js Outdated
Comment thread src/server/tempRatetest/rateTest.js Outdated
Comment thread src/server/app.js Outdated
Comment thread src/server/app.js Outdated
Comment thread src/server/tempRatetest/rateTest.js Outdated
});
expect(first).to.have.status(401);

const second = await chai.request(app)
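Review bot: `expect(first).to.have.status(401)` uses a bare numeric status where the later revision of this same test uses the named constant; prefer `expect(first).to.have.status(HTTP_CODE.UNAUTHORIZED)` so the intent (credentials rejected, not rate limited) reads directly and the 401/429 distinction the test depends on is not a magic number.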
Member

This implicitly assumes the rate is 1 request per unit of time and that the test runs fast enough to not cross that amount of time between the first and second attempt. That should be okay, but a comment should make it explicit. Note if the time frame of the limit is changed as suggested in another comment (to per hour) then the odds of this happening go to zero, but the rationale should still be commented.

Comment thread src/server/tempRatetest/rateTest.js Outdated
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/* This file tests the login route rate limiting functionality.
Member

The name of this file does not seem to scope it as only for login (rateTest.js). I think the name should stay the same but the comment should state that it currently only does the login route. There should also be a TODO to check every rate limit in app.js.

I think an issue should be opened to say this needs to be done (unless you do it now which I'm assuming you are not). Would you like to do that or should I?

Author

I can open it

Member

I'm not seeing the issue yet.

Comment thread src/server/app.js Outdated
Comment thread src/server/tempRatetest/rateTest.js Outdated
@@ -0,0 +1,37 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
Member

The location of this file seems off. package.json has src/server/rateTest/**/*.js which seems reasonable. The test will not run at this time with the package script. I'm putting off testing until this and other comments are resolved.

Member

Thanks for fixing the location of the file. I know I said the proposed location was okay, but I've reconsidered. How would you feel about changing the directory name from rateTest/ to testRate/? That would mean it would be listed next to the test/ directory, and that seems useful to me.

Member

@huss huss left a comment


@Zach-O-Bates Thank you for addressing my previous comments. I have made a couple of new ones and also commented on a couple of older ones. I think this is getting much closer. Please let me know if anything is not clear or you have thoughts/questions.

Comment thread src/server/app.js
const loginLimiter = rateLimit({
// Window of 1 hour
windowMs: 60 * 60 * 1000,
/* Rationale: The login route requires a more specifc and strict rate limit that must be tested seperately.
Member

Misspelled: specifc, seperately & enviroment

It ensures that repeated login attempts are blocked after
exceeding the configured rate limit. */

// TODO: Create additonal rate limits tests for other OED Routes
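Review bot: the rationale comment on `loginLimiter` explains why the login limit is stricter but not what the limit is or how it is selected; `windowMs` is the only parameter visible here, while the PR description says the limiter's behaviour depends on environment variables. Suggest the comment name the environment variable that switches between the normal and rate-test limits and the attempt count in each mode, so the one-attempt-per-window assumption the rate test relies on is documented beside the limiter rather than only in the test. The TODO should also point at the other rate limits in app.js by name so the follow-up issue has a concrete list.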
Member

spelling: additonal

});

//First request that makes it through to authentication
expect(first).to.have.status(HTTP_CODE.UNAUTHORIZED);
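Review bot: a NOT_FOUND response here means the request never reached the login route, so this assertion is exercising the request path rather than the limiter. Since PR #1593 may move the login route (noted earlier in this thread), suggest the test derive the path from the same constant or router mount the app uses, or precede this line with an assertion that the status is not HTTP_CODE.NOT_FOUND, so a moved route fails with a message that says "route not found" instead of a confusing 404-vs-401 mismatch.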
Member

This test is failing on my machine. It is giving a 404/NOT_FOUND instead of 401/UNAUTHORIZED. I have not looked into why. Do you see that when you do npm run rateTest?

I'm going to put off testing all the new package script choices until this is resolved.

//First request that makes it through to authentication
expect(first).to.have.status(HTTP_CODE.UNAUTHORIZED);

const second = await chai.request(app)
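Review bot: the first request carries a comment explaining why it reaches authentication, but the second request has no comment saying why it is expected to be limited. Add one stating that the login limiter allows a single attempt per window (the 1 attempt per hour being discussed) and that both requests are assumed to fall inside the same window, so a future change to `max` or `windowMs` that breaks this test is immediately explained. Style point: `//First request` should be `// First request` to match the spaced comment style used elsewhere in the file.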
Member

Redoing comment since code moved. I had:

This implicitly assumes the rate is 1 request per a unit of time and that the test runs fast enough to not cross that amount of time between the first and second attempt. That should be okay but a comment should make it explicit. Note if the time frame of the limit is changed as suggested in another comment (to per hour) then the odds of this happening goes to zero but the rationale should still be commented.

I think discussing here that the limit should be 1 for an hour so this fails with a comment has value.
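The design the PR description outlines (a login limiter whose limit depends on an environment variable, with a dedicated rate-test mode that must produce 429 responses) and the timing assumption raised in the review comment above, shown as an added example that is not OED project code: a dependency-free fixed-window limiter in the shape of an Express middleware, exercised with hand-built req/res objects so it runs without express or chai. The environment variable name OED_RATE_TEST, the limits (1 attempt per hour in rate-test mode, 1000 otherwise), per-IP keying, and the always-rejecting stand-in login handler are assumptions for illustration, not values taken from the PR.

```javascript
// Added example, not OED project code. Assumed names/values: OED_RATE_TEST,
// 1 attempt/hour in rate-test mode, 1000/hour otherwise, keyed by req.ip.
const HTTP_CODE = { UNAUTHORIZED: 401, TOO_MANY_REQUESTS: 429 };

// Builds a fixed-window limiter middleware. `env` and `now` are injectable so
// tests can select the mode and control the clock instead of sleeping.
function createLoginLimiter(env = process.env, now = Date.now) {
  const rateTest = env.OED_RATE_TEST === 'true';   // strict mode only for the rate test suite
  const max = rateTest ? 1 : 1000;                  // assumed attempt counts per window
  const windowMs = 60 * 60 * 1000;                  // window of 1 hour
  const hits = new Map();                           // key -> { count, resetAt }

  function middleware(req, res, next) {
    const key = req.ip;                             // assumption: one bucket per client IP
    const t = now();
    let entry = hits.get(key);
    if (!entry || t >= entry.resetAt) {
      // First request of a new window: start counting again.
      entry = { count: 0, resetAt: t + windowMs };
      hits.set(key, entry);
    }
    entry.count += 1;
    if (entry.count > max) {
      res.status(HTTP_CODE.TOO_MANY_REQUESTS).json({ message: 'Too many login attempts' });
      return;                                       // request never reaches authentication
    }
    next();
  }
  // Expose the effective settings so a test can document what it relies on.
  return Object.assign(middleware, { max, windowMs, rateTest });
}

// Stand-in for the login handler: credentials are always wrong here, so a
// request that gets past the limiter answers 401.
function loginHandler(req, res) {
  res.status(HTTP_CODE.UNAUTHORIZED).json({ message: 'Invalid credentials' });
}

// Minimal response object supporting the chained status().json() calls above.
function makeRes() {
  const res = { statusCode: 0, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Runs one request through limiter -> login handler and returns the status.
function runRequest(limiter, req) {
  const res = makeRes();
  limiter(req, res, () => loginHandler(req, res));
  return res.statusCode;
}

// Mirrors the two-request shape of rateTest.js. The second status is only 429
// because max is 1 in rate-test mode AND both requests fall inside the same
// 1-hour window; that assumption is what the review asks to be commented.
function twoLoginAttempts(env, clock) {
  const limiter = createLoginLimiter(env, clock);
  const req = { ip: '127.0.0.1', body: { email: 'user@example.com', password: 'wrong' } };
  return [runRequest(limiter, req), runRequest(limiter, req)];
}

module.exports = { HTTP_CODE, createLoginLimiter, runRequest, twoLoginAttempts };
```

Injecting the clock is what lets a test also cover the failure mode the review describes (the window rolling over between the two requests) without a real one-hour wait: advance the fake clock past `limiter.windowMs` and the second request is expected to reach authentication again.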

Development

Successfully merging this pull request may close these issues.

limit login rate

2 participants