Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com> Co-authored-by: Kyle Mendell <kmendell@ofkm.us> Co-authored-by: Elias Schneider <login@eliasschneider.com>
//go:build !exclude_frontend
package frontend
import (
"net/http"
"net/http/httptest"
"testing"
"testing/fstest"
"github.com/gin-gonic/gin"
"github.com/stretchr/testify/assert"
)
// TestIsSPARequest exercises isSPARequest against a tiny in-memory dist
// bundle: paths that do not resolve to a bundled file (the root and an
// unknown client-side route) are treated as SPA requests, while a path that
// matches a bundled asset is not.
func TestIsSPARequest(t *testing.T) {
	distFS := fstest.MapFS{
		"assets/app.js": &fstest.MapFile{Data: []byte("console.log('test')")},
	}

	cases := []struct {
		name string
		path string
		want bool
	}{
		{name: "root path is spa request", path: "", want: true},
		{name: "existing bundled asset is not spa request", path: "assets/app.js", want: false},
		{name: "unknown path is spa request", path: "authorize", want: true},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			assert.Equal(t, tc.want, isSPARequest(tc.path, distFS))
		})
	}
}
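// TestRateLimitOnlyForOAuth2AuthorizationPostRequest checks that the
// middleware returned by rateLimitOnlyForOAuth2AuthorizationPostRequest runs
// the supplied rate limiter only for an SPA request to the authorization
// page that carries form_post parameters, and bypasses it both for a plain
// page request and for a bundled static asset even when that asset URL
// carries the same parameters.
func TestRateLimitOnlyForOAuth2AuthorizationPostRequest(t *testing.T) {
	gin.SetMode(gin.TestMode)

	distFS := fstest.MapFS{
		"assets/app.js": &fstest.MapFile{Data: []byte("console.log('test')")},
	}

	// Shared query string so the asset case differs from the authorize case
	// only in the path, which is the property under test.
	const formPostQuery = "?response_mode=form_post&client_id=test&redirect_uri=https://example.com/callback"

	tests := []struct {
		name            string
		target          string
		wantRateLimited bool
		wantNextCalled  bool
	}{
		{
			name:            "rate limits spa form_post request",
			target:          "/authorize" + formPostQuery,
			wantRateLimited: true,
			wantNextCalled:  false,
		},
		{
			name:            "does not rate limit page request with no form_post params",
			target:          "/authorize",
			wantRateLimited: false,
			wantNextCalled:  true,
		},
		{
			name:            "does not rate limit static asset request with form_post params",
			target:          "/assets/app.js" + formPostQuery,
			wantRateLimited: false,
			wantNextCalled:  true,
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			rateLimited, nextCalled := serveThroughAuthorizationRateLimit(t, distFS, tc.target)
			assert.Equal(t, tc.wantRateLimited, rateLimited, "rate limiter invoked")
			assert.Equal(t, tc.wantNextCalled, nextCalled, "next handler invoked")
		})
	}
}

// serveThroughAuthorizationRateLimit sends a GET for target through a fresh
// gin router whose NoRoute chain is the middleware under test followed by a
// recording handler. It reports whether the stand-in rate limiter ran and
// whether the next handler ran; the stand-in aborts the chain, so nextCalled
// can only be set when the middleware skipped the limiter.
func serveThroughAuthorizationRateLimit(t *testing.T, distFS fstest.MapFS, target string) (rateLimited, nextCalled bool) {
	t.Helper()

	middleware := rateLimitOnlyForOAuth2AuthorizationPostRequest(func(c *gin.Context) {
		rateLimited = true
		c.Abort()
	}, distFS)

	router := gin.New()
	router.NoRoute(
		middleware,
		func(c *gin.Context) {
			nextCalled = true
		},
	)

	recorder := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, target, nil)
	router.ServeHTTP(recorder, req)

	return rateLimited, nextCalled
}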