-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathratelimit_test.go
More file actions
240 lines (203 loc) · 7.14 KB
/
ratelimit_test.go
File metadata and controls
240 lines (203 loc) · 7.14 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
// SPDX-License-Identifier: EUPL-1.2
package api_test
import (
"encoding/json"
"net/http"
"net/http/httptest"
"testing"
"time"
"github.com/gin-gonic/gin"
api "dappco.re/go/core/api"
)
type rateLimitTestGroup struct{}
func (r *rateLimitTestGroup) Name() string { return "rate-limit" }
func (r *rateLimitTestGroup) BasePath() string { return "/rate" }
func (r *rateLimitTestGroup) RegisterRoutes(rg *gin.RouterGroup) {
rg.GET("/ping", func(c *gin.Context) {
c.JSON(http.StatusOK, api.OK("pong"))
})
}
func TestWithRateLimit_Good_AllowsBurstThenRejects(t *testing.T) {
gin.SetMode(gin.TestMode)
e, _ := api.New(api.WithRateLimit(2))
e.Register(&rateLimitTestGroup{})
h := e.Handler()
w1 := httptest.NewRecorder()
req1, _ := http.NewRequest(http.MethodGet, "/rate/ping", nil)
req1.RemoteAddr = "203.0.113.10:1234"
h.ServeHTTP(w1, req1)
if w1.Code != http.StatusOK {
t.Fatalf("expected first request to succeed, got %d", w1.Code)
}
if got := w1.Header().Get("X-RateLimit-Limit"); got != "2" {
t.Fatalf("expected X-RateLimit-Limit=2, got %q", got)
}
if got := w1.Header().Get("X-RateLimit-Remaining"); got != "1" {
t.Fatalf("expected X-RateLimit-Remaining=1, got %q", got)
}
if got := w1.Header().Get("X-RateLimit-Reset"); got == "" {
t.Fatal("expected X-RateLimit-Reset on successful response")
}
w2 := httptest.NewRecorder()
req2, _ := http.NewRequest(http.MethodGet, "/rate/ping", nil)
req2.RemoteAddr = "203.0.113.10:1234"
h.ServeHTTP(w2, req2)
if w2.Code != http.StatusOK {
t.Fatalf("expected second request to succeed, got %d", w2.Code)
}
w3 := httptest.NewRecorder()
req3, _ := http.NewRequest(http.MethodGet, "/rate/ping", nil)
req3.RemoteAddr = "203.0.113.10:1234"
h.ServeHTTP(w3, req3)
if w3.Code != http.StatusTooManyRequests {
t.Fatalf("expected third request to be rate limited, got %d", w3.Code)
}
if got := w3.Header().Get("Retry-After"); got == "" {
t.Fatal("expected Retry-After header on 429 response")
}
if got := w3.Header().Get("X-RateLimit-Limit"); got != "2" {
t.Fatalf("expected X-RateLimit-Limit=2 on 429, got %q", got)
}
if got := w3.Header().Get("X-RateLimit-Remaining"); got != "0" {
t.Fatalf("expected X-RateLimit-Remaining=0 on 429, got %q", got)
}
if got := w3.Header().Get("X-RateLimit-Reset"); got == "" {
t.Fatal("expected X-RateLimit-Reset on 429 response")
}
var resp api.Response[any]
if err := json.Unmarshal(w3.Body.Bytes(), &resp); err != nil {
t.Fatalf("unmarshal error: %v", err)
}
if resp.Success {
t.Fatal("expected Success=false for rate limited response")
}
if resp.Error == nil || resp.Error.Code != "rate_limit_exceeded" {
t.Fatalf("expected rate_limit_exceeded error, got %+v", resp.Error)
}
}
func TestWithRateLimit_Good_IsolatesPerIP(t *testing.T) {
gin.SetMode(gin.TestMode)
e, _ := api.New(api.WithRateLimit(1))
e.Register(&rateLimitTestGroup{})
h := e.Handler()
w1 := httptest.NewRecorder()
req1, _ := http.NewRequest(http.MethodGet, "/rate/ping", nil)
req1.RemoteAddr = "203.0.113.10:1234"
h.ServeHTTP(w1, req1)
if w1.Code != http.StatusOK {
t.Fatalf("expected first IP to succeed, got %d", w1.Code)
}
if got := w1.Header().Get("X-RateLimit-Limit"); got != "1" {
t.Fatalf("expected X-RateLimit-Limit=1, got %q", got)
}
w2 := httptest.NewRecorder()
req2, _ := http.NewRequest(http.MethodGet, "/rate/ping", nil)
req2.RemoteAddr = "203.0.113.11:1234"
h.ServeHTTP(w2, req2)
if w2.Code != http.StatusOK {
t.Fatalf("expected second IP to have its own bucket, got %d", w2.Code)
}
}
func TestWithRateLimit_Good_IsolatesPerAPIKey(t *testing.T) {
gin.SetMode(gin.TestMode)
e, _ := api.New(api.WithRateLimit(1))
e.Register(&rateLimitTestGroup{})
h := e.Handler()
w1 := httptest.NewRecorder()
req1, _ := http.NewRequest(http.MethodGet, "/rate/ping", nil)
req1.RemoteAddr = "203.0.113.20:1234"
req1.Header.Set("X-API-Key", "key-a")
h.ServeHTTP(w1, req1)
if w1.Code != http.StatusOK {
t.Fatalf("expected first API key request to succeed, got %d", w1.Code)
}
w2 := httptest.NewRecorder()
req2, _ := http.NewRequest(http.MethodGet, "/rate/ping", nil)
req2.RemoteAddr = "203.0.113.20:1234"
req2.Header.Set("X-API-Key", "key-b")
h.ServeHTTP(w2, req2)
if w2.Code != http.StatusOK {
t.Fatalf("expected second API key to have its own bucket, got %d", w2.Code)
}
w3 := httptest.NewRecorder()
req3, _ := http.NewRequest(http.MethodGet, "/rate/ping", nil)
req3.RemoteAddr = "203.0.113.20:1234"
req3.Header.Set("X-API-Key", "key-a")
h.ServeHTTP(w3, req3)
if w3.Code != http.StatusTooManyRequests {
t.Fatalf("expected repeated API key to be rate limited, got %d", w3.Code)
}
}
func TestWithRateLimit_Good_UsesBearerTokenWhenPresent(t *testing.T) {
gin.SetMode(gin.TestMode)
e, _ := api.New(api.WithRateLimit(1))
e.Register(&rateLimitTestGroup{})
h := e.Handler()
w1 := httptest.NewRecorder()
req1, _ := http.NewRequest(http.MethodGet, "/rate/ping", nil)
req1.RemoteAddr = "203.0.113.30:1234"
req1.Header.Set("Authorization", "Bearer token-a")
h.ServeHTTP(w1, req1)
if w1.Code != http.StatusOK {
t.Fatalf("expected first bearer token request to succeed, got %d", w1.Code)
}
w2 := httptest.NewRecorder()
req2, _ := http.NewRequest(http.MethodGet, "/rate/ping", nil)
req2.RemoteAddr = "203.0.113.30:1234"
req2.Header.Set("Authorization", "Bearer token-b")
h.ServeHTTP(w2, req2)
if w2.Code != http.StatusOK {
t.Fatalf("expected second bearer token to have its own bucket, got %d", w2.Code)
}
w3 := httptest.NewRecorder()
req3, _ := http.NewRequest(http.MethodGet, "/rate/ping", nil)
req3.RemoteAddr = "203.0.113.30:1234"
req3.Header.Set("Authorization", "Bearer token-a")
h.ServeHTTP(w3, req3)
if w3.Code != http.StatusTooManyRequests {
t.Fatalf("expected repeated bearer token to be rate limited, got %d", w3.Code)
}
}
func TestWithRateLimit_Good_RefillsOverTime(t *testing.T) {
gin.SetMode(gin.TestMode)
e, _ := api.New(api.WithRateLimit(1))
e.Register(&rateLimitTestGroup{})
h := e.Handler()
req, _ := http.NewRequest(http.MethodGet, "/rate/ping", nil)
req.RemoteAddr = "203.0.113.12:1234"
w1 := httptest.NewRecorder()
h.ServeHTTP(w1, req.Clone(req.Context()))
if w1.Code != http.StatusOK {
t.Fatalf("expected first request to succeed, got %d", w1.Code)
}
w2 := httptest.NewRecorder()
req2 := req.Clone(req.Context())
req2.RemoteAddr = req.RemoteAddr
h.ServeHTTP(w2, req2)
if w2.Code != http.StatusTooManyRequests {
t.Fatalf("expected second request to be rate limited, got %d", w2.Code)
}
time.Sleep(1100 * time.Millisecond)
w3 := httptest.NewRecorder()
req3 := req.Clone(req.Context())
req3.RemoteAddr = req.RemoteAddr
h.ServeHTTP(w3, req3)
if w3.Code != http.StatusOK {
t.Fatalf("expected bucket to refill after waiting, got %d", w3.Code)
}
}
func TestWithRateLimit_Ugly_NonPositiveLimitDisablesMiddleware(t *testing.T) {
gin.SetMode(gin.TestMode)
e, _ := api.New(api.WithRateLimit(0))
e.Register(&rateLimitTestGroup{})
h := e.Handler()
for i := 0; i < 3; i++ {
w := httptest.NewRecorder()
req, _ := http.NewRequest(http.MethodGet, "/rate/ping", nil)
req.RemoteAddr = "203.0.113.13:1234"
h.ServeHTTP(w, req)
if w.Code != http.StatusOK {
t.Fatalf("expected request %d to succeed with disabled limiter, got %d", i+1, w.Code)
}
}
}