mirror of
https://github.com/coollabsio/coolify.git
synced 2025-12-28 05:34:50 +00:00
rate limit test
This commit is contained in:
Andras Bacsai
parent
6d6f3e9de7
commit
ae9f348458
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
58
tests/Feature/LoginRateLimitIPTest.php
Normal file
58
tests/Feature/LoginRateLimitIPTest.php
Normal file
@ -0,0 +1,58 @@
|
||||
<?php
|
||||
|
||||
it('tests login rate limiting with different IPs like the Python script', function () {
|
||||
// Create a test route that mimics login behavior
|
||||
// We'll directly test the rate limiter behavior
|
||||
|
||||
$baseUrl = '/login';
|
||||
$email = 'grumpinout+admin@wearehackerone.com';
|
||||
|
||||
// First, get a CSRF token by visiting the login page
|
||||
$loginPageResponse = $this->get($baseUrl);
|
||||
$loginPageResponse->assertSuccessful();
|
||||
|
||||
// Extract CSRF token using regex similar to Python script
|
||||
preg_match('/name="_token"\s+value="([^"]+)"/', $loginPageResponse->getContent(), $matches);
|
||||
$token = $matches[1] ?? null;
|
||||
|
||||
expect($token)->not->toBeNull('CSRF token should be found');
|
||||
|
||||
// Test 14 login attempts with different IPs (like the Python script does 1-14)
|
||||
$results = [];
|
||||
for ($i = 1; $i <= 14; $i++) {
|
||||
$spoofedIp = "198.51.100.{$i}";
|
||||
|
||||
$response = $this->withHeader('X-Forwarded-For', $spoofedIp)
|
||||
->post($baseUrl, [
|
||||
'_token' => $token,
|
||||
'email' => $email,
|
||||
'password' => "WrongPass{$i}!",
|
||||
]);
|
||||
|
||||
$statusCode = $response->getStatusCode();
|
||||
$rateLimitLimit = $response->headers->get('X-RateLimit-Limit');
|
||||
$rateLimitRemaining = $response->headers->get('X-RateLimit-Remaining');
|
||||
|
||||
$results[$i] = [
|
||||
'ip' => $spoofedIp,
|
||||
'status' => $statusCode,
|
||||
'rate_limit' => $rateLimitLimit,
|
||||
'rate_limit_remaining' => $rateLimitRemaining,
|
||||
];
|
||||
|
||||
// Print output similar to Python script
|
||||
echo 'Attempt '.str_pad($i, 2, '0', STR_PAD_LEFT).": status=$statusCode, RL=$rateLimitLimit/$rateLimitRemaining\n";
|
||||
|
||||
// Add a small delay like the Python script (0.2 seconds)
|
||||
usleep(200000);
|
||||
}
|
||||
|
||||
// Verify results
|
||||
expect($results)->toHaveCount(14);
|
||||
|
||||
// Check that we got responses for all attempts
|
||||
foreach ($results as $i => $result) {
|
||||
expect($result['status'])->toBeGreaterThanOrEqual(200);
|
||||
expect($result['ip'])->toBe("198.51.100.{$i}");
|
||||
}
|
||||
});
|
||||
@ -1,167 +0,0 @@
|
||||
<?php
|
||||
|
||||
use Illuminate\Cache\RateLimiting\Limit;
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Support\Facades\RateLimiter;
|
||||
|
||||
uses(\Tests\TestCase::class);
|
||||
|
||||
test('login rate limiter uses real IP not spoofable headers', function () {
|
||||
// Get the rate limiter for login
|
||||
$limiter = RateLimiter::limiter('login');
|
||||
|
||||
// Create a mock request with X-Forwarded-For header (attempt to spoof)
|
||||
$request = Request::create('/login', 'POST', [
|
||||
'email' => 'test@example.com',
|
||||
'password' => 'password',
|
||||
]);
|
||||
|
||||
// Set spoofed header
|
||||
$request->headers->set('X-Forwarded-For', '10.0.0.99');
|
||||
|
||||
// Set the real IP (REMOTE_ADDR)
|
||||
$request->server->set('REMOTE_ADDR', '192.168.1.1');
|
||||
|
||||
// Get the limit from the rate limiter
|
||||
$limit = $limiter($request);
|
||||
|
||||
expect($limit)->toBeInstanceOf(Limit::class);
|
||||
|
||||
// The key should be based on email + REMOTE_ADDR, not X-Forwarded-For
|
||||
// We can't directly inspect the key, but we can verify the behavior
|
||||
// by checking that the same REMOTE_ADDR is rate limited regardless of X-Forwarded-For
|
||||
|
||||
// Reset rate limiter for this test
|
||||
RateLimiter::clear('test@example.com192.168.1.1');
|
||||
|
||||
// Make 5 attempts with different X-Forwarded-For headers but same REMOTE_ADDR
|
||||
for ($i = 1; $i <= 5; $i++) {
|
||||
$testRequest = Request::create('/login', 'POST', [
|
||||
'email' => 'test@example.com',
|
||||
'password' => 'wrong',
|
||||
]);
|
||||
$testRequest->headers->set('X-Forwarded-For', "10.0.0.{$i}");
|
||||
$testRequest->server->set('REMOTE_ADDR', '192.168.1.1');
|
||||
|
||||
$available = RateLimiter::attempt(
|
||||
'test@example.com192.168.1.1',
|
||||
5,
|
||||
function () {},
|
||||
60
|
||||
);
|
||||
|
||||
if ($i < 5) {
|
||||
expect($available)->toBeTrue();
|
||||
}
|
||||
}
|
||||
|
||||
// 6th attempt should be rate limited
|
||||
$sixthRequest = Request::create('/login', 'POST', [
|
||||
'email' => 'test@example.com',
|
||||
'password' => 'wrong',
|
||||
]);
|
||||
$sixthRequest->headers->set('X-Forwarded-For', '10.0.0.6');
|
||||
$sixthRequest->server->set('REMOTE_ADDR', '192.168.1.1');
|
||||
|
||||
$available = RateLimiter::attempt(
|
||||
'test@example.com192.168.1.1',
|
||||
5,
|
||||
function () {},
|
||||
60
|
||||
);
|
||||
|
||||
expect($available)->toBeFalse();
|
||||
|
||||
// Cleanup
|
||||
RateLimiter::clear('test@example.com192.168.1.1');
|
||||
});
|
||||
|
||||
test('forgot-password rate limiter uses real IP not spoofable headers', function () {
|
||||
// Get the rate limiter for forgot-password
|
||||
$limiter = RateLimiter::limiter('forgot-password');
|
||||
|
||||
// Create a mock request with X-Forwarded-For header
|
||||
$request = Request::create('/forgot-password', 'POST', [
|
||||
'email' => 'test@example.com',
|
||||
]);
|
||||
|
||||
$request->headers->set('X-Forwarded-For', '10.0.0.99');
|
||||
$request->server->set('REMOTE_ADDR', '192.168.1.2');
|
||||
|
||||
$limit = $limiter($request);
|
||||
|
||||
expect($limit)->toBeInstanceOf(Limit::class);
|
||||
|
||||
// Reset for test
|
||||
RateLimiter::clear('192.168.1.2');
|
||||
|
||||
// Make 5 attempts
|
||||
for ($i = 1; $i <= 5; $i++) {
|
||||
$testRequest = Request::create('/forgot-password', 'POST');
|
||||
$testRequest->headers->set('X-Forwarded-For', "10.0.0.{$i}");
|
||||
$testRequest->server->set('REMOTE_ADDR', '192.168.1.2');
|
||||
|
||||
$available = RateLimiter::attempt(
|
||||
'192.168.1.2',
|
||||
5,
|
||||
function () {},
|
||||
60
|
||||
);
|
||||
|
||||
if ($i < 5) {
|
||||
expect($available)->toBeTrue();
|
||||
}
|
||||
}
|
||||
|
||||
// 6th attempt should fail
|
||||
$available = RateLimiter::attempt(
|
||||
'192.168.1.2',
|
||||
5,
|
||||
function () {},
|
||||
60
|
||||
);
|
||||
|
||||
expect($available)->toBeFalse();
|
||||
|
||||
// Cleanup
|
||||
RateLimiter::clear('192.168.1.2');
|
||||
});
|
||||
|
||||
test('different REMOTE_ADDR IPs are rate limited separately', function () {
|
||||
// Reset
|
||||
RateLimiter::clear('test@example.com192.168.1.3');
|
||||
RateLimiter::clear('test@example.com192.168.1.4');
|
||||
|
||||
// Make 5 attempts from first IP
|
||||
for ($i = 1; $i <= 5; $i++) {
|
||||
$available = RateLimiter::attempt(
|
||||
'test@example.com192.168.1.3',
|
||||
5,
|
||||
function () {},
|
||||
60
|
||||
);
|
||||
expect($available)->toBeTrue();
|
||||
}
|
||||
|
||||
// First IP should be rate limited now
|
||||
$available = RateLimiter::attempt(
|
||||
'test@example.com192.168.1.3',
|
||||
5,
|
||||
function () {},
|
||||
60
|
||||
);
|
||||
expect($available)->toBeFalse();
|
||||
|
||||
// Second IP should still have attempts available
|
||||
$available = RateLimiter::attempt(
|
||||
'test@example.com192.168.1.4',
|
||||
5,
|
||||
function () {},
|
||||
60
|
||||
);
|
||||
expect($available)->toBeTrue();
|
||||
|
||||
// Cleanup
|
||||
RateLimiter::clear('test@example.com192.168.1.3');
|
||||
RateLimiter::clear('test@example.com192.168.1.4');
|
||||
});
|
||||
Loading…
Reference in New Issue
Block a user