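/**
 * Rate-limit middleware tests. `RedisCache.checkRateLimit` is replaced by an
 * in-memory fake so every call (key, max, window) is observable.
 *
 * Time windows: no Vitest fake timers, because `RedisCache.checkRateLimit` is
 * mocked as an async function. A window expiry is simulated by resetting the
 * fake's counter between requests (functionally equivalent for these tests).
 */
import { Hono } from 'hono';
import { afterEach, describe, expect, it, vi } from 'vitest';
import { errorHandler } from '../../src/middleware/error-handler.js';
import {
  type RateLimitDeps,
  defaultRateLimitKey,
  rateLimit,
} from '../../src/middleware/rate-limit.js';

/** Minimal shape of the `user` context variable the middleware derives its key from. */
interface FakeUser {
  source: string;
  tokenId?: string;
  email?: string;
  sub?: string;
  groups: string[];
  permissions: string[];
  scopes: string[];
}

/**
 * Builds a Hono app with the error handler, an optional preset `user` context
 * variable and the rate-limit middleware mounted on every route.
 *
 * @param deps - Rate-limit dependencies (the fake limiter in these tests).
 * @param opts - `max`/`window` map to `maxRequests`/`windowSeconds`; `keyFrom`
 *   is passed through to the middleware unchanged.
 * @param presetUser - When given, stored under `user` before the middleware runs.
 * @returns The configured app exposing `GET /` and `POST /mut`.
 */
function buildApp(
  deps: RateLimitDeps,
  opts: {
    max: number;
    window: number;
    // Same type as the middleware's own `keyFrom` option.
    keyFrom?: Parameters<typeof rateLimit>[1]['keyFrom'];
  },
  presetUser?: FakeUser,
) {
  const app = new Hono();
  app.onError(errorHandler);

  // Inject the authenticated principal the way the auth middleware would.
  app.use('*', async (c, next) => {
    if (presetUser) c.set('user' as never, presetUser as never);
    await next();
  });

  app.use(
    '*',
    rateLimit(deps, {
      maxRequests: opts.max,
      windowSeconds: opts.window,
      keyFrom: opts.keyFrom,
    }),
  );

  app.get('/', (c) => c.text('ok'));
  app.post('/mut', (c) => c.text('mut'));
  return app;
}

/**
 * In-memory stand-in for the Redis rate limiter. Records every call so tests
 * can assert on the derived key and limits.
 */
class FakeLimiter {
  /** Every `checkRateLimit` invocation, in call order. */
  public calls: Array<{ key: string; max: number; window: number }> = [];

  // key -> hit count seen so far. The window is NOT simulated: tests call
  // `reset()` explicitly between request groups to mimic expiry.
  public counts = new Map<string, number>();

  /** Fake of `RedisCache.checkRateLimit`: allowed while the count stays <= max. */
  checkRateLimit = async (key: string, max: number, window: number): Promise<boolean> => {
    this.calls.push({ key, max, window });
    const hits = (this.counts.get(key) ?? 0) + 1;
    this.counts.set(key, hits);
    return hits <= max;
  };

  /** Simulates window expiry for a single key. */
  reset(key: string): void {
    this.counts.set(key, 0);
  }
}

describe('rateLimit middleware', () => {
  afterEach(() => {
    // No vi.spyOn in this file; kept so any future spy is undone per test.
    vi.restoreAllMocks();
  });

  it('autorise sous la limite, refuse au-dela avec 429 RATE_LIMITED', async () => {
    const limiter = new FakeLimiter();
    const app = buildApp(
      limiter,
      { max: 2, window: 60 },
      { source: 'service-token', tokenId: 'svc-A', permissions: [], groups: [], scopes: [] },
    );

    const r1 = await app.request('/');
    const r2 = await app.request('/');
    const r3 = await app.request('/');
    expect(r1.status).toBe(200);
    expect(r2.status).toBe(200);
    expect(r3.status).toBe(429);

    const body = (await r3.json()) as {
      error: { code: string; details?: { retry_after: number } };
    };
    expect(body.error.code).toBe('RATE_LIMITED');
    // retry_after and X-RateLimit-Reset both report the full window length.
    expect(body.error.details?.retry_after).toBe(60);
    expect(r3.headers.get('X-RateLimit-Limit')).toBe('2');
    expect(r3.headers.get('X-RateLimit-Remaining')).toBe('0');
    expect(r3.headers.get('X-RateLimit-Reset')).toBe('60');
  });

  it('reset apres windowSeconds (simulee via reset du compteur fake)', async () => {
    const limiter = new FakeLimiter();
    const app = buildApp(
      limiter,
      { max: 1, window: 5 },
      { source: 'service-token', tokenId: 'svc-B', permissions: [], groups: [], scopes: [] },
    );

    const r1 = await app.request('/');
    const r2 = await app.request('/');
    expect(r1.status).toBe(200);
    expect(r2.status).toBe(429);

    // Simulate the window expiring for this key only.
    limiter.reset('token:svc-B');
    const r3 = await app.request('/');
    expect(r3.status).toBe(200);
  });

  it('compteurs global et mutation sont independants (cles distinctes en Redis)', async () => {
    const limiter = new FakeLimiter();
    const user: FakeUser = {
      source: 'service-token',
      tokenId: 'svc-C',
      permissions: [],
      groups: [],
      scopes: [],
    };

    const app = new Hono();
    app.onError(errorHandler);
    app.use('*', async (c, next) => {
      c.set('user' as never, user as never);
      await next();
    });
    // Global limiter first, then a tighter limiter on a derived key.
    app.use('*', rateLimit(limiter, { maxRequests: 5, windowSeconds: 60 }));
    app.use(
      '*',
      rateLimit(limiter, {
        maxRequests: 2,
        windowSeconds: 60,
        keyFrom: (c) => `${defaultRateLimitKey(c)}:mut`,
      }),
    );
    app.post('/mut', (c) => c.text('ok'));

    const r1 = await app.request('/mut', { method: 'POST' });
    const r2 = await app.request('/mut', { method: 'POST' });
    const r3 = await app.request('/mut', { method: 'POST' });
    expect(r1.status).toBe(200);
    expect(r2.status).toBe(200);
    // 3rd request: global = 3/5 OK, mutation = 3/2 exceeded -> 429.
    expect(r3.status).toBe(429);

    // Two distinct Redis keys are used.
    const keys = limiter.calls.map((call) => call.key);
    expect(keys).toContain('token:svc-C');
    expect(keys).toContain('token:svc-C:mut');
    // The global limiter runs before the mutation limiter, so a request that
    // ends up rejected by the mutation limiter still consumed global budget.
    expect(keys.filter((k) => k === 'token:svc-C')).toHaveLength(3);
  });

  it('cle prioritaire : tokenId service-token avant tout', async () => {
    const limiter = new FakeLimiter();
    const app = buildApp(
      limiter,
      { max: 5, window: 60 },
      {
        source: 'service-token',
        tokenId: 'svc-D',
        email: 'should-not-be-used@test',
        sub: 'sub-x',
        permissions: [],
        groups: [],
        scopes: [],
      },
    );
    await app.request('/');
    expect(limiter.calls[0]?.key).toBe('token:svc-D');
  });

  it('cle email OIDC quand pas de tokenId', async () => {
    const limiter = new FakeLimiter();
    const app = buildApp(
      limiter,
      { max: 5, window: 60 },
      { source: 'oidc-jwt', email: 'Foo@Bar.IO', sub: 'sub-y', permissions: [], groups: [], scopes: [] },
    );
    await app.request('/');
    // Email is lower-cased so the same principal cannot get separate buckets
    // by varying the casing of the claim.
    expect(limiter.calls[0]?.key).toBe('email:foo@bar.io');
  });

  it('cle sub OIDC quand email absent', async () => {
    const limiter = new FakeLimiter();
    const app = buildApp(
      limiter,
      { max: 5, window: 60 },
      { source: 'oidc-jwt', sub: 'sub-z', permissions: [], groups: [], scopes: [] },
    );
    await app.request('/');
    expect(limiter.calls[0]?.key).toBe('sub:sub-z');
  });

  it('fallback IP via x-forwarded-for + warning logge', async () => {
    const limiter = new FakeLimiter();
    const app = new Hono();
    app.onError(errorHandler);
    app.use('*', rateLimit(limiter, { maxRequests: 5, windowSeconds: 60 }));
    app.get('/', (c) => c.text('ok'));

    await app.request('/', { headers: { 'x-forwarded-for': '203.0.113.5, 10.0.0.1' } });
    // The leftmost entry (furthest client) is extracted. That value is
    // client-supplied, so IP keying is only meaningful behind a proxy that
    // rewrites or strips the header; it is a weak fallback, not an identity.
    expect(limiter.calls[0]?.key).toBe('ip:203.0.113.5');
    // NOTE(review): the "warning logged" part of the test name is not asserted
    // here — the logger is not injected through `deps` in this test.
  });

  it('fallback anonymous quand ni user ni IP', async () => {
    const limiter = new FakeLimiter();
    const app = new Hono();
    app.onError(errorHandler);
    app.use('*', rateLimit(limiter, { maxRequests: 5, windowSeconds: 60 }));
    app.get('/', (c) => c.text('ok'));

    await app.request('/');
    // All unauthenticated clients without a resolvable IP share one bucket.
    expect(limiter.calls[0]?.key).toBe('anonymous');
  });

  it('keyFrom custom override la priorite par defaut', async () => {
    const limiter = new FakeLimiter();
    const app = buildApp(
      limiter,
      { max: 5, window: 60, keyFrom: () => 'custom-key' },
      { source: 'service-token', tokenId: 'svc-E', permissions: [], groups: [], scopes: [] },
    );
    await app.request('/');
    expect(limiter.calls[0]?.key).toBe('custom-key');
  });

  it('appelle next() en cascade sans erreur quand sous la limite', async () => {
    const limiter = new FakeLimiter();
    const app = buildApp(
      limiter,
      { max: 10, window: 60 },
      { source: 'service-token', tokenId: 'svc-F', permissions: [], groups: [], scopes: [] },
    );
    const res = await app.request('/');
    expect(res.status).toBe(200);
    expect(await res.text()).toBe('ok');
  });
});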