AcadeNice/Wiki
1
0
Fork 0
Code Issues Pull requests Releases Activity Actions
Wiki/bridge/tests/middleware/rate-limit.test.ts
Corentin JOGUET 0cf6533885
Some checks are pending
CI / Lint bridge (Biome) (push) Waiting to run
Details
CI / Type-check bridge (push) Blocked by required conditions
Details
CI / Tests unit bridge (push) Blocked by required conditions
Details
CI / Tests integration bridge (push) Blocked by required conditions
Details
CI / Security scan (push) Waiting to run
Details
CI / Docker build + healthcheck (push) Blocked by required conditions
Details
feat(bridge): Bloc 5 rate limit + cache invalidation cote writes
2026-05-07 21:44:33 +02:00

286 lines
7.8 KiB
TypeScript
Raw Blame History

/**
* Tests rate limit middleware — fakes Redis.checkRateLimit pour observabilite.
*
* Pour les fenetres temporelles : pas de fake timers Vitest car
* RedisCache.checkRateLimit est mocke par fonction async ; on simule la reset
* en remplacant le mock entre les requetes (equivalent fonctionnel).
*/
import { Hono } from 'hono';
import { afterEach, describe, expect, it, vi } from 'vitest';
import { errorHandler } from '../../src/middleware/error-handler.js';
import {
type RateLimitDeps,
defaultRateLimitKey,
rateLimit,
} from '../../src/middleware/rate-limit.js';
interface FakeUser {
source: string;
tokenId?: string;
email?: string;
sub?: string;
roles: string[];
groups: string[];
scopes: string[];
}
function buildApp(
deps: RateLimitDeps,
opts: { max: number; window: number; keyFrom?: Parameters<typeof rateLimit>[1]['keyFrom'] },
presetUser?: FakeUser,
) {
const app = new Hono();
app.onError(errorHandler);
app.use('*', async (c, next) => {
if (presetUser) c.set('user' as never, presetUser as never);
await next();
});
app.use(
'*',
rateLimit(deps, {
maxRequests: opts.max,
windowSeconds: opts.window,
keyFrom: opts.keyFrom,
}),
);
app.get('/', (c) => c.text('ok'));
app.post('/mut', (c) => c.text('mut'));
return app;
}
class FakeLimiter {
public calls: Array<{ key: string; max: number; window: number }> = [];
// Map de (key) -> count vu jusqu'a maintenant. La fenetre n'est pas simulee :
// on remet a 0 manuellement entre les groupes de tests pour mimer l'expiry.
public counts = new Map<string, number>();
checkRateLimit = async (key: string, max: number, window: number): Promise<boolean> => {
this.calls.push({ key, max, window });
const next = (this.counts.get(key) ?? 0) + 1;
this.counts.set(key, next);
return next <= max;
};
reset(key: string) {
this.counts.set(key, 0);
}
}
describe('rateLimit middleware', () => {
afterEach(() => {
vi.restoreAllMocks();
});
it('autorise sous la limite, refuse au-dela avec 429 RATE_LIMITED', async () => {
const limiter = new FakeLimiter();
const app = buildApp(
limiter,
{ max: 2, window: 60 },
{
source: 'service-token',
tokenId: 'svc-A',
roles: [],
groups: [],
scopes: [],
},
);
const r1 = await app.request('/');
const r2 = await app.request('/');
const r3 = await app.request('/');
expect(r1.status).toBe(200);
expect(r2.status).toBe(200);
expect(r3.status).toBe(429);
const body = (await r3.json()) as {
error: { code: string; details?: { retry_after: number } };
};
expect(body.error.code).toBe('RATE_LIMITED');
expect(body.error.details?.retry_after).toBe(60);
expect(r3.headers.get('X-RateLimit-Limit')).toBe('2');
expect(r3.headers.get('X-RateLimit-Remaining')).toBe('0');
expect(r3.headers.get('X-RateLimit-Reset')).toBe('60');
});
it('reset apres windowSeconds (simulee via reset du compteur fake)', async () => {
const limiter = new FakeLimiter();
const app = buildApp(
limiter,
{ max: 1, window: 5 },
{
source: 'service-token',
tokenId: 'svc-B',
roles: [],
groups: [],
scopes: [],
},
);
const r1 = await app.request('/');
const r2 = await app.request('/');
expect(r1.status).toBe(200);
expect(r2.status).toBe(429);
// Simule l'expiry de la fenetre.
limiter.reset('token:svc-B');
const r3 = await app.request('/');
expect(r3.status).toBe(200);
});
it('compteurs global et mutation sont independants (cles distinctes en Redis)', async () => {
const limiter = new FakeLimiter();
const user: FakeUser = {
source: 'service-token',
tokenId: 'svc-C',
roles: [],
groups: [],
scopes: [],
};
const app = new Hono();
app.onError(errorHandler);
app.use('*', async (c, next) => {
c.set('user' as never, user as never);
await next();
});
app.use('*', rateLimit(limiter, { maxRequests: 5, windowSeconds: 60 }));
app.use(
'*',
rateLimit(limiter, {
maxRequests: 2,
windowSeconds: 60,
keyFrom: (c) => `${defaultRateLimitKey(c)}:mut`,
}),
);
app.post('/mut', (c) => c.text('ok'));
const r1 = await app.request('/mut', { method: 'POST' });
const r2 = await app.request('/mut', { method: 'POST' });
const r3 = await app.request('/mut', { method: 'POST' });
expect(r1.status).toBe(200);
expect(r2.status).toBe(200);
// 3eme : global = 3/5 OK, mutation = 3/2 KO -> 429.
expect(r3.status).toBe(429);
// Assertions sur les cles : deux compteurs distincts en Redis.
const keys = limiter.calls.map((c) => c.key);
expect(keys).toContain('token:svc-C');
expect(keys).toContain('token:svc-C:mut');
});
it('cle prioritaire : tokenId service-token avant tout', async () => {
const limiter = new FakeLimiter();
const app = buildApp(
limiter,
{ max: 5, window: 60 },
{
source: 'service-token',
tokenId: 'svc-D',
email: 'should-not-be-used@test',
sub: 'sub-x',
roles: [],
groups: [],
scopes: [],
},
);
await app.request('/');
expect(limiter.calls[0]?.key).toBe('token:svc-D');
});
it('cle email OIDC quand pas de tokenId', async () => {
const limiter = new FakeLimiter();
const app = buildApp(
limiter,
{ max: 5, window: 60 },
{
source: 'oidc-jwt',
email: 'Foo@Bar.IO',
sub: 'sub-y',
roles: [],
groups: [],
scopes: [],
},
);
await app.request('/');
// Email lower-case pour stabilite cross-casing.
expect(limiter.calls[0]?.key).toBe('email:foo@bar.io');
});
it('cle sub OIDC quand email absent', async () => {
const limiter = new FakeLimiter();
const app = buildApp(
limiter,
{ max: 5, window: 60 },
{
source: 'oidc-jwt',
sub: 'sub-z',
roles: [],
groups: [],
scopes: [],
},
);
await app.request('/');
expect(limiter.calls[0]?.key).toBe('sub:sub-z');
});
it('fallback IP via x-forwarded-for + warning logge', async () => {
const limiter = new FakeLimiter();
const app = new Hono();
app.onError(errorHandler);
app.use('*', rateLimit(limiter, { maxRequests: 5, windowSeconds: 60 }));
app.get('/', (c) => c.text('ok'));
await app.request('/', { headers: { 'x-forwarded-for': '203.0.113.5, 10.0.0.1' } });
// Premier IP (client le plus eloigne) extrait correctement.
expect(limiter.calls[0]?.key).toBe('ip:203.0.113.5');
});
it('fallback anonymous quand ni user ni IP', async () => {
const limiter = new FakeLimiter();
const app = new Hono();
app.onError(errorHandler);
app.use('*', rateLimit(limiter, { maxRequests: 5, windowSeconds: 60 }));
app.get('/', (c) => c.text('ok'));
await app.request('/');
expect(limiter.calls[0]?.key).toBe('anonymous');
});
it('keyFrom custom override la priorite par defaut', async () => {
const limiter = new FakeLimiter();
const app = buildApp(
limiter,
{ max: 5, window: 60, keyFrom: () => 'custom-key' },
{ source: 'service-token', tokenId: 'svc-E', roles: [], groups: [], scopes: [] },
);
await app.request('/');
expect(limiter.calls[0]?.key).toBe('custom-key');
});
it('appelle next() en cascade sans erreur quand sous la limite', async () => {
const limiter = new FakeLimiter();
const app = buildApp(
limiter,
{ max: 10, window: 60 },
{
source: 'service-token',
tokenId: 'svc-F',
roles: [],
groups: [],
scopes: [],
},
);
const res = await app.request('/');
expect(res.status).toBe(200);
expect(await res.text()).toBe('ok');
});
});
Reference in a new issue View git blame Copy permalink