DEV: Move spec/components to spec/lib (#15987)

Lib specs were inexplicably split into two directories (`lib` and `components`) This moves them all into `lib`.
2025-05-30 15:28:37 +08:00 · 2022-02-18 19:41:54 +01:00
parent cf545be338
commit 45cc16098d
199 changed files with 0 additions and 0 deletions
--- a/spec/lib/auth/default_current_user_provider_spec.rb
+++ b/spec/lib/auth/default_current_user_provider_spec.rb
@ -0,0 +1,743 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe Auth::DefaultCurrentUserProvider do
+  # careful using fab! here is can lead to an erratic test
+  # we want a distinct user object per test so last_seen_at is
+  # handled correctly
+  let(:user) { Fabricate(:user) }
+
+  class TestProvider < Auth::DefaultCurrentUserProvider
+    attr_reader :env
+    def initialize(env)
+      super(env)
+    end
+
+    def cookie_jar
+      @cookie_jar ||= ActionDispatch::Request.new(env).cookie_jar
+    end
+  end
+
+  def provider(url, opts = nil)
+    opts ||= { method: "GET" }
+    env = create_request_env(path: url).merge(opts)
+    TestProvider.new(env)
+  end
+
+  def get_cookie_info(cookie_jar, name)
+    headers = {}
+    cookie_jar.always_write_cookie = true
+    cookie_jar.write(headers)
+
+    header = headers["Set-Cookie"]
+    return if header.nil?
+
+    info = {}
+
+    line = header.split("\n").find { |l| l.start_with?("#{name}=") }
+    parts = line.split(";").map(&:strip)
+
+    info[:value] = parts.shift.split("=")[1]
+    parts.each do |p|
+      key, value = p.split("=")
+      info[key.downcase.to_sym] = value || true
+    end
+
+    info
+  end
+
+  it "can be used to pretend that a user doesn't exist" do
+    provider = TestProvider.new(create_request_env(path: "/"))
+    expect(provider.current_user).to eq(nil)
+  end
+
+  context "server header api" do
+    it "raises for a revoked key" do
+      api_key = ApiKey.create!
+      params = { "HTTP_API_USERNAME" => user.username.downcase, "HTTP_API_KEY" => api_key.key }
+      expect(
+        provider("/", params).current_user.id
+      ).to eq(user.id)
+
+      api_key.reload.update(revoked_at: Time.zone.now, last_used_at: nil)
+      expect(api_key.reload.last_used_at).to eq(nil)
+      params = { "HTTP_API_USERNAME" => user.username.downcase, "HTTP_API_KEY" => api_key.key }
+
+      expect {
+        provider("/", params).current_user
+      }.to raise_error(Discourse::InvalidAccess)
+
+      api_key.reload
+      expect(api_key.last_used_at).to eq(nil)
+    end
+
+    it "raises errors for incorrect api_key" do
+      params = { "HTTP_API_KEY" => "INCORRECT" }
+      expect {
+        provider("/", params).current_user
+      }.to raise_error(Discourse::InvalidAccess, /API username or key is invalid/)
+    end
+
+    it "finds a user for a correct per-user api key" do
+      api_key = ApiKey.create!(user_id: user.id, created_by_id: -1)
+      params = { "HTTP_API_KEY" => api_key.key }
+
+      good_provider = provider("/", params)
+
+      expect do
+        expect(good_provider.current_user.id).to eq(user.id)
+      end.to change { api_key.reload.last_used_at }
+
+      expect(good_provider.is_api?).to eq(true)
+      expect(good_provider.is_user_api?).to eq(false)
+      expect(good_provider.should_update_last_seen?).to eq(false)
+
+      user.update_columns(active: false)
+
+      expect {
+        provider("/", params).current_user
+      }.to raise_error(Discourse::InvalidAccess)
+
+      user.update_columns(active: true, suspended_till: 1.day.from_now)
+
+      expect {
+        provider("/", params).current_user
+      }.to raise_error(Discourse::InvalidAccess)
+    end
+
+    it "raises for a user pretending" do
+      user2 = Fabricate(:user)
+      api_key = ApiKey.create!(user_id: user.id, created_by_id: -1)
+      params = { "HTTP_API_KEY" => api_key.key, "HTTP_API_USERNAME" => user2.username.downcase }
+
+      expect {
+        provider("/", params).current_user
+      }.to raise_error(Discourse::InvalidAccess)
+    end
+
+    it "raises for a user with a mismatching ip" do
+      api_key = ApiKey.create!(user_id: user.id, created_by_id: -1, allowed_ips: ['10.0.0.0/24'])
+      params = {
+        "HTTP_API_KEY" => api_key.key,
+        "HTTP_API_USERNAME" => user.username.downcase,
+        "REMOTE_ADDR" => "10.1.0.1"
+      }
+
+      expect {
+        provider("/", params).current_user
+      }.to raise_error(Discourse::InvalidAccess)
+    end
+
+    it "allows a user with a matching ip" do
+      api_key = ApiKey.create!(user_id: user.id, created_by_id: -1, allowed_ips: ['100.0.0.0/24'])
+      params = {
+        "HTTP_API_KEY" => api_key.key,
+        "HTTP_API_USERNAME" => user.username.downcase,
+        "REMOTE_ADDR" => "100.0.0.22",
+      }
+
+      found_user = provider("/", params).current_user
+
+      expect(found_user.id).to eq(user.id)
+
+      params = {
+        "HTTP_API_KEY" => api_key.key,
+        "HTTP_API_USERNAME" => user.username.downcase,
+        "HTTP_X_FORWARDED_FOR" => "10.1.1.1, 100.0.0.22"
+      }
+
+      found_user = provider("/", params).current_user
+      expect(found_user.id).to eq(user.id)
+    end
+
+    it "finds a user for a correct system api key" do
+      api_key = ApiKey.create!(created_by_id: -1)
+      params = { "HTTP_API_KEY" => api_key.key, "HTTP_API_USERNAME" => user.username.downcase }
+      expect(provider("/", params).current_user.id).to eq(user.id)
+    end
+
+    it "raises for a mismatched api_key header and param username" do
+      api_key = ApiKey.create!(created_by_id: -1)
+      params = { "HTTP_API_KEY" => api_key.key }
+      expect {
+        provider("/?api_username=#{user.username.downcase}", params).current_user
+      }.to raise_error(Discourse::InvalidAccess)
+    end
+
+    it "finds a user for a correct system api key with external id" do
+      api_key = ApiKey.create!(created_by_id: -1)
+      SingleSignOnRecord.create(user_id: user.id, external_id: "abc", last_payload: '')
+      params = { "HTTP_API_KEY" => api_key.key, "HTTP_API_USER_EXTERNAL_ID" => "abc" }
+      expect(provider("/", params).current_user.id).to eq(user.id)
+    end
+
+    it "raises for a mismatched api_key header and param external id" do
+      api_key = ApiKey.create!(created_by_id: -1)
+      SingleSignOnRecord.create(user_id: user.id, external_id: "abc", last_payload: '')
+      params = { "HTTP_API_KEY" => api_key.key }
+      expect {
+        provider("/?api_user_external_id=abc", params).current_user
+      }.to raise_error(Discourse::InvalidAccess)
+    end
+
+    it "finds a user for a correct system api key with id" do
+      api_key = ApiKey.create!(created_by_id: -1)
+      params = { "HTTP_API_KEY" => api_key.key, "HTTP_API_USER_ID" => user.id }
+      expect(provider("/", params).current_user.id).to eq(user.id)
+    end
+
+    it "raises for a mismatched api_key header and param user id" do
+      api_key = ApiKey.create!(created_by_id: -1)
+      params = { "HTTP_API_KEY" => api_key.key }
+      expect {
+        provider("/?api_user_id=#{user.id}", params).current_user
+      }.to raise_error(Discourse::InvalidAccess)
+    end
+
+    describe "when readonly mode is enabled due to postgres" do
+      before do
+        Discourse.enable_readonly_mode(Discourse::PG_READONLY_MODE_KEY)
+      end
+
+      after do
+        Discourse.disable_readonly_mode(Discourse::PG_READONLY_MODE_KEY)
+      end
+
+      it "should not update ApiKey#last_used_at" do
+        api_key = ApiKey.create!(user_id: user.id, created_by_id: -1)
+        params = { "HTTP_API_KEY" => api_key.key }
+
+        good_provider = provider("/", params)
+
+        expect do
+          expect(good_provider.current_user.id).to eq(user.id)
+        end.to_not change { api_key.reload.last_used_at }
+      end
+    end
+
+    context "rate limiting" do
+      before do
+        RateLimiter.enable
+      end
+
+      it "rate limits admin api requests" do
+        global_setting :max_admin_api_reqs_per_minute, 3
+
+        freeze_time
+        RateLimiter.new(nil, "admin_api_min", 3, 60).clear!
+
+        api_key = ApiKey.create!(created_by_id: -1)
+        params = { "HTTP_API_KEY" => api_key.key, "HTTP_API_USERNAME" => user.username.downcase }
+        system_params = params.merge("HTTP_API_USERNAME" => "system")
+
+        provider("/", params).current_user
+        provider("/", system_params).current_user
+        provider("/", params).current_user
+
+        expect do
+          provider("/", system_params).current_user
+        end.to raise_error(RateLimiter::LimitExceeded)
+
+        freeze_time 59.seconds.from_now
+
+        expect do
+          provider("/", system_params).current_user
+        end.to raise_error(RateLimiter::LimitExceeded)
+
+        freeze_time 2.seconds.from_now
+
+        # 1 minute elapsed
+        provider("/", system_params).current_user
+
+        # should not rate limit a random key
+        api_key.destroy
+        api_key = ApiKey.create!(created_by_id: -1)
+        params = { "HTTP_API_KEY" => api_key.key, "HTTP_API_USERNAME" => user.username.downcase }
+        provider("/", params).current_user
+      end
+    end
+  end
+
+  describe "#current_user" do
+    let(:cookie) do
+      new_provider = provider('/')
+      new_provider.log_on_user(user, {}, new_provider.cookie_jar)
+      new_provider.cookie_jar["_t"]
+    end
+
+    before do
+      @orig = freeze_time
+      user.clear_last_seen_cache!(@orig)
+    end
+
+    after do
+      user.clear_last_seen_cache!(@orig)
+    end
+
+    it "should not update last seen for suspended users" do
+      provider2 = provider("/", "HTTP_COOKIE" => "_t=#{cookie}")
+      u = provider2.current_user
+      u.reload
+      expect(u.last_seen_at).to eq_time(Time.zone.now)
+
+      freeze_time 20.minutes.from_now
+
+      u.last_seen_at = nil
+      u.suspended_till = 1.year.from_now
+      u.save!
+
+      u.clear_last_seen_cache!
+
+      provider2 = provider("/", "HTTP_COOKIE" => "_t=#{cookie}")
+      expect(provider2.current_user).to eq(nil)
+
+      u.reload
+      expect(u.last_seen_at).to eq(nil)
+    end
+
+    describe "when readonly mode is enabled due to postgres" do
+      before do
+        Discourse.enable_readonly_mode(Discourse::PG_READONLY_MODE_KEY)
+      end
+
+      after do
+        Discourse.disable_readonly_mode(Discourse::PG_READONLY_MODE_KEY)
+      end
+
+      it "should not update User#last_seen_at" do
+        provider2 = provider("/", "HTTP_COOKIE" => "_t=#{cookie}")
+        u = provider2.current_user
+        u.reload
+        expect(u.last_seen_at).to eq(nil)
+      end
+    end
+  end
+
+  it "should update last seen for non ajax" do
+    expect(provider("/topic/anything/goes", method: "POST").should_update_last_seen?).to eq(true)
+    expect(provider("/topic/anything/goes", method: "GET").should_update_last_seen?).to eq(true)
+  end
+
+  it "should update ajax reqs with discourse visible" do
+    expect(provider("/topic/anything/goes",
+                    :method => "POST",
+                    "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest",
+                    "HTTP_DISCOURSE_PRESENT" => "true"
+          ).should_update_last_seen?).to eq(true)
+  end
+
+  it "should not update last seen for ajax calls without Discourse-Present header" do
+    expect(provider("/topic/anything/goes",
+                    :method => "POST",
+                    "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest"
+          ).should_update_last_seen?).to eq(false)
+  end
+
+  it "should update last seen for API calls with Discourse-Present header" do
+    api_key = ApiKey.create!(user_id: user.id, created_by_id: -1)
+    params = { :method => "POST",
+               "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest",
+               "HTTP_API_KEY" => api_key.key
+              }
+
+    expect(provider("/topic/anything/goes", params).should_update_last_seen?).to eq(false)
+    expect(provider("/topic/anything/goes", params.merge("HTTP_DISCOURSE_PRESENT" => "true")).should_update_last_seen?).to eq(true)
+  end
+
+  it "supports non persistent sessions" do
+    SiteSetting.persistent_sessions = false
+
+    @provider = provider('/')
+    @provider.log_on_user(user, {}, @provider.cookie_jar)
+
+    cookie_info = get_cookie_info(@provider.cookie_jar, "_t")
+    expect(cookie_info[:expires]).to eq(nil)
+  end
+
+  it "v0 of auth cookie is still acceptable" do
+    token = UserAuthToken.generate!(user_id: user.id).unhashed_auth_token
+    ip = "10.0.0.1"
+    env = { "HTTP_COOKIE" => "_t=#{token}", "REMOTE_ADDR" => ip }
+    expect(provider('/', env).current_user.id).to eq(user.id)
+  end
+
+  it "correctly rotates tokens" do
+    SiteSetting.maximum_session_age = 3
+    @provider = provider('/')
+    @provider.log_on_user(user, {}, @provider.cookie_jar)
+
+    cookie = @provider.cookie_jar["_t"]
+    unhashed_token = decrypt_auth_cookie(cookie)[:token]
+
+    token = UserAuthToken.find_by(user_id: user.id)
+
+    expect(token.auth_token_seen).to eq(false)
+    expect(token.auth_token).not_to eq(unhashed_token)
+    expect(token.auth_token).to eq(UserAuthToken.hash_token(unhashed_token))
+
+    # at this point we are going to try to rotate token
+    freeze_time 20.minutes.from_now
+
+    provider2 = provider("/", "HTTP_COOKIE" => "_t=#{cookie}")
+    provider2.current_user
+
+    token.reload
+    expect(token.auth_token_seen).to eq(true)
+
+    provider2.refresh_session(user, {}, provider2.cookie_jar)
+    expect(
+      decrypt_auth_cookie(provider2.cookie_jar["_t"])[:token]
+    ).not_to eq(unhashed_token)
+    expect(
+      decrypt_auth_cookie(provider2.cookie_jar["_t"])[:token].size
+    ).to eq(32)
+
+    token.reload
+    expect(token.auth_token_seen).to eq(false)
+
+    freeze_time 21.minutes.from_now
+
+    old_token = token.prev_auth_token
+    unverified_token = token.auth_token
+
+    # old token should still work
+    provider2 = provider("/", "HTTP_COOKIE" => "_t=#{cookie}")
+    expect(provider2.current_user.id).to eq(user.id)
+
+    provider2.refresh_session(user, {}, provider2.cookie_jar)
+
+    token.reload
+
+    # because this should cause a rotation since we can safely
+    # assume it never reached the client
+    expect(token.prev_auth_token).to eq(old_token)
+    expect(token.auth_token).not_to eq(unverified_token)
+
+  end
+
+  context "events" do
+    before do
+      @refreshes = 0
+
+      @increase_refreshes = -> (user) { @refreshes += 1 }
+      DiscourseEvent.on(:user_session_refreshed, &@increase_refreshes)
+    end
+
+    after do
+      DiscourseEvent.off(:user_session_refreshed, &@increase_refreshes)
+    end
+
+    it "fires event when updating last seen" do
+      @provider = provider('/')
+      @provider.log_on_user(user, {}, @provider.cookie_jar)
+      cookie = @provider.cookie_jar["_t"]
+      unhashed_token = decrypt_auth_cookie(cookie)[:token]
+      freeze_time 20.minutes.from_now
+      provider2 = provider("/", "HTTP_COOKIE" => "_t=#{cookie}")
+      provider2.refresh_session(user, {}, provider2.cookie_jar)
+      expect(@refreshes).to eq(1)
+    end
+
+    it "does not fire an event when last seen does not update" do
+      @provider = provider('/')
+      @provider.log_on_user(user, {}, @provider.cookie_jar)
+      cookie = @provider.cookie_jar["_t"]
+      unhashed_token = decrypt_auth_cookie(cookie)[:token]
+      freeze_time 2.minutes.from_now
+      provider2 = provider("/", "HTTP_COOKIE" => "_t=#{cookie}")
+      provider2.refresh_session(user, {}, provider2.cookie_jar)
+      expect(@refreshes).to eq(0)
+    end
+  end
+
+  context "rate limiting" do
+
+    before do
+      RateLimiter.enable
+    end
+
+    it "can only try 10 bad cookies a minute" do
+      token = UserAuthToken.generate!(user_id: user.id)
+      cookie = create_auth_cookie(
+        token: token.unhashed_auth_token,
+        user_id: user.id,
+        trust_level: user.trust_level,
+        issued_at: 5.minutes.ago
+      )
+
+      @provider = provider('/')
+      @provider.log_on_user(user, {}, @provider.cookie_jar)
+
+      RateLimiter.new(nil, "cookie_auth_10.0.0.1", 10, 60).clear!
+      RateLimiter.new(nil, "cookie_auth_10.0.0.2", 10, 60).clear!
+
+      ip = "10.0.0.1"
+      bad_cookie = create_auth_cookie(
+        token: SecureRandom.hex,
+        user_id: user.id,
+        trust_level: user.trust_level,
+        issued_at: 5.minutes.ago,
+      )
+
+      env = { "HTTP_COOKIE" => "_t=#{bad_cookie}", "REMOTE_ADDR" => ip }
+
+      10.times do
+        provider('/', env).current_user
+      end
+
+      expect {
+        provider('/', env).current_user
+      }.to raise_error(Discourse::InvalidAccess)
+
+      expect {
+        env["HTTP_COOKIE"] = "_t=#{cookie}"
+        provider("/", env).current_user
+      }.to raise_error(Discourse::InvalidAccess)
+
+      env["REMOTE_ADDR"] = "10.0.0.2"
+
+      expect {
+        provider('/', env).current_user
+      }.not_to raise_error
+    end
+  end
+
+  it "correctly removes invalid cookies" do
+    bad_cookie = create_auth_cookie(
+      token: SecureRandom.hex,
+      user_id: 1,
+      trust_level: 4,
+      issued_at: 5.minutes.ago,
+    )
+    @provider = provider('/')
+    @provider.cookie_jar["_t"] = bad_cookie
+    @provider.refresh_session(nil, {}, @provider.cookie_jar)
+    expect(@provider.cookie_jar.key?("_t")).to eq(false)
+  end
+
+  it "logging on user always creates a new token" do
+    @provider = provider('/')
+    @provider.log_on_user(user, {}, @provider.cookie_jar)
+    @provider2 = provider('/')
+    @provider2.log_on_user(user, {}, @provider2.cookie_jar)
+
+    expect(UserAuthToken.where(user_id: user.id).count).to eq(2)
+  end
+
+  it "cleans up old sessions when a user logs in" do
+    yesterday = 1.day.ago
+
+    UserAuthToken.insert_all((1..(UserAuthToken::MAX_SESSION_COUNT + 2)).to_a.map do |i|
+      {
+        user_id: user.id,
+        created_at: yesterday + i.seconds,
+        updated_at: yesterday + i.seconds,
+        rotated_at: yesterday + i.seconds,
+        prev_auth_token: "abc#{i}",
+        auth_token: "abc#{i}"
+      }
+    end)
+
+    # Check the oldest 3 still exist
+    expect(UserAuthToken.where(auth_token: (1..3).map { |i| "abc#{i}" }).count).to eq(3)
+
+    # On next login, gets fixed
+    @provider = provider('/')
+    @provider.log_on_user(user, {}, @provider.cookie_jar)
+    expect(UserAuthToken.where(user_id: user.id).count).to eq(UserAuthToken::MAX_SESSION_COUNT)
+
+    # Oldest sessions are 1, 2, 3. They should now be deleted
+    expect(UserAuthToken.where(auth_token: (1..3).map { |i| "abc#{i}" }).count).to eq(0)
+  end
+
+  it "sets secure, same site lax cookies" do
+    SiteSetting.force_https = false
+    SiteSetting.same_site_cookies = "Lax"
+
+    @provider = provider('/')
+    @provider.log_on_user(user, {}, @provider.cookie_jar)
+
+    cookie_info = get_cookie_info(@provider.cookie_jar, "_t")
+    expect(cookie_info[:samesite]).to eq("Lax")
+    expect(cookie_info[:httponly]).to eq(true)
+    expect(cookie_info.key?(:secure)).to eq(false)
+
+    SiteSetting.force_https = true
+    SiteSetting.same_site_cookies = "Disabled"
+
+    @provider = provider('/')
+    @provider.log_on_user(user, {}, @provider.cookie_jar)
+
+    cookie_info = get_cookie_info(@provider.cookie_jar, "_t")
+    expect(cookie_info[:secure]).to eq(true)
+    expect(cookie_info.key?(:same_site)).to eq(false)
+  end
+
+  it "correctly expires session" do
+    SiteSetting.maximum_session_age = 2
+    token = UserAuthToken.generate!(user_id: user.id)
+    cookie = create_auth_cookie(
+      token: token.unhashed_auth_token,
+      user_id: user.id,
+      trust_level: user.trust_level,
+      issued_at: 5.minutes.ago
+    )
+
+    @provider = provider('/')
+    @provider.log_on_user(user, {}, @provider.cookie_jar)
+
+    expect(provider("/", "HTTP_COOKIE" => "_t=#{cookie}").current_user.id).to eq(user.id)
+
+    freeze_time 3.hours.from_now
+    expect(provider("/", "HTTP_COOKIE" => "_t=#{cookie}").current_user).to eq(nil)
+  end
+
+  it "always unstage users" do
+    user.update!(staged: true)
+    @provider = provider("/")
+    @provider.log_on_user(user, {}, @provider.cookie_jar)
+    user.reload
+    expect(user.staged).to eq(false)
+  end
+
+  context "user api" do
+    fab! :user do
+      Fabricate(:user)
+    end
+
+    let :api_key do
+      UserApiKey.create!(
+        application_name: 'my app',
+        client_id: '1234',
+        scopes: ['read'].map { |name| UserApiKeyScope.new(name: name) },
+        user_id: user.id
+      )
+    end
+
+    it "can clear old duplicate keys correctly" do
+      dupe = UserApiKey.create!(
+        application_name: 'my app',
+        client_id: '12345',
+        scopes: ['read'].map { |name| UserApiKeyScope.new(name: name) },
+        user_id: user.id
+      )
+
+      params = {
+        "REQUEST_METHOD" => "GET",
+        "HTTP_USER_API_KEY" => api_key.key,
+        "HTTP_USER_API_CLIENT_ID" => dupe.client_id,
+      }
+
+      good_provider = provider("/", params)
+      expect(good_provider.current_user.id).to eq(user.id)
+      expect(UserApiKey.find_by(id: dupe.id)).to eq(nil)
+    end
+
+    it "allows user API access correctly" do
+      params = {
+        "REQUEST_METHOD" => "GET",
+        "HTTP_USER_API_KEY" => api_key.key,
+      }
+
+      good_provider = provider("/", params)
+
+      expect do
+        expect(good_provider.current_user.id).to eq(user.id)
+      end.to change { api_key.reload.last_used_at }
+
+      expect(good_provider.is_api?).to eq(false)
+      expect(good_provider.is_user_api?).to eq(true)
+      expect(good_provider.should_update_last_seen?).to eq(false)
+
+      expect {
+        provider("/", params.merge("REQUEST_METHOD" => "POST")).current_user
+      }.to raise_error(Discourse::InvalidAccess)
+
+      user.update_columns(suspended_till: 1.year.from_now)
+
+      expect {
+        provider("/", params).current_user
+      }.to raise_error(Discourse::InvalidAccess)
+    end
+
+    describe "when readonly mode is enabled due to postgres" do
+      before do
+        Discourse.enable_readonly_mode(Discourse::PG_READONLY_MODE_KEY)
+      end
+
+      after do
+        Discourse.disable_readonly_mode(Discourse::PG_READONLY_MODE_KEY)
+      end
+
+      it 'should not update ApiKey#last_used_at' do
+        params = {
+          "REQUEST_METHOD" => "GET",
+          "HTTP_USER_API_KEY" => api_key.key,
+        }
+
+        good_provider = provider("/", params)
+
+        expect do
+          expect(good_provider.current_user.id).to eq(user.id)
+        end.to_not change { api_key.reload.last_used_at }
+      end
+    end
+
+    context "rate limiting" do
+
+      before do
+        RateLimiter.enable
+      end
+
+      it "rate limits api usage" do
+        limiter1 = RateLimiter.new(nil, "user_api_day_#{ApiKey.hash_key(api_key.key)}", 10, 60)
+        limiter2 = RateLimiter.new(nil, "user_api_min_#{ApiKey.hash_key(api_key.key)}", 10, 60)
+        limiter1.clear!
+        limiter2.clear!
+
+        global_setting :max_user_api_reqs_per_day, 3
+        global_setting :max_user_api_reqs_per_minute, 4
+
+        params = {
+          "REQUEST_METHOD" => "GET",
+          "HTTP_USER_API_KEY" => api_key.key,
+        }
+
+        3.times do
+          provider("/", params).current_user
+        end
+
+        expect {
+          provider("/", params).current_user
+        }.to raise_error(RateLimiter::LimitExceeded)
+
+        global_setting :max_user_api_reqs_per_day, 4
+        global_setting :max_user_api_reqs_per_minute, 3
+
+        limiter1.clear!
+        limiter2.clear!
+
+        3.times do
+          provider("/", params).current_user
+        end
+
+        expect {
+          provider("/", params).current_user
+        }.to raise_error(RateLimiter::LimitExceeded)
+      end
+    end
+  end
+
+  it "ignores a valid auth cookie that has been tampered with" do
+    @provider = provider('/')
+    @provider.log_on_user(user, {}, @provider.cookie_jar)
+
+    cookie = @provider.cookie_jar["_t"]
+    cookie = swap_2_different_characters(cookie)
+
+    ip = "10.0.0.1"
+    env = { "HTTP_COOKIE" => "_t=#{cookie}", "REMOTE_ADDR" => ip }
+    expect(provider('/', env).current_user).to eq(nil)
+  end
+end