SECURITY: do cookie auth rate limiting earlier

2025-05-22 07:53:49 +08:00 · 2016-08-09 10:02:18 +10:00
parent 277e7383f3
commit 5cc8bb535b
2 changed files with 16 additions and 2 deletions
--- a/spec/components/auth/default_current_user_provider_spec.rb
+++ b/spec/components/auth/default_current_user_provider_spec.rb
@ -86,6 +86,10 @@ describe Auth::DefaultCurrentUserProvider do
  end

  it "can only try 10 bad cookies a minute" do
+
+    user = Fabricate(:user)
+    provider('/').log_on_user(user, {}, {})
+
    RateLimiter.stubs(:disabled?).returns(false)

    RateLimiter.new(nil, "cookie_auth_10.0.0.1", 10, 60).clear!
@ -97,10 +101,16 @@ describe Auth::DefaultCurrentUserProvider do
    10.times do
      provider('/', env).current_user
    end
+
    expect {
      provider('/', env).current_user
    }.to raise_error(Discourse::InvalidAccess)

+    expect {
+      env["HTTP_COOKIE"] = "_t=#{user.auth_token}"
+      provider("/", env).current_user
+    }.to raise_error(Discourse::InvalidAccess)
+
    env["REMOTE_ADDR"] = "10.0.0.2"
    provider('/', env).current_user
  end