FIX: Rate limit and hijack certificate generation. (#8215)

To eliminate a DDOS attack vector, we're taking the following measures: The endpoint will be rate-limited to 3 requests every 60 seconds (per user). A 24 hours max-age cache header is sent with the response. The route will be hijacked to generate the certificate in the background.
2025-05-23 06:51:27 +08:00 · 2019-10-21 13:14:15 -03:00
parent d5121e5ddb
commit 835d2be4da
4 changed files with 53 additions and 39 deletions
--- a/plugins/discourse-narrative-bot/spec/lib/certificate_generator_spec.rb
+++ b/plugins/discourse-narrative-bot/spec/lib/certificate_generator_spec.rb
@ -4,10 +4,12 @@ require 'rails_helper'

 RSpec.describe DiscourseNarrativeBot::CertificateGenerator do
  let(:user) { Fabricate(:user) }
+  let(:avatar_url) { 'http://test.localhost/cdn/avatar.png' }
+  let(:date) { "2017-00-10" }

  describe 'when an invalid date is given' do
    it 'should default to the current date' do
-      expect { described_class.new(user, "2017-00-10") }.to_not raise_error
+      expect { described_class.new(user, date, avatar_url) }.to_not raise_error
    end
  end

@ -19,7 +21,7 @@ RSpec.describe DiscourseNarrativeBot::CertificateGenerator do
      end

      it 'should not try to fetch a image' do
-        expect(described_class.new(user, "2017-02-10").send(:logo_group, 1, 1, 1))
+        expect(described_class.new(user, date, avatar_url).send(:logo_group, 1, 1, 1))
          .to eq(nil)
      end
    end