LG-12712 Use phone fingerprint as rate limit key for phone confirmation #10459
Changes from 26 commits
@@ -234,6 +234,41 @@ | |||||
expect(subject.user_session[:context]).to eq 'confirmation' | ||||||
end | ||||||
end | ||||||
|
||||||
context 'with rate phone fingerprint rate limit' do | ||||||
before do | ||||||
@user = create(:user) | ||||||
@user2 = create(:user) | ||||||
@unconfirmed_phone = '+1 (202) 555-1213' | ||||||
@unconfirmed_phone2 = '+1 (202) 555-1215' | ||||||
end | ||||||
it 'displays an error banner' do | ||||||
sign_in_before_2fa(@user) | ||||||
allow(IdentityConfig.store).to receive(:otp_delivery_blocklist_maxretry).and_return(999) | ||||||
Is this necessary?

Not at all, apparently. It would be useful for hammering at the phone submissions limiter and not wanting to hit that other limit it seems. Isn't a problem here. Removed.
||||||
allow(IdentityConfig.store).to receive( | ||||||
:phone_submissions_per_fingerprint_max_attempts_window_in_minutes, | ||||||
).and_return(10) | ||||||
We could make the test run a little faster if we reduced this a bit so it's not looping as many times in the loop that follows.
||||||
IdentityConfig.store.phone_submissions_per_fingerprint_limit.times do | ||||||
post(:create, params: { new_phone_form: { phone: @unconfirmed_phone } }) | ||||||
end | ||||||
|
||||||
expect(flash[:error]).to eq( | ||||||
t('errors.messages.phone_confirmation_limited', timeout: '9 minutes'), | ||||||
) | ||||||
|
||||||
travel_to(5.minutes.from_now) do | ||||||
sign_in_before_2fa(@user2) | ||||||
post(:create, params: { new_phone_form: { phone: @unconfirmed_phone } }) | ||||||
expect(flash[:error]).to eq( | ||||||
t('errors.messages.phone_confirmation_limited', timeout: '5 minutes'), | ||||||
) | ||||||
end | ||||||
|
||||||
sign_in_before_2fa(@user) | ||||||
post(:create, params: { new_phone_form: { phone: @unconfirmed_phone2 } }) | ||||||
expect(flash[:error]).to eq(nil) | ||||||
end | ||||||
end | ||||||
end | ||||||
|
||||||
describe 'before_actions' do | ||||||
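Review bot: the expected banner strings `timeout: '9 minutes'` after the `phone_submissions_per_fingerprint_limit.times` loop and `'5 minutes'` inside the `travel_to(5.minutes.from_now)` block are computed from the real clock between the first `post` and the assertion, so a slow run that crosses a minute boundary can change the rendered remaining time; wrapping the example in `freeze_time do ... end` (from the same ActiveSupport time helpers `travel_to` comes from) pins the window start and keeps both expectations deterministic. Two smaller points: the context description `'with rate phone fingerprint rate limit'` repeats "rate", and since the limiter is now keyed on the phone fingerprint, one more `post` of `@unconfirmed_phone` written in a different formatting (if the fingerprint normalises formatting) asserting the same limited banner would show the key is the fingerprint rather than the raw string, which is the property this change is meant to guarantee.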
If we're not using this anywhere outside the scope of this method, I don't think we need to assign it as an instance variable.

That makes sense. 👍