mirror/php-flarum
1
0
Fork 0
mirror of https://github.com/flarum/core.git synced 2025-08-05 07:57:46 +02:00
Code Issues Releases Wiki Activity

feat: throttle email change, email confirmation, and password reset endpoints. (#3555)

Browse Source 
* chore: move post throttler to separate class
* feat: throttle email change requests
* feat: throttle email activation requests
* feat: throttle password resets for logged-in users
* docs: comment new throttlers
This commit is contained in:
Sami Mazouz
2022-07-30 07:18:51 +01:00
committed by GitHub
parent 021793fc52
commit f610f8aa67
9 changed files with 386 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
framework/core/tests/integration/api/users/SendActivationEmailTest.php Normal file
View File

@@ -0,0 +1,67 @@
<?php
/*
* This file is part of Flarum.
*
* For detailed copyright and license information, please view the
* LICENSE file that was distributed with this source code.
*/
namespace Flarum\Tests\integration\api\users;
use Carbon\Carbon;
use Flarum\Testing\integration\TestCase;
use Flarum\User\Throttler\EmailActivationThrottler;
class SendActivationEmailTest extends TestCase
{
protected function setUp(): void
{
parent::setUp();
$this->prepareDatabase([
'users' => [
[
'id' => 3,
'username' => 'normal2',
'password' => '$2y$10$LO59tiT7uggl6Oe23o/O6.utnF6ipngYjvMvaxo1TciKqBttDNKim', // BCrypt hash for "too-obscure"
'email' => 'normal2@machine.local',
'is_email_confirmed' => 0,
'last_seen_at' => Carbon::now()->subSecond(),
],
]
]);
}
/** @test */
public function users_can_send_confirmation_emails_in_moderate_intervals()
{
for ($i = 0; $i < 2; $i++) {
$response = $this->send(
$this->request('POST', '/api/users/3/send-confirmation', [
'authenticatedAs' => 3,
])
);
// We don't want to delay tests too long.
EmailActivationThrottler::$timeout = 5;
sleep(EmailActivationThrottler::$timeout + 1);
}
$this->assertEquals(204, $response->getStatusCode());
}
/** @test */
public function users_cant_send_confirmation_emails_too_fast()
{
for ($i = 0; $i < 2; $i++) {
$response = $this->send(
$this->request('POST', '/api/users/3/send-confirmation', [
'authenticatedAs' => 3,
])
);
}
$this->assertEquals(429, $response->getStatusCode());
}
}

73
framework/core/tests/integration/api/users/SendPasswordResetEmailTest.php Normal file
View File

@@ -0,0 +1,73 @@
<?php
/*
* This file is part of Flarum.
*
* For detailed copyright and license information, please view the
* LICENSE file that was distributed with this source code.
*/
namespace Flarum\Tests\integration\api\users;
use Carbon\Carbon;
use Flarum\Testing\integration\TestCase;
use Flarum\User\Throttler\PasswordResetThrottler;
class SendPasswordResetEmailTest extends TestCase
{
protected function setUp(): void
{
parent::setUp();
$this->prepareDatabase([
'users' => [
[
'id' => 3,
'username' => 'normal2',
'password' => '$2y$10$LO59tiT7uggl6Oe23o/O6.utnF6ipngYjvMvaxo1TciKqBttDNKim', // BCrypt hash for "too-obscure"
'email' => 'normal2@machine.local',
'is_email_confirmed' => 0,
'last_seen_at' => Carbon::now()->subSecond(),
],
]
]);
}
/** @test */
public function users_can_send_password_reset_emails_in_moderate_intervals()
{
for ($i = 0; $i < 2; $i++) {
$response = $this->send(
$this->request('POST', '/api/forgot', [
'authenticatedAs' => 3,
'json' => [
'email' => 'normal2@machine.local'
]
])
);
// We don't want to delay tests too long.
PasswordResetThrottler::$timeout = 5;
sleep(PasswordResetThrottler::$timeout + 1);
}
$this->assertEquals(204, $response->getStatusCode());
}
/** @test */
public function users_cant_send_confirmation_emails_too_fast()
{
for ($i = 0; $i < 2; $i++) {
$response = $this->send(
$this->request('POST', '/api/forgot', [
'authenticatedAs' => 3,
'json' => [
'email' => 'normal2@machine.local'
]
])
);
}
$this->assertEquals(429, $response->getStatusCode());
}
}

57
framework/core/tests/integration/api/users/UpdateTest.php
View File

@@ -12,6 +12,7 @@ namespace Flarum\Tests\integration\api\users;
use Carbon\Carbon;
use Flarum\Testing\integration\RetrievesAuthorizedUsers;
use Flarum\Testing\integration\TestCase;
use Flarum\User\Throttler\EmailChangeThrottler;
use Flarum\User\User;
class UpdateTest extends TestCase
@@ -156,6 +157,62 @@ class UpdateTest extends TestCase
$this->assertEquals(200, $response->getStatusCode());
}
/**
* @test
*/
public function users_can_request_email_change_in_moderate_intervals()
{
for ($i = 0; $i < 2; $i++) {
$response = $this->send(
$this->request('PATCH', '/api/users/3', [
'authenticatedAs' => 3,
'json' => [
'data' => [
'attributes' => [
'email' => 'someOtherEmail@example.com',
]
],
'meta' => [
'password' => 'too-obscure'
]
],
])
);
// We don't want to delay tests too long.
EmailChangeThrottler::$timeout = 5;
sleep(EmailChangeThrottler::$timeout + 1);
}
$this->assertEquals(200, $response->getStatusCode());
}
/**
* @test
*/
public function users_cant_request_email_change_too_fast()
{
for ($i = 0; $i < 2; $i++) {
$response = $this->send(
$this->request('PATCH', '/api/users/3', [
'authenticatedAs' => 3,
'json' => [
'data' => [
'attributes' => [
'email' => 'someOtherEmail@example.com',
]
],
'meta' => [
'password' => 'too-obscure'
]
],
])
);
}
$this->assertEquals(429, $response->getStatusCode());
}
/**
* @test
*/