author    Lukas Reschke <lukas@statuscode.ch>  2017-04-12 20:32:48 +0200
committer Lukas Reschke <lukas@statuscode.ch>  2017-04-13 12:00:16 +0200
commit    66835476b59b8be7593d4cfa03a51c4f265d7e26 (patch)
tree      91770c8fe403da25af50e6336727ab55fe57cd27 /build
parent    5505faa3d7b6f5a95f18fe5027355d700d69f396 (diff)
Add support for ratelimiting via annotations

This allows adding rate limiting via annotations to controllers, as one example:

```
@UserRateThrottle(limit=5, period=100)
@AnonRateThrottle(limit=1, period=100)
```

Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Diffstat (limited to 'build')
-rw-r--r--  build/integration/features/ratelimiting.feature  58
1 files changed, 58 insertions, 0 deletions
diff --git a/build/integration/features/ratelimiting.feature b/build/integration/features/ratelimiting.feature
new file mode 100644
index 00000000000..bd8b2e30a73
--- /dev/null
+++ b/build/integration/features/ratelimiting.feature
@@ -0,0 +1,58 @@
+Feature: ratelimiting
+
+ Background:
+ Given user "user0" exists
+ Given As an "admin"
+ Given app "testing" is enabled
+
+ Scenario: Accessing a page with only an AnonRateThrottle as user
+ Given user "user0" exists
+ # First request should work
+ When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
+ Then the HTTP status code should be "200"
+ # Second one should fail
+ When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
+ Then the HTTP status code should be "429"
+ # After 11 seconds the next request should work
+ And Sleep for "11" seconds
+ When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
+ Then the HTTP status code should be "200"
+
+ Scenario: Accessing a page with only an AnonRateThrottle as guest
+ Given Sleep for "11" seconds
+ # First request should work
+ When requesting "/index.php/apps/testing/anonProtected" with "GET"
+ Then the HTTP status code should be "200"
+ # Second one should fail
+ When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
+ Then the HTTP status code should be "429"
+ # After 11 seconds the next request should work
+ And Sleep for "11" seconds
+ When requesting "/index.php/apps/testing/anonProtected" with "GET" using basic auth
+ Then the HTTP status code should be "200"
+
+ Scenario: Accessing a page with UserRateThrottle and AnonRateThrottle
+ # First request should work as guest
+ When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET"
+ Then the HTTP status code should be "200"
+ # Second request should fail as guest
+ When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET"
+ Then the HTTP status code should be "429"
+ # First request should work as user
+ When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
+ Then the HTTP status code should be "200"
+ # Second request should work as user
+ When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
+ Then the HTTP status code should be "200"
+ # Third request should work as user
+ When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
+ Then the HTTP status code should be "200"
+ # Fourth request should work as user
+ When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
+ Then the HTTP status code should be "200"
+ # Fifth request should work as user
+ When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth
+ Then the HTTP status code should be "200"
+ # Sixth request should fail as user
+ When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET"
+ Then the HTTP status code should be "429"
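Review bot: The "Sixth request should fail as user" step in the last scenario omits `using basic auth`, so it is sent as a guest, and the 429 it expects is already explained by the anonymous bucket exhausted by the second guest request earlier in the same scenario; the step therefore never demonstrates that the user limit of 5 trips on the sixth authenticated call. Change it to `When requesting "/index.php/apps/testing/userAndAnonProtected" with "GET" using basic auth` so the assertion actually exercises the UserRateThrottle. The same mismatch appears in the "as guest" scenario, where the second and third requests carry `using basic auth` although the title and comments describe guest access; drop the suffix there so the scenario tests the anonymous bucket it names. Minor: the first scenario repeats `Given user "user0" exists`, which the Background already provides.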