profile: rate-limit test for POST /profile/password

Exceeding the per-IP attempt cap within the window returns 429. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 21:58:46 +02:00 · 2026-05-11 21:58:46 +02:00 · 224b023ca0
commit 224b023ca0
parent 47722dbb19
1 changed files with 27 additions and 0 deletions
--- a/l4d2web/tests/test_profile.py
+++ b/l4d2web/tests/test_profile.py
@ -231,3 +231,30 @@ def test_new_password_works_for_login(app_and_user):
    )
    assert response.status_code == 302
    assert response.headers["Location"].endswith("/dashboard")
+
+
+def test_post_password_rate_limited(app_and_user):
+    from l4d2web.routes.profile_routes import (
+        PROFILE_PW_RATE_LIMIT_MAX_ATTEMPTS,
+        reset_profile_password_rate_limits,
+    )
+    reset_profile_password_rate_limits()
+
+    app, uid, marker = app_and_user
+    client = _logged_in_client(app, uid, marker)
+
+    for _ in range(PROFILE_PW_RATE_LIMIT_MAX_ATTEMPTS):
+        _post_pw(
+            client,
+            current_password="WRONG",
+            new_password="newpass12",
+            confirm_new_password="newpass12",
+        )
+
+    blocked = _post_pw(
+        client,
+        current_password="WRONG",
+        new_password="newpass12",
+        confirm_new_password="newpass12",
+    )
+    assert blocked.status_code == 429