From 224b023ca06c55dc95f928eedadacf6129ff089d Mon Sep 17 00:00:00 2001
From: mwiegand
Date: Mon, 11 May 2026 21:58:46 +0200
Subject: [PATCH] profile: rate-limit test for POST /profile/password

Exceeding the per-IP attempt cap within the window returns 429.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 l4d2web/tests/test_profile.py | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/l4d2web/tests/test_profile.py b/l4d2web/tests/test_profile.py
index 0189321..98fdf96 100644
--- a/l4d2web/tests/test_profile.py
+++ b/l4d2web/tests/test_profile.py
@@ -231,3 +231,30 @@ def test_new_password_works_for_login(app_and_user):
     )
     assert response.status_code == 302
     assert response.headers["Location"].endswith("/dashboard")
+
+
+def test_post_password_rate_limited(app_and_user):
+    from l4d2web.routes.profile_routes import (
+        PROFILE_PW_RATE_LIMIT_MAX_ATTEMPTS,
+        reset_profile_password_rate_limits,
+    )
+    reset_profile_password_rate_limits()
+
+    app, uid, marker = app_and_user
+    client = _logged_in_client(app, uid, marker)
+
+    for _ in range(PROFILE_PW_RATE_LIMIT_MAX_ATTEMPTS):
+        _post_pw(
+            client,
+            current_password="WRONG",
+            new_password="newpass12",
+            confirm_new_password="newpass12",
+        )
+
+    blocked = _post_pw(
+        client,
+        current_password="WRONG",
+        new_password="newpass12",
+        confirm_new_password="newpass12",
+    )
+    assert blocked.status_code == 429
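Review bot: The loop in `test_post_password_rate_limited` discards every response, so the test cannot tell a limiter that blocks after PROFILE_PW_RATE_LIMIT_MAX_ATTEMPTS failures apart from one that blocks from the very first request; capture the result inside the loop and pin it, e.g. `resp = _post_pw(client, ...)` followed by `assert resp.status_code != 429`. The limiter state is reset only at the start of the test, so any later test in this module that posts to the same endpoint from the test client's address may inherit the blocked state; the existence of a reset helper suggests the state is process-global, so call `reset_profile_password_rate_limits()` again after the final assertion or from a fixture teardown. The test also never checks that a post with the fixture user's correct `current_password` is still refused while blocked, which is the property that makes the cap a real brute-force control rather than a counter of wrong guesses; one extra post expecting 429 would cover it. `_logged_in_client` and `_post_pw` are defined outside the hunk.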