profile: rate-limit test for POST /profile/password
Exceeding the per-IP attempt cap within the window returns 429. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
47722dbb19
commit
224b023ca0
1 changed files with 27 additions and 0 deletions
@ -231,3 +231,30 @@ def test_new_password_works_for_login(app_and_user):
|
||||||
)
|
)
|
||||||
assert response.status_code == 302
|
assert response.status_code == 302
|
||||||
assert response.headers["Location"].endswith("/dashboard")
|
assert response.headers["Location"].endswith("/dashboard")
|
||||||
|
|
||||||
|
|
||||||
|
def test_post_password_rate_limited(app_and_user):
|
||||||
|
from l4d2web.routes.profile_routes import (
|
||||||
|
PROFILE_PW_RATE_LIMIT_MAX_ATTEMPTS,
|
||||||
|
reset_profile_password_rate_limits,
|
||||||
|
)
|
||||||
|
reset_profile_password_rate_limits()
|
||||||
|
|
||||||
|
app, uid, marker = app_and_user
|
||||||
|
client = _logged_in_client(app, uid, marker)
|
||||||
|
|
||||||
|
for _ in range(PROFILE_PW_RATE_LIMIT_MAX_ATTEMPTS):
|
||||||
|
_post_pw(
|
||||||
|
client,
|
||||||
|
current_password="WRONG",
|
||||||
|
new_password="newpass12",
|
||||||
|
confirm_new_password="newpass12",
|
||||||
|
)
|
||||||
|
|
||||||
|
blocked = _post_pw(
|
||||||
|
client,
|
||||||
|
current_password="WRONG",
|
||||||
|
new_password="newpass12",
|
||||||
|
confirm_new_password="newpass12",
|
||||||
|
)
|
||||||
|
assert blocked.status_code == 429
|
||||||
|
|
|
||||||
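Review bot: The loop at `for _ in range(PROFILE_PW_RATE_LIMIT_MAX_ATTEMPTS)` discards every response, so the test cannot tell a cap of PROFILE_PW_RATE_LIMIT_MAX_ATTEMPTS from a cap of zero — a limiter that returned 429 on the very first attempt would still pass; capture the result inside the loop and add `assert resp.status_code != 429` so the boundary is actually pinned. `reset_profile_password_rate_limits()` is called only at the start of the test, so the exhausted counter outlives it and, if the limiter keeps process-wide state as the existence of a reset helper suggests, a later test posting to the same route from the test client may get an unexpected 429 depending on ordering — register the reset as teardown too (a fixture finalizer or `try/finally`). The commit message describes the cap as per-IP, but a single client cannot distinguish per-IP from per-user or global keying; one extra request with a different `REMOTE_ADDR` (or a second user) that still gets through would confirm the key. The blocked request is also sent with `current_password="WRONG"`, so the test does not show that a correct password is refused once the cap is reached, which is the case that matters against online guessing; a final `_post_pw` with the real current password asserting 429 (and that the old password still logs in) would close that gap.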