
# Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/

require 'rails_helper'

# Request specs for the unauthenticated password-reset endpoint: a single
# request must succeed and create a token, and repeated requests must be
# throttled both per username and per source IP.
RSpec.describe 'User endpoint', authenticated_as: false, type: :request do
  let(:reset_path) { api_v1_users_password_reset_path }

  context 'when user resets password once' do
    subject(:reset_request) { post reset_path, params: { username: login } }

    let(:login) { create(:user).login }

    it 'creates a token' do
      expect { reset_request }.to change(Token, :count)
    end

    it 'returns success' do
      reset_request

      expect(response).to have_http_status(:ok)
    end
  end

  # For the throttling, see config/initializers/rack_attack.rb.
  # Each example fires four requests and asserts only on the last response,
  # which is the one expected to be rejected.
  context 'when user resets password more than throttle allows', :rack_attack do
    let(:static_username) { create(:user).login }
    let(:static_ipv4)     { Faker::Internet.ip_v4_address }

    it 'blocks due to username throttling (multiple IPs)' do
      # Same login from a fresh client address on every attempt.
      4.times do
        post reset_path,
             params:  { username: static_username },
             headers: { 'X-Forwarded-For': Faker::Internet.ip_v4_address }
      end

      expect(response).to have_http_status(:too_many_requests)
    end

    it 'blocks due to source IP address throttling (multiple usernames)' do
      # Fresh login from the same client address on every attempt.
      4.times do
        # Ensure throttling even on modified path.
        post "#{reset_path}.json",
             params:  { username: create(:user).login },
             headers: { 'X-Forwarded-For': static_ipv4 }
      end

      expect(response).to have_http_status(:too_many_requests)
    end
  end
end