nanodrop/tests/integration/auth-rate-limit.test.ts

import { describe, it, expect, beforeEach, afterEach } from 'vitest';
import { readFileSync } from 'fs';
import { createTestApp, type TestContext } from '../helpers/setup.ts';
import { createUser } from '../../src/db/users.ts';
import { hashPassword } from '../../src/services/auth.ts';

describe('per-IP rate limit on login routes', () => {
  let ctx: TestContext;

  beforeEach(async () => {
    ctx = createTestApp({
      loginRateLimitMax: 3,
      loginRateLimitWindowSeconds: 60,
      lockoutThreshold: 100, // disable lockout for this suite
      loginMinResponseMs: 0,
    });
    const hash = await hashPassword('correct-pw');
    createUser(ctx.db, { username: 'alice', passwordHash: hash });
  });

  afterEach(async () => {
    await ctx.app.close();
    ctx.cleanup();
  });

  async function loginRequest() {
    return ctx.app.inject({
      method: 'POST',
      url: '/api/v1/auth/login',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({ username: 'alice', password: 'wrong' }),
    });
  }

  it('returns 429 once IP exceeds the per-route limit and logs AUTH_RATE_LIMITED', async () => {
    expect((await loginRequest()).statusCode).toBe(401);
    expect((await loginRequest()).statusCode).toBe(401);
    expect((await loginRequest()).statusCode).toBe(401);
    const fourth = await loginRequest();
    expect(fourth.statusCode).toBe(429);
    expect(fourth.json().error).toBe('Too many requests');

    // Wait for fire-and-forget log write
    await new Promise((r) => setTimeout(r, 50));
    const log = readFileSync(ctx.logFile, 'utf-8');
    expect(log).toMatch(/AUTH_RATE_LIMITED/);
    expect(log).toMatch(/route="\/api\/v1\/auth\/login"/);
  });

  it('does NOT throttle the file upload endpoint', async () => {
    // First, get a valid session
    const loginRes = await ctx.app.inject({
      method: 'POST',
      url: '/api/v1/auth/login',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({ username: 'alice', password: 'correct-pw' }),
    });
    expect(loginRes.statusCode).toBe(200);
    const cookie = (loginRes.headers['set-cookie'] as string).split(';')[0].replace('token=', '');

    // Now hit /upload (GET) repeatedly past the login-route limit threshold
    for (let i = 0; i < 6; i++) {
      const r = await ctx.app.inject({
        method: 'GET',
        url: '/upload',
        cookies: { token: cookie },
      });
      expect(r.statusCode).toBe(200);
    }
  });
});