akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 6 Packages Projects Releases Wiki Activity
Files
949eaa243db585d8fab3b2331a46c8c8ab48b648
Charon/tests/security-enforcement/rate-limit-enforcement.spec.ts
T
GitHub Actions f64e3feef8 chore: clean .gitignore cache
2026-01-26 19:22:05 +00:00

124 lines
4.0 KiB
TypeScript
Raw Blame History

/**
* Rate Limiting Enforcement Tests
*
* Tests that verify rate limiting configuration and expected behavior.
*
* NOTE: Actual rate limiting happens at Caddy layer. These tests verify
* the rate limiting configuration API and presets.
*
* Pattern: Toggle-On-Test-Toggle-Off
*
* @see /projects/Charon/docs/plans/current_spec.md - Rate Limit Enforcement Tests
*/
import { test, expect } from '@bgotink/playwright-coverage';
import { request } from '@playwright/test';
import type { APIRequestContext } from '@playwright/test';
import { STORAGE_STATE } from '../constants';
import {
getSecurityStatus,
setSecurityModuleEnabled,
captureSecurityState,
restoreSecurityState,
CapturedSecurityState,
} from '../utils/security-helpers';
test.describe('Rate Limit Enforcement', () => {
let requestContext: APIRequestContext;
let originalState: CapturedSecurityState;
test.beforeAll(async () => {
requestContext = await request.newContext({
baseURL: process.env.PLAYWRIGHT_BASE_URL || 'http://localhost:8080',
storageState: STORAGE_STATE,
});
// Capture original state
try {
originalState = await captureSecurityState(requestContext);
} catch (error) {
console.error('Failed to capture original security state:', error);
}
// Enable Cerberus (master toggle) first
try {
await setSecurityModuleEnabled(requestContext, 'cerberus', true);
console.log('✓ Cerberus enabled');
} catch (error) {
console.error('Failed to enable Cerberus:', error);
}
// Enable Rate Limiting
try {
await setSecurityModuleEnabled(requestContext, 'rateLimit', true);
console.log('✓ Rate Limiting enabled');
} catch (error) {
console.error('Failed to enable Rate Limiting:', error);
}
});
test.afterAll(async () => {
// Restore original state
if (originalState) {
try {
await restoreSecurityState(requestContext, originalState);
console.log('✓ Security state restored');
} catch (error) {
console.error('Failed to restore security state:', error);
// Emergency disable
try {
await setSecurityModuleEnabled(requestContext, 'rateLimit', false);
await setSecurityModuleEnabled(requestContext, 'cerberus', false);
} catch {
console.error('Emergency Rate Limit disable also failed');
}
}
}
await requestContext.dispose();
});
test('should verify rate limiting is enabled', async () => {
const status = await getSecurityStatus(requestContext);
expect(status.rate_limit.enabled).toBe(true);
expect(status.cerberus.enabled).toBe(true);
});
test('should return rate limit presets', async () => {
const response = await requestContext.get(
'/api/v1/security/rate-limit/presets'
);
expect(response.ok()).toBe(true);
const data = await response.json();
const presets = data.presets;
expect(Array.isArray(presets)).toBe(true);
// Presets should have expected structure
if (presets.length > 0) {
const preset = presets[0];
expect(preset.name || preset.id).toBeDefined();
}
});
test('should document threshold behavior when rate exceeded', async () => {
// Rate limiting enforcement happens at Caddy layer
// When threshold is exceeded, Caddy returns 429 Too Many Requests
//
// With rate limiting enabled:
// - Requests exceeding the configured rate per IP/path return 429
// - The response includes Retry-After header
//
// Direct API requests to backend bypass Caddy rate limiting
const status = await getSecurityStatus(requestContext);
expect(status.rate_limit.enabled).toBe(true);
// Document: When rate limiting is enabled and request goes through Caddy:
// - Requests exceeding threshold return 429 Too Many Requests
// - X-RateLimit-Limit, X-RateLimit-Remaining headers are included
console.log(
'Rate limiting configured - threshold enforcement active at Caddy layer'
);
});
});
Reference in New Issue View Git Blame Copy Permalink