PeerTube/server/tests/api/server/reverse-proxy.ts

/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */

import { expect } from 'chai'
import { wait } from '@shared/core-utils'
import { HttpStatusCode } from '@shared/models'
import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers } from '@shared/server-commands'

describe('Test application behind a reverse proxy', function () {
  let server: PeerTubeServer
  let userAccessToken: string
  let videoId: string

  before(async function () {
    this.timeout(60000)

    const config = {
      rates_limit: {
        api: {
          max: 50,
          window: 5000
        },
        signup: {
          max: 3,
          window: 5000
        },
        login: {
          max: 20
        }
      },
      signup: {
        limit: 20
      }
    }

    server = await createSingleServer(1, config)
    await setAccessTokensToServers([ server ])

    userAccessToken = await server.users.generateUserAndToken('user')

    const { uuid } = await server.videos.upload()
    videoId = uuid
  })

  it('Should view a video only once with the same IP by default', async function () {
    this.timeout(40000)

    await server.views.simulateView({ id: videoId })
    await server.views.simulateView({ id: videoId })

    // Wait the repeatable job
    await wait(8000)

    const video = await server.videos.get({ id: videoId })
    expect(video.views).to.equal(1)
  })

  it('Should view a video 2 times with the X-Forwarded-For header set', async function () {
    this.timeout(20000)

    await server.views.simulateView({ id: videoId, xForwardedFor: '0.0.0.1,127.0.0.1' })
    await server.views.simulateView({ id: videoId, xForwardedFor: '0.0.0.2,127.0.0.1' })

    // Wait the repeatable job
    await wait(8000)

    const video = await server.videos.get({ id: videoId })
    expect(video.views).to.equal(3)
  })

  it('Should view a video only once with the same client IP in the X-Forwarded-For header', async function () {
    this.timeout(20000)

    await server.views.simulateView({ id: videoId, xForwardedFor: '0.0.0.4,0.0.0.3,::ffff:127.0.0.1' })
    await server.views.simulateView({ id: videoId, xForwardedFor: '0.0.0.5,0.0.0.3,127.0.0.1' })

    // Wait the repeatable job
    await wait(8000)

    const video = await server.videos.get({ id: videoId })
    expect(video.views).to.equal(4)
  })

  it('Should view a video two times with a different client IP in the X-Forwarded-For header', async function () {
    this.timeout(20000)

    await server.views.simulateView({ id: videoId, xForwardedFor: '0.0.0.8,0.0.0.6,127.0.0.1' })
    await server.views.simulateView({ id: videoId, xForwardedFor: '0.0.0.8,0.0.0.7,127.0.0.1' })

    // Wait the repeatable job
    await wait(8000)

    const video = await server.videos.get({ id: videoId })
    expect(video.views).to.equal(6)
  })

  it('Should rate limit logins', async function () {
    const user = { username: 'root', password: 'fail' }

    for (let i = 0; i < 18; i++) {
      await server.login.login({ user, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
    }

    await server.login.login({ user, expectedStatus: HttpStatusCode.TOO_MANY_REQUESTS_429 })
  })

  it('Should rate limit signup', async function () {
    for (let i = 0; i < 10; i++) {
      try {
        await server.users.register({ username: 'test' + i })
      } catch {
        // empty
      }
    }

    await server.users.register({ username: 'test42', expectedStatus: HttpStatusCode.TOO_MANY_REQUESTS_429 })
  })

  it('Should not rate limit failed signup', async function () {
    this.timeout(30000)

    await wait(7000)

    for (let i = 0; i < 3; i++) {
      await server.users.register({ username: 'test' + i, expectedStatus: HttpStatusCode.CONFLICT_409 })
    }

    await server.users.register({ username: 'test43', expectedStatus: HttpStatusCode.NO_CONTENT_204 })

  })

  it('Should rate limit API calls', async function () {
    this.timeout(30000)

    await wait(7000)

    for (let i = 0; i < 100; i++) {
      try {
        await server.videos.get({ id: videoId })
      } catch {
        // don't care if it fails
      }
    }

    await server.videos.get({ id: videoId, expectedStatus: HttpStatusCode.TOO_MANY_REQUESTS_429 })
  })

  it('Should rate limit API calls with a user but not with an admin', async function () {
    await server.videos.get({ id: videoId, token: userAccessToken, expectedStatus: HttpStatusCode.TOO_MANY_REQUESTS_429 })

    await server.videos.get({ id: videoId, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })
  })

  after(async function () {
    await cleanupTests([ server ])
  })
})
Move to eslint 2020-01-31 09:56:52 -06:00			`/* eslint-disable @typescript-eslint/no-unused-expressions,@typescript-eslint/require-await */`
Prevent brute force login attack 2018-03-29 03:58:24 -05:00
Introduce login command 2021-07-13 04:05:15 -05:00			`import { expect } from 'chai'`
Move test functions outside extra-utils 2021-12-17 04:58:15 -06:00			`import { wait } from '@shared/core-utils'`
Reorganize imports 2021-07-16 07:27:30 -05:00			`import { HttpStatusCode } from '@shared/models'`
Move test functions outside extra-utils 2021-12-17 04:58:15 -06:00			`import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServers } from '@shared/server-commands'`
Prevent brute force login attack 2018-03-29 03:58:24 -05:00
			`describe('Test application behind a reverse proxy', function () {`
Use an object to represent a server 2021-07-16 02:47:51 -05:00			`let server: PeerTubeServer`
Bypass rate limits for admins and moderators 2022-05-30 04:33:38 -05:00			`let userAccessToken: string`
Introduce videos command 2021-07-15 03:02:54 -05:00			`let videoId: string`
Prevent brute force login attack 2018-03-29 03:58:24 -05:00
			`before(async function () {`
Increase test timeouts 2022-09-12 01:29:01 -05:00			`this.timeout(60000)`
Add rate limit to registration and API endpoints 2019-07-04 09:42:40 -05:00
			`const config = {`
			`rates_limit: {`
			`api: {`
			`max: 50,`
			`window: 5000`
			`},`
			`signup: {`
			`max: 3,`
			`window: 5000`
			`},`
			`login: {`
			`max: 20`
			`}`
			`},`
			`signup: {`
			`limit: 20`
			`}`
			`}`

Use an object to represent a server 2021-07-16 02:47:51 -05:00			`server = await createSingleServer(1, config)`
Prevent brute force login attack 2018-03-29 03:58:24 -05:00			`await setAccessTokensToServers([ server ])`

Bypass rate limits for admins and moderators 2022-05-30 04:33:38 -05:00			`userAccessToken = await server.users.generateUserAndToken('user')`

Shorter server command names 2021-07-16 02:04:35 -05:00			`const { uuid } = await server.videos.upload()`
Introduce videos command 2021-07-15 03:02:54 -05:00			`videoId = uuid`
Prevent brute force login attack 2018-03-29 03:58:24 -05:00			`})`

			`it('Should view a video only once with the same IP by default', async function () {`
Increase test timeouts 2022-09-12 01:29:01 -05:00			`this.timeout(40000)`
Bufferize videos views in redis 2018-08-29 09:26:25 -05:00
Support video views/viewers stats in server * Add "currentTime" and "event" body params to view endpoint * Merge watching and view endpoints * Introduce WatchAction AP activity * Add tables to store viewer information of local videos * Add endpoints to fetch video views/viewers stats of local videos * Refactor views/viewers handlers * Support "views" and "viewers" counters for both VOD and live videos 2022-03-24 07:36:47 -05:00			`await server.views.simulateView({ id: videoId })`
			`await server.views.simulateView({ id: videoId })`
Prevent brute force login attack 2018-03-29 03:58:24 -05:00
Bufferize videos views in redis 2018-08-29 09:26:25 -05:00			`// Wait the repeatable job`
			`await wait(8000)`

Shorter server command names 2021-07-16 02:04:35 -05:00			`const video = await server.videos.get({ id: videoId })`
Introduce videos command 2021-07-15 03:02:54 -05:00			`expect(video.views).to.equal(1)`
Prevent brute force login attack 2018-03-29 03:58:24 -05:00			`})`

			`it('Should view a video 2 times with the X-Forwarded-For header set', async function () {`
Bufferize videos views in redis 2018-08-29 09:26:25 -05:00			`this.timeout(20000)`

Support video views/viewers stats in server * Add "currentTime" and "event" body params to view endpoint * Merge watching and view endpoints * Introduce WatchAction AP activity * Add tables to store viewer information of local videos * Add endpoints to fetch video views/viewers stats of local videos * Refactor views/viewers handlers * Support "views" and "viewers" counters for both VOD and live videos 2022-03-24 07:36:47 -05:00			`await server.views.simulateView({ id: videoId, xForwardedFor: '0.0.0.1,127.0.0.1' })`
			`await server.views.simulateView({ id: videoId, xForwardedFor: '0.0.0.2,127.0.0.1' })`
Prevent brute force login attack 2018-03-29 03:58:24 -05:00
Bufferize videos views in redis 2018-08-29 09:26:25 -05:00			`// Wait the repeatable job`
			`await wait(8000)`

Shorter server command names 2021-07-16 02:04:35 -05:00			`const video = await server.videos.get({ id: videoId })`
Introduce videos command 2021-07-15 03:02:54 -05:00			`expect(video.views).to.equal(3)`
Prevent brute force login attack 2018-03-29 03:58:24 -05:00			`})`

			`it('Should view a video only once with the same client IP in the X-Forwarded-For header', async function () {`
Bufferize videos views in redis 2018-08-29 09:26:25 -05:00			`this.timeout(20000)`

Support video views/viewers stats in server * Add "currentTime" and "event" body params to view endpoint * Merge watching and view endpoints * Introduce WatchAction AP activity * Add tables to store viewer information of local videos * Add endpoints to fetch video views/viewers stats of local videos * Refactor views/viewers handlers * Support "views" and "viewers" counters for both VOD and live videos 2022-03-24 07:36:47 -05:00			`await server.views.simulateView({ id: videoId, xForwardedFor: '0.0.0.4,0.0.0.3,::ffff:127.0.0.1' })`
			`await server.views.simulateView({ id: videoId, xForwardedFor: '0.0.0.5,0.0.0.3,127.0.0.1' })`
Prevent brute force login attack 2018-03-29 03:58:24 -05:00
Bufferize videos views in redis 2018-08-29 09:26:25 -05:00			`// Wait the repeatable job`
			`await wait(8000)`

Shorter server command names 2021-07-16 02:04:35 -05:00			`const video = await server.videos.get({ id: videoId })`
Introduce videos command 2021-07-15 03:02:54 -05:00			`expect(video.views).to.equal(4)`
Prevent brute force login attack 2018-03-29 03:58:24 -05:00			`})`

			`it('Should view a video two times with a different client IP in the X-Forwarded-For header', async function () {`
Bufferize videos views in redis 2018-08-29 09:26:25 -05:00			`this.timeout(20000)`

Support video views/viewers stats in server * Add "currentTime" and "event" body params to view endpoint * Merge watching and view endpoints * Introduce WatchAction AP activity * Add tables to store viewer information of local videos * Add endpoints to fetch video views/viewers stats of local videos * Refactor views/viewers handlers * Support "views" and "viewers" counters for both VOD and live videos 2022-03-24 07:36:47 -05:00			`await server.views.simulateView({ id: videoId, xForwardedFor: '0.0.0.8,0.0.0.6,127.0.0.1' })`
			`await server.views.simulateView({ id: videoId, xForwardedFor: '0.0.0.8,0.0.0.7,127.0.0.1' })`
Prevent brute force login attack 2018-03-29 03:58:24 -05:00
Bufferize videos views in redis 2018-08-29 09:26:25 -05:00			`// Wait the repeatable job`
			`await wait(8000)`

Shorter server command names 2021-07-16 02:04:35 -05:00			`const video = await server.videos.get({ id: videoId })`
Introduce videos command 2021-07-15 03:02:54 -05:00			`expect(video.views).to.equal(6)`
Prevent brute force login attack 2018-03-29 03:58:24 -05:00			`})`

			`it('Should rate limit logins', async function () {`
			`const user = { username: 'root', password: 'fail' }`

Bypass rate limits for admins and moderators 2022-05-30 04:33:38 -05:00			`for (let i = 0; i < 18; i++) {`
Shorter server command names 2021-07-16 02:04:35 -05:00			`await server.login.login({ user, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })`
Prevent brute force login attack 2018-03-29 03:58:24 -05:00			`}`

Shorter server command names 2021-07-16 02:04:35 -05:00			`await server.login.login({ user, expectedStatus: HttpStatusCode.TOO_MANY_REQUESTS_429 })`
Prevent brute force login attack 2018-03-29 03:58:24 -05:00			`})`

Add rate limit to registration and API endpoints 2019-07-04 09:42:40 -05:00			`it('Should rate limit signup', async function () {`
Fix tests 2019-11-27 03:13:31 -06:00			`for (let i = 0; i < 10; i++) {`
			`try {`
Shorter server command names 2021-07-16 02:04:35 -05:00			`await server.users.register({ username: 'test' + i })`
Fix tests 2019-11-27 03:13:31 -06:00			`} catch {`
			`// empty`
			`}`
Add rate limit to registration and API endpoints 2019-07-04 09:42:40 -05:00			`}`

Shorter server command names 2021-07-16 02:04:35 -05:00			`await server.users.register({ username: 'test42', expectedStatus: HttpStatusCode.TOO_MANY_REQUESTS_429 })`
Add rate limit to registration and API endpoints 2019-07-04 09:42:40 -05:00			`})`

			`it('Should not rate limit failed signup', async function () {`
			`this.timeout(30000)`

			`await wait(7000)`

			`for (let i = 0; i < 3; i++) {`
Shorter server command names 2021-07-16 02:04:35 -05:00			`await server.users.register({ username: 'test' + i, expectedStatus: HttpStatusCode.CONFLICT_409 })`
Add rate limit to registration and API endpoints 2019-07-04 09:42:40 -05:00			`}`

Shorter server command names 2021-07-16 02:04:35 -05:00			`await server.users.register({ username: 'test43', expectedStatus: HttpStatusCode.NO_CONTENT_204 })`
Add rate limit to registration and API endpoints 2019-07-04 09:42:40 -05:00
			`})`

			`it('Should rate limit API calls', async function () {`
			`this.timeout(30000)`

			`await wait(7000)`

Try to fix tests 2019-09-24 03:19:55 -05:00			`for (let i = 0; i < 100; i++) {`
			`try {`
Shorter server command names 2021-07-16 02:04:35 -05:00			`await server.videos.get({ id: videoId })`
Try to fix tests 2019-09-24 03:19:55 -05:00			`} catch {`
			`// don't care if it fails`
			`}`
Add rate limit to registration and API endpoints 2019-07-04 09:42:40 -05:00			`}`

Shorter server command names 2021-07-16 02:04:35 -05:00			`await server.videos.get({ id: videoId, expectedStatus: HttpStatusCode.TOO_MANY_REQUESTS_429 })`
Add rate limit to registration and API endpoints 2019-07-04 09:42:40 -05:00			`})`

Bypass rate limits for admins and moderators 2022-05-30 04:33:38 -05:00			`it('Should rate limit API calls with a user but not with an admin', async function () {`
			`await server.videos.get({ id: videoId, token: userAccessToken, expectedStatus: HttpStatusCode.TOO_MANY_REQUESTS_429 })`

			`await server.videos.get({ id: videoId, token: server.accessToken, expectedStatus: HttpStatusCode.OK_200 })`
			`})`

Use test wrapper exit function 2019-04-24 08:10:37 -05:00			`after(async function () {`
			`await cleanupTests([ server ])`
Prevent brute force login attack 2018-03-29 03:58:24 -05:00			`})`
			`})`