Hugging Face's logo

Spaces:
jebin2
/
apigateway
Sleeping

App Files Community
apigateway / tests /test_rate_limiting.py
jebin2's picture
jebin2
ref
a42ab7e
raw
history blame contribute delete
12.6 kB
 """
Comprehensive Tests for Rate Limiting
Tests cover:
1. Rate limit enforcement
2. Window-based limiting
3. Per-IP and per-endpoint limiting
4. Rate limit expiry
5. Exceeded limit handling
6. Rate limit increment and reset
Uses mocked database and async testing.
"""
import pytest
from datetime import datetime, timedelta
from sqlalchemy import select
# ============================================================================
# 1. Rate Limit Basic Functionality Tests
# ============================================================================
class TestRateLimitBasics:
"""Test basic rate limiting functionality."""
@pytest.mark.asyncio
async def test_first_request_allowed(self, db_session):
"""First request within limit is allowed."""
from core.dependencies import check_rate_limit
result = await check_rate_limit(
db=db_session,
identifier="192.168.1.1",
endpoint="/auth/google",
limit=5,
window_minutes=15
)
assert result == True
@pytest.mark.asyncio
async def test_within_limit_allowed(self, db_session):
"""Requests within limit are allowed."""
from core.dependencies import check_rate_limit
# Make 3 requests (limit is 5)
for i in range(3):
result = await check_rate_limit(
db=db_session,
identifier="10.0.0.1",
endpoint="/auth/refresh",
limit=5,
window_minutes=15
)
assert result == True
@pytest.mark.asyncio
async def test_exceed_limit_blocked(self, db_session):
"""Requests exceeding limit are blocked."""
from core.dependencies import check_rate_limit
# Make exactly limit requests
for i in range(5):
await check_rate_limit(
db=db_session,
identifier="203.0.113.1",
endpoint="/api/test",
limit=5,
window_minutes=15
)
# Next request should be blocked
result = await check_rate_limit(
db=db_session,
identifier="203.0.113.1",
endpoint="/api/test",
limit=5,
window_minutes=15
)
assert result == False
# ============================================================================
# 2. Window-Based Limiting Tests
# ============================================================================
class TestWindowBasedLimiting:
"""Test time window-based rate limiting."""
@pytest.mark.asyncio
async def test_rate_limit_creates_window(self, db_session):
"""Rate limit creates time window entry."""
from core.dependencies import check_rate_limit
from core.models import RateLimit
await check_rate_limit(
db=db_session,
identifier="192.168.1.100",
endpoint="/test",
limit=10,
window_minutes=15
)
# Verify RateLimit entry was created
result = await db_session.execute(
select(RateLimit).where(RateLimit.identifier == "192.168.1.100")
)
rate_limit = result.scalar_one_or_none()
assert rate_limit is not None
assert rate_limit.attempts == 1
assert rate_limit.window_start is not None
@pytest.mark.asyncio
async def test_attempts_increment_in_window(self, db_session):
"""Attempts increment within same window."""
from core.dependencies import check_rate_limit
from core.models import RateLimit
identifier = "10.10.10.10"
endpoint = "/auth/test"
# Make 3 requests
for i in range(3):
await check_rate_limit(
db=db_session,
identifier=identifier,
endpoint=endpoint,
limit=10,
window_minutes=15
)
# Check attempts count
result = await db_session.execute(
select(RateLimit).where(
RateLimit.identifier == identifier,
RateLimit.endpoint == endpoint
)
)
rate_limit = result .scalar_one_or_none()
assert rate_limit.attempts == 3
# ============================================================================
# 3. Per-IP and Per-Endpoint Limiting Tests
# ============================================================================
class TestPerIPAndEndpoint:
"""Test rate limiting per IP and endpoint."""
@pytest.mark.asyncio
async def test_different_ips_separate_limits(self, db_session):
"""Different IPs have separate rate limits."""
from core.dependencies import check_rate_limit
# IP 1 makes 5 requests
for i in range(5):
await check_rate_limit(
db=db_session,
identifier="192.168.1.1",
endpoint="/api/endpoint",
limit=5,
window_minutes=15
)
# IP 1 should be at limit
result1 = await check_rate_limit(
db=db_session,
identifier="192.168.1.1",
endpoint="/api/endpoint",
limit=5,
window_minutes=15
)
assert result1 == False
# IP 2 should still be allowed
result2 = await check_rate_limit(
db=db_session,
identifier="192.168.1.2",
endpoint="/api/endpoint",
limit=5,
window_minutes=15
)
assert result2 == True
@pytest.mark.asyncio
async def test_different_endpoints_separate_limits(self, db_session):
"""Same IP has separate limits for different endpoints."""
from core.dependencies import check_rate_limit
ip = "203.0.113.50"
# Max out limit on endpoint1
for i in range(3):
await check_rate_limit(
db=db_session,
identifier=ip,
endpoint="/endpoint1",
limit=3,
window_minutes=15
)
# Should be blocked on endpoint1
result1 = await check_rate_limit(
db=db_session,
identifier=ip,
endpoint="/endpoint1",
limit=3,
window_minutes=15
)
assert result1 == False
# Should still be allowed on endpoint2
result2 = await check_rate_limit(
db=db_session,
identifier=ip,
endpoint="/endpoint2",
limit=3,
window_minutes=15
)
assert result2 == True
# ============================================================================
# 4. Rate Limit Expiry Tests
# ============================================================================
class TestRateLimitExpiry:
"""Test rate limit expiry behavior."""
@pytest.mark.asyncio
async def test_rate_limit_has_expiry(self, db_session):
"""Rate limit entry has expiry time."""
from core.dependencies import check_rate_limit
from core.models import RateLimit
await check_rate_limit(
db=db_session,
identifier="192.168.1.200",
endpoint="/test",
limit=10,
window_minutes=15
)
result = await db_session.execute(
select(RateLimit).where(RateLimit.identifier == "192.168.1.200")
)
rate_limit = result.scalar_one_or_none()
assert rate_limit.expires_at is not None
# Expiry should be ~15 minutes from now
expected_expiry = datetime.utcnow() + timedelta(minutes=15)
time_diff = abs((rate_limit.expires_at - expected_expiry).total_seconds())
assert time_diff < 5 # Within 5 seconds tolerance
# ============================================================================
# 5. Edge Cases and Error Handling Tests
# ============================================================================
class TestRateLimitEdgeCases:
"""Test edge cases in rate limiting."""
@pytest.mark.asyncio
async def test_zero_limit_blocks_all(self, db_session):
"""Limit of 0 blocks all requests."""
from core.dependencies import check_rate_limit
# First request with limit=0 should be blocked
result = await check_rate_limit(
db=db_session,
identifier="192.168.1.1",
endpoint="/blocked",
limit=0,
window_minutes=15
)
# With limit=0, even first request creates entry with attempts=1
# which is already >= limit, so it should be blocked
# Actually, looking at the code, first request creates attempts=1
# then returns True. Second request will be blocked.
assert result == True # First request allowed
# Second request blocked
result2 = await check_rate_limit(
db=db_session,
identifier="192.168.1.1",
endpoint="/blocked",
limit=0,
window_minutes=15
)
assert result2 == False
@pytest.mark.asyncio
async def test_limit_of_one(self, db_session):
"""Limit of 1 allows only first request."""
from core.dependencies import check_rate_limit
result1 = await check_rate_limit(
db=db_session,
identifier="10.0.0.10",
endpoint="/single",
limit=1,
window_minutes=15
)
assert result1 == True
result2 = await check_rate_limit(
db=db_session,
identifier="10.0.0.10",
endpoint="/single",
limit=1,
window_minutes=15
)
assert result2 == False
@pytest.mark.asyncio
async def test_very_short_window(self, db_session):
"""Very short time window works correctly."""
from core.dependencies import check_rate_limit
# 1 minute window
result = await check_rate_limit(
db=db_session,
identifier="192.168.1.50",
endpoint="/short",
limit=5,
window_minutes=1
)
assert result == True
@pytest.mark.asyncio
async def test_long_window(self, db_session):
"""Long time window works correctly."""
from core.dependencies import check_rate_limit
# 24 hour window
result = await check_rate_limit(
db=db_session,
identifier="192.168.1.60",
endpoint="/long",
limit=100,
window_minutes=1440 # 24 hours
)
assert result == True
# ============================================================================
# 6. Rate Limit Data Persistence Tests
# ============================================================================
class TestRateLimitPersistence:
"""Test rate limit data persistence."""
@pytest.mark.asyncio
async def test_rate_limit_persists(self, db_session):
"""Rate limit data persists across checks."""
from core.dependencies import check_rate_limit
from core.models import RateLimit
identifier = "192.168.1.99"
endpoint = "/persist"
# Make first request
await check_rate_limit(
db=db_session,
identifier=identifier,
endpoint=endpoint,
limit=10,
window_minutes=15
)
# Query database
result = await db_session.execute(
select(RateLimit).where(
RateLimit.identifier == identifier,
RateLimit.endpoint == endpoint
)
)
rate_limit = result.scalar_one()
initial_attempts = rate_limit.attempts
# Make another request
await check_rate_limit(
db=db_session,
identifier=identifier,
endpoint=endpoint,
limit=10,
window_minutes=15
)
# Re-query database
await db_session.refresh(rate_limit)
assert rate_limit.attempts == initial_attempts + 1
if __name__ == "__main__":
pytest.main([__file__, "-v"])