chore: sync testing plan with gateway

2026-04-09 12:34:55 +02:00
parent c64c298d06
commit 9065b82fe2
5 changed files with 262 additions and 11 deletions
@@ -216,6 +216,83 @@ func TestPublicAntiAbuseBrowserClassBucketsStayIsolatedFromPublicAuth(t *testing
 	}
 }

+func TestPublicAntiAbuseUsesRemoteAddrInsteadOfForwardedHeaders(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name           string
+		headerKey      string
+		firstHeader    string
+		secondHeader   string
+		firstRemote    string
+		secondRemote   string
+		wantSecondCode int
+	}{
+		{
+			name:           "same remote addr ignores x-forwarded-for changes",
+			headerKey:      "X-Forwarded-For",
+			firstHeader:    "198.51.100.10",
+			secondHeader:   "198.51.100.11",
+			firstRemote:    "192.0.2.10:1234",
+			secondRemote:   "192.0.2.10:1234",
+			wantSecondCode: http.StatusTooManyRequests,
+		},
+		{
+			name:           "different remote addr wins over shared forwarded header",
+			headerKey:      "Forwarded",
+			firstHeader:    "for=198.51.100.10",
+			secondHeader:   "for=198.51.100.10",
+			firstRemote:    "192.0.2.10:1234",
+			secondRemote:   "192.0.2.11:1234",
+			wantSecondCode: http.StatusOK,
+		},
+	}
+
+	for _, tt := range tests {
+		tt := tt
+
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			cfg := config.DefaultPublicHTTPConfig()
+			cfg.AntiAbuse.PublicAuth.RateLimit = config.PublicRateLimitConfig{
+				Requests: 1,
+				Window:   time.Hour,
+				Burst:    1,
+			}
+			cfg.AntiAbuse.SendEmailCodeIdentity.RateLimit = config.PublicRateLimitConfig{
+				Requests: 100,
+				Window:   time.Hour,
+				Burst:    100,
+			}
+
+			authService := &recordingAuthServiceClient{
+				sendEmailCodeResult: SendEmailCodeResult{
+					ChallengeID: "challenge-123",
+				},
+			}
+			handler := newPublicHandlerWithConfig(cfg, ServerDependencies{AuthService: authService})
+
+			first := sendEmailCodeRequest(`{"email":"pilot-one@example.com"}`)
+			first.RemoteAddr = tt.firstRemote
+			first.Header.Set(tt.headerKey, tt.firstHeader)
+
+			second := sendEmailCodeRequest(`{"email":"pilot-two@example.com"}`)
+			second.RemoteAddr = tt.secondRemote
+			second.Header.Set(tt.headerKey, tt.secondHeader)
+
+			firstResp := httptest.NewRecorder()
+			handler.ServeHTTP(firstResp, first)
+
+			secondResp := httptest.NewRecorder()
+			handler.ServeHTTP(secondResp, second)
+
+			assert.Equal(t, http.StatusOK, firstResp.Code)
+			assert.Equal(t, tt.wantSecondCode, secondResp.Code)
+		})
+	}
+}
+
 func TestPublicAntiAbuseSendEmailIdentityThrottle(t *testing.T) {
 	t.Parallel()