package connectsrv_test import ( "context" "net/http" "net/http/httptest" "testing" "time" "connectrpc.com/connect" "scrabble/gateway/internal/backendclient" "scrabble/gateway/internal/config" "scrabble/gateway/internal/connectsrv" "scrabble/gateway/internal/push" "scrabble/gateway/internal/ratelimit" "scrabble/gateway/internal/session" "scrabble/gateway/internal/transcode" edgev1 "scrabble/gateway/proto/edge/v1" "scrabble/gateway/proto/edge/v1/edgev1connect" ) const honeypotHeader = "X-Scrabble-Honeypot" // guardedEdge wires an edge with an explicit banlist and honeytoken over a fake // backend, returning the front URL, a Connect client and a cleanup func. func guardedEdge(t *testing.T, bl *ratelimit.Banlist, honeytoken string, limits config.RateLimitConfig, backendHandler http.HandlerFunc) (string, edgev1connect.GatewayClient, func()) { t.Helper() backendSrv := httptest.NewServer(backendHandler) backend, err := backendclient.New(backendSrv.URL, "localhost:9090", 2*time.Second) if err != nil { t.Fatalf("backendclient: %v", err) } edge := connectsrv.NewServer(connectsrv.Deps{ Registry: transcode.NewRegistry(backend, nil), Sessions: session.NewCache(backend, time.Minute, 100), Limiter: ratelimit.New(), Banlist: bl, Honeytoken: honeytoken, Hub: push.NewHub(0), RateLimit: limits, Heartbeat: 15 * time.Second, }) edgeSrv := httptest.NewServer(edge.HTTPHandler()) client := edgev1connect.NewGatewayClient(http.DefaultClient, edgeSrv.URL) return edgeSrv.URL, client, func() { edgeSrv.Close() _ = backend.Close() backendSrv.Close() } } // noRedirect is an HTTP client that surfaces a redirect instead of following it, // so the test can tell a 308 (passed the guard) from a 429 (blocked). func noRedirect() *http.Client { return &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }} } func enabledBanlist(threshold int) *ratelimit.Banlist { return ratelimit.NewBanlist(ratelimit.BanConfig{ Enabled: true, Threshold: threshold, Window: time.Minute, Duration: time.Hour, }) } // TestAbuseGuardBlocksBannedIP verifies a banned client IP is refused with 429 at // the HTTP layer, before any handler runs. func TestAbuseGuardBlocksBannedIP(t *testing.T) { bl := enabledBanlist(100) bl.BanNow("127.0.0.1", ratelimit.ReasonTripwire) url, _, cleanup := guardedEdge(t, bl, "", config.DefaultRateLimit(), func(w http.ResponseWriter, r *http.Request) {}) defer cleanup() resp, err := noRedirect().Get(url + "/") if err != nil { t.Fatalf("get: %v", err) } _ = resp.Body.Close() if resp.StatusCode != http.StatusTooManyRequests { t.Fatalf("banned GET / = %d, want 429", resp.StatusCode) } } // TestHoneypotHeaderTrips verifies a request carrying the honeypot header is 404'd // and bans the client IP, so the next request is blocked. func TestHoneypotHeaderTrips(t *testing.T) { bl := enabledBanlist(100) url, _, cleanup := guardedEdge(t, bl, "", config.DefaultRateLimit(), func(w http.ResponseWriter, r *http.Request) { t.Error("backend must not be called for a honeypot hit") }) defer cleanup() req, _ := http.NewRequest(http.MethodGet, url+"/.env", nil) req.Header.Set(honeypotHeader, "1") resp, err := noRedirect().Do(req) if err != nil { t.Fatalf("honeypot get: %v", err) } _ = resp.Body.Close() if resp.StatusCode != http.StatusNotFound { t.Fatalf("honeypot hit = %d, want 404", resp.StatusCode) } if !bl.Banned("127.0.0.1") { t.Fatal("a honeypot hit must ban the client IP") } follow, err := noRedirect().Get(url + "/") if err != nil { t.Fatalf("follow-up get: %v", err) } _ = follow.Body.Close() if follow.StatusCode != http.StatusTooManyRequests { t.Fatalf("post-trip GET / = %d, want 429", follow.StatusCode) } } // TestHoneypotDetectsWithoutBanWhenDisabled verifies the prod-only gate: a disabled // banlist still 404s the decoy (detection/logging) but bans nothing. func TestHoneypotDetectsWithoutBanWhenDisabled(t *testing.T) { bl := ratelimit.NewBanlist(ratelimit.BanConfig{}) // disabled url, _, cleanup := guardedEdge(t, bl, "", config.DefaultRateLimit(), func(w http.ResponseWriter, r *http.Request) {}) defer cleanup() req, _ := http.NewRequest(http.MethodGet, url+"/.env", nil) req.Header.Set(honeypotHeader, "1") resp, err := noRedirect().Do(req) if err != nil { t.Fatalf("honeypot get: %v", err) } _ = resp.Body.Close() if resp.StatusCode != http.StatusNotFound { t.Fatalf("decoy = %d, want 404", resp.StatusCode) } if bl.Banned("127.0.0.1") { t.Fatal("a disabled banlist must not ban") } follow, err := noRedirect().Get(url + "/") if err != nil { t.Fatalf("follow-up: %v", err) } _ = follow.Body.Close() if follow.StatusCode != http.StatusPermanentRedirect { t.Fatalf("post-trip GET / = %d, want 308 (not banned)", follow.StatusCode) } } // TestPublicRejectionStrikesBan verifies a public-class limiter rejection feeds the // banlist: with a one-strike threshold the rejected IP is then banned. func TestPublicRejectionStrikesBan(t *testing.T) { bl := enabledBanlist(1) limits := config.DefaultRateLimit() limits.PublicPerMinute, limits.PublicBurst = 1, 1 _, client, cleanup := guardedEdge(t, bl, "", limits, func(w http.ResponseWriter, r *http.Request) { _, _ = w.Write([]byte(`{"token":"tok","user_id":"u-1","is_guest":true,"display_name":"Guest"}`)) }) defer cleanup() if _, err := client.Execute(context.Background(), connect.NewRequest(&edgev1.ExecuteRequest{MessageType: transcode.MsgAuthGuest})); err != nil { t.Fatalf("first execute: %v", err) } _, err := client.Execute(context.Background(), connect.NewRequest(&edgev1.ExecuteRequest{MessageType: transcode.MsgAuthGuest})) if connect.CodeOf(err) != connect.CodeResourceExhausted { t.Fatalf("second execute code = %v, want ResourceExhausted", connect.CodeOf(err)) } if !bl.Banned("127.0.0.1") { t.Fatal("a public rejection must strike the banlist") } } // TestUserRejectionDoesNotBan verifies the user limiter class (keyed by account id, // not IP) does not feed the IP banlist — that path is the backend's soft flag. func TestUserRejectionDoesNotBan(t *testing.T) { bl := enabledBanlist(1) limits := config.DefaultRateLimit() limits.UserPerMinute, limits.UserBurst = 1, 1 _, client, cleanup := guardedEdge(t, bl, "", limits, func(w http.ResponseWriter, r *http.Request) { switch r.URL.Path { case "/api/v1/internal/sessions/resolve": _, _ = w.Write([]byte(`{"user_id":"u-1","is_guest":false}`)) case "/api/v1/user/feedback/unread": _, _ = w.Write([]byte(`{"reply_unread":false}`)) default: t.Errorf("unexpected backend path %s", r.URL.Path) } }) defer cleanup() for i := range 2 { req := connect.NewRequest(&edgev1.ExecuteRequest{MessageType: transcode.MsgFeedbackUnread}) req.Header().Set("Authorization", "Bearer tok") _, err := client.Execute(context.Background(), req) if i == 1 && connect.CodeOf(err) != connect.CodeResourceExhausted { t.Fatalf("second execute code = %v, want ResourceExhausted", connect.CodeOf(err)) } } if len(bl.Active()) != 0 { t.Fatalf("user-class rejection must not ban; active = %v", bl.Active()) } } // TestHoneytokenBansAndRejects verifies presenting the planted honeytoken bans the // caller and returns the ordinary invalid-session error without a backend call. func TestHoneytokenBansAndRejects(t *testing.T) { bl := enabledBanlist(100) _, client, cleanup := guardedEdge(t, bl, "s3cr3t-trap", config.DefaultRateLimit(), func(w http.ResponseWriter, r *http.Request) { t.Error("backend must not be called for the honeytoken") }) defer cleanup() req := connect.NewRequest(&edgev1.ExecuteRequest{MessageType: transcode.MsgProfileGet}) req.Header().Set("Authorization", "Bearer s3cr3t-trap") _, err := client.Execute(context.Background(), req) if connect.CodeOf(err) != connect.CodeUnauthenticated { t.Fatalf("honeytoken code = %v, want Unauthenticated", connect.CodeOf(err)) } if !bl.Banned("127.0.0.1") { t.Fatal("the honeytoken must ban the caller") } }