src/backend/core/tests/test_throttle.py

"""
Test Throttle in People's app.
"""
import pytest
from rest_framework.test import APIClient

from core import factories

from people.settings import REST_FRAMEWORK  # pylint: disable=E0611

pytestmark = pytest.mark.django_db


def test_throttle():
    """
    Throttle protection should block requests if too many.
    """
    identity = factories.IdentityFactory()
    user = identity.user

    client = APIClient()
    client.force_login(user)
    endpoint = "/api/v1.0/users/"

    # loop to activate throttle protection
    throttle_limit = int(
        REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"]["burst"].replace("/minute", "")
    )
    for _ in range(0, throttle_limit):
        client.get(endpoint)

    # this call should err
    response = client.get(endpoint)
    assert response.status_code == 429  # too many requests
✨(api) search users by email (#16) * ✨(api) search users by email The front end should be able to search users by email. To that goal, we added a list method to the users viewset thus creating the /users/ endpoint. Results are filtered based on similarity with the query, based on what preexisted for the /contacts/ endpoint. * ✅(api) test list users by email Test search when complete, partial query, accentuated and capital. Also, lower similarity threshold for user search by email as it was too high for some tests to pass. * 💡(api) improve documentation and test comments Improve user viewset documentation and comments describing tests sections Co-authored-by: aleb_the_flash <45729124+lebaudantoine@users.noreply.github.com> Co-authored-by: Anthony LC <anthony.le-courric@mail.numerique.gouv.fr> * 🛂(api) set isAuthenticated as base requirements Instead of checking permissions or adding decorators to every viewset, isAuthenticated is set as base requirement. * 🛂(api) define throttle limits in settings Use of Djando Rest Framework's throttle options, now set globally to avoid duplicate code. * 🩹(api) add email to user serializer email field added to serializer. Tests modified accordingly. I added the email field as "read only" to pass tests, but we need to discuss that point in review. * 🧱(api) move search logic to queryset User viewset "list" method was overridden to allow search by email. This removed the pagination. Instead of manually re-adding pagination at the end of this method, I moved the search/filter logic to get_queryset, to leave DRF handle pagination. * ✅(api) test throttle protection Test that throttle protection succesfully blocks too many requests. * 📝(tests) improve tests comment Fix typos on comments and clarify which setting are tested on test_throttle test (setting import required disabling pylint false positive error) Co-authored-by: aleb_the_flash <45729124+lebaudantoine@users.noreply.github.com> --------- Co-authored-by: aleb_the_flash <45729124+lebaudantoine@users.noreply.github.com> Co-authored-by: Anthony LC <anthony.le-courric@mail.numerique.gouv.fr> 2024-01-29 10:14:17 +01:00			`"""`
			`Test Throttle in People's app.`
			`"""`
			`import pytest`
			`from rest_framework.test import APIClient`

			`from core import factories`

			`from people.settings import REST_FRAMEWORK # pylint: disable=E0611`

			`pytestmark = pytest.mark.django_db`


			`def test_throttle():`
			`"""`
			`Throttle protection should block requests if too many.`
			`"""`
			`identity = factories.IdentityFactory()`
			`user = identity.user`

			`client = APIClient()`
✅(backend) drop JWT authentication in API tests Force login to bypass authorization checks when necessary. Note: Generating a session cookie through OIDC flow is not supported while testing our API. 2024-02-14 23:14:30 +01:00			`client.force_login(user)`
✨(api) search users by email (#16) * ✨(api) search users by email The front end should be able to search users by email. To that goal, we added a list method to the users viewset thus creating the /users/ endpoint. Results are filtered based on similarity with the query, based on what preexisted for the /contacts/ endpoint. * ✅(api) test list users by email Test search when complete, partial query, accentuated and capital. Also, lower similarity threshold for user search by email as it was too high for some tests to pass. * 💡(api) improve documentation and test comments Improve user viewset documentation and comments describing tests sections Co-authored-by: aleb_the_flash <45729124+lebaudantoine@users.noreply.github.com> Co-authored-by: Anthony LC <anthony.le-courric@mail.numerique.gouv.fr> * 🛂(api) set isAuthenticated as base requirements Instead of checking permissions or adding decorators to every viewset, isAuthenticated is set as base requirement. * 🛂(api) define throttle limits in settings Use of Djando Rest Framework's throttle options, now set globally to avoid duplicate code. * 🩹(api) add email to user serializer email field added to serializer. Tests modified accordingly. I added the email field as "read only" to pass tests, but we need to discuss that point in review. * 🧱(api) move search logic to queryset User viewset "list" method was overridden to allow search by email. This removed the pagination. Instead of manually re-adding pagination at the end of this method, I moved the search/filter logic to get_queryset, to leave DRF handle pagination. * ✅(api) test throttle protection Test that throttle protection succesfully blocks too many requests. * 📝(tests) improve tests comment Fix typos on comments and clarify which setting are tested on test_throttle test (setting import required disabling pylint false positive error) Co-authored-by: aleb_the_flash <45729124+lebaudantoine@users.noreply.github.com> --------- Co-authored-by: aleb_the_flash <45729124+lebaudantoine@users.noreply.github.com> Co-authored-by: Anthony LC <anthony.le-courric@mail.numerique.gouv.fr> 2024-01-29 10:14:17 +01:00			`endpoint = "/api/v1.0/users/"`

			`# loop to activate throttle protection`
			`throttle_limit = int(`
			`REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"]["burst"].replace("/minute", "")`
			`)`
			`for _ in range(0, throttle_limit):`
✅(backend) drop JWT authentication in API tests Force login to bypass authorization checks when necessary. Note: Generating a session cookie through OIDC flow is not supported while testing our API. 2024-02-14 23:14:30 +01:00			`client.get(endpoint)`
✨(api) search users by email (#16) * ✨(api) search users by email The front end should be able to search users by email. To that goal, we added a list method to the users viewset thus creating the /users/ endpoint. Results are filtered based on similarity with the query, based on what preexisted for the /contacts/ endpoint. * ✅(api) test list users by email Test search when complete, partial query, accentuated and capital. Also, lower similarity threshold for user search by email as it was too high for some tests to pass. * 💡(api) improve documentation and test comments Improve user viewset documentation and comments describing tests sections Co-authored-by: aleb_the_flash <45729124+lebaudantoine@users.noreply.github.com> Co-authored-by: Anthony LC <anthony.le-courric@mail.numerique.gouv.fr> * 🛂(api) set isAuthenticated as base requirements Instead of checking permissions or adding decorators to every viewset, isAuthenticated is set as base requirement. * 🛂(api) define throttle limits in settings Use of Djando Rest Framework's throttle options, now set globally to avoid duplicate code. * 🩹(api) add email to user serializer email field added to serializer. Tests modified accordingly. I added the email field as "read only" to pass tests, but we need to discuss that point in review. * 🧱(api) move search logic to queryset User viewset "list" method was overridden to allow search by email. This removed the pagination. Instead of manually re-adding pagination at the end of this method, I moved the search/filter logic to get_queryset, to leave DRF handle pagination. * ✅(api) test throttle protection Test that throttle protection succesfully blocks too many requests. * 📝(tests) improve tests comment Fix typos on comments and clarify which setting are tested on test_throttle test (setting import required disabling pylint false positive error) Co-authored-by: aleb_the_flash <45729124+lebaudantoine@users.noreply.github.com> --------- Co-authored-by: aleb_the_flash <45729124+lebaudantoine@users.noreply.github.com> Co-authored-by: Anthony LC <anthony.le-courric@mail.numerique.gouv.fr> 2024-01-29 10:14:17 +01:00
			`# this call should err`
✅(backend) drop JWT authentication in API tests Force login to bypass authorization checks when necessary. Note: Generating a session cookie through OIDC flow is not supported while testing our API. 2024-02-14 23:14:30 +01:00			`response = client.get(endpoint)`
✨(api) search users by email (#16) * ✨(api) search users by email The front end should be able to search users by email. To that goal, we added a list method to the users viewset thus creating the /users/ endpoint. Results are filtered based on similarity with the query, based on what preexisted for the /contacts/ endpoint. * ✅(api) test list users by email Test search when complete, partial query, accentuated and capital. Also, lower similarity threshold for user search by email as it was too high for some tests to pass. * 💡(api) improve documentation and test comments Improve user viewset documentation and comments describing tests sections Co-authored-by: aleb_the_flash <45729124+lebaudantoine@users.noreply.github.com> Co-authored-by: Anthony LC <anthony.le-courric@mail.numerique.gouv.fr> * 🛂(api) set isAuthenticated as base requirements Instead of checking permissions or adding decorators to every viewset, isAuthenticated is set as base requirement. * 🛂(api) define throttle limits in settings Use of Djando Rest Framework's throttle options, now set globally to avoid duplicate code. * 🩹(api) add email to user serializer email field added to serializer. Tests modified accordingly. I added the email field as "read only" to pass tests, but we need to discuss that point in review. * 🧱(api) move search logic to queryset User viewset "list" method was overridden to allow search by email. This removed the pagination. Instead of manually re-adding pagination at the end of this method, I moved the search/filter logic to get_queryset, to leave DRF handle pagination. * ✅(api) test throttle protection Test that throttle protection succesfully blocks too many requests. * 📝(tests) improve tests comment Fix typos on comments and clarify which setting are tested on test_throttle test (setting import required disabling pylint false positive error) Co-authored-by: aleb_the_flash <45729124+lebaudantoine@users.noreply.github.com> --------- Co-authored-by: aleb_the_flash <45729124+lebaudantoine@users.noreply.github.com> Co-authored-by: Anthony LC <anthony.le-courric@mail.numerique.gouv.fr> 2024-01-29 10:14:17 +01:00			`assert response.status_code == 429 # too many requests`