From 5492da0b384b3f44087a4ebc0ae04aee39ee57be Mon Sep 17 00:00:00 2001
From: Luca Palmieri
Date: Mon, 30 Aug 2021 17:57:35 +0200
Subject: [PATCH] Add tests to highlight timing attack.

---
 tests/api/helpers.rs | 4 +--
 tests/api/newsletter.rs | 62 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+), 2 deletions(-)

diff --git a/tests/api/helpers.rs b/tests/api/helpers.rs
index 2236b6d..8b0b09c 100644
--- a/tests/api/helpers.rs
+++ b/tests/api/helpers.rs
@@ -148,8 +148,8 @@ async fn configure_database(config: &DatabaseSettings) -> PgPool {
 pub struct TestUser {
 user_id: Uuid,
- username: String,
- password: String,
+ pub username: String,
+ pub password: String,
 }
 impl TestUser {
diff --git a/tests/api/newsletter.rs b/tests/api/newsletter.rs
index 0f03d29..0bf545c 100644
--- a/tests/api/newsletter.rs
+++ b/tests/api/newsletter.rs
@@ -1,4 +1,5 @@
 use crate::helpers::{spawn_app, ConfirmationLinks, TestApp};
+use uuid::Uuid;
 use wiremock::matchers::{any, method, path};
 use wiremock::{Mock, ResponseTemplate};
@@ -152,3 +153,64 @@ async fn requests_missing_authorization_are_rejected() {
 response.headers()["WWW-Authenticate"]
 );
 }
+
+#[actix_rt::test]
+async fn non_existing_user_is_rejected() {
+ // Arrange
+ let app = spawn_app().await;
+ // Random credentials
+ let username = Uuid::new_v4().to_string();
+ let password = Uuid::new_v4().to_string();
+
+ let response = reqwest::Client::new()
+ .post(&format!("{}/newsletters", &app.address))
+ .basic_auth(username, Some(password))
+ .json(&serde_json::json!({
+ "title": "Newsletter title",
+ "content": {
+ "text": "Newsletter body as plain text",
+ "html": "

Newsletter body as HTML

", + } + })) + .send() + .await + .expect("Failed to execute request."); + + // Assert + assert_eq!(401, response.status().as_u16()); + assert_eq!( + r#"Basic realm="publish""#, + response.headers()["WWW-Authenticate"] + ); +} + +#[actix_rt::test] +async fn invalid_password_is_rejected() { + // Arrange + let app = spawn_app().await; + let username = &app.test_user.username; + // Random password + let password = Uuid::new_v4().to_string(); + assert_ne!(app.test_user.password, password); + + let response = reqwest::Client::new() + .post(&format!("{}/newsletters", &app.address)) + .basic_auth(username, Some(password)) + .json(&serde_json::json!({ + "title": "Newsletter title", + "content": { + "text": "Newsletter body as plain text", + "html": "

Newsletter body as HTML

", + } + })) + .send() + .await + .expect("Failed to execute request."); + + // Assert + assert_eq!(401, response.status().as_u16()); + assert_eq!( + r#"Basic realm="publish""#, + response.headers()["WWW-Authenticate"] + ); +}