Add tests to highlight timing attack.

This commit is contained in:
Luca Palmieri 2021-08-30 17:57:35 +02:00
parent 00ab3e9252
commit 5492da0b38
2 changed files with 64 additions and 2 deletions


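--- a/PATH-NOT-SHOWN-IN-PAGE-1
+++ b/PATH-NOT-SHOWN-IN-PAGE-1
@@ -148,8 +148,8 @@ async fn configure_database(config: &DatabaseSettings) -> PgPool {
 pub struct TestUser {
 user_id: Uuid,
-username: String,
-password: String,
+pub username: String,
+pub password: String,
 }
 impl TestUser {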


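--- a/PATH-NOT-SHOWN-IN-PAGE-2
+++ b/PATH-NOT-SHOWN-IN-PAGE-2
@@ -1,4 +1,5 @@
 use crate::helpers::{spawn_app, ConfirmationLinks, TestApp};
+use uuid::Uuid;
 use wiremock::matchers::{any, method, path};
 use wiremock::{Mock, ResponseTemplate};
@@ -152,3 +153,64 @@ async fn requests_missing_authorization_are_rejected() {
 response.headers()["WWW-Authenticate"]
 );
 }
+#[actix_rt::test]
+async fn non_existing_user_is_rejected() {
+// Arrange
+let app = spawn_app().await;
+// Random credentials
+let username = Uuid::new_v4().to_string();
+let password = Uuid::new_v4().to_string();
+let response = reqwest::Client::new()
+.post(&format!("{}/newsletters", &app.address))
+.basic_auth(username, Some(password))
+.json(&serde_json::json!({
+"title": "Newsletter title",
+"content": {
+"text": "Newsletter body as plain text",
+"html": "<p>Newsletter body as HTML</p>",
+}
+}))
+.send()
+.await
+.expect("Failed to execute request.");
+// Assert
+assert_eq!(401, response.status().as_u16());
+assert_eq!(
+r#"Basic realm="publish""#,
+response.headers()["WWW-Authenticate"]
+);
+}
+#[actix_rt::test]
+async fn invalid_password_is_rejected() {
+// Arrange
+let app = spawn_app().await;
+let username = &app.test_user.username;
+// Random password
+let password = Uuid::new_v4().to_string();
+assert_ne!(app.test_user.password, password);
+let response = reqwest::Client::new()
+.post(&format!("{}/newsletters", &app.address))
+.basic_auth(username, Some(password))
+.json(&serde_json::json!({
+"title": "Newsletter title",
+"content": {
+"text": "Newsletter body as plain text",
+"html": "<p>Newsletter body as HTML</p>",
+}
+}))
+.send()
+.await
+.expect("Failed to execute request.");
+// Assert
+assert_eq!(401, response.status().as_u16());
+assert_eq!(
+r#"Basic realm="publish""#,
+response.headers()["WWW-Authenticate"]
+);
+}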
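Review bot: Neither `non_existing_user_is_rejected` nor `invalid_password_is_rejected` asserts anything about response latency, so the timing attack named in the commit title is only visible to someone comparing per-test durations by hand; the intent should be written down where the tests live. A comment above the first of the two, such as `// Both requests must be rejected with the same 401. The reason for having both is the timing side channel: the unknown-user path presumably answers faster than the wrong-password path (the handler is not in this diff), which lets a caller tell registered usernames from unregistered ones. Latency is not asserted here; the fix is to make both rejection paths do the same amount of work.`, keeps the reason from being lost once the handler is changed. Separately, the two tests differ only in the username and repeat twenty identical lines of request construction; a shared helper would keep any future latency comparison in one place, as sketched below.
```rust
/// POST /newsletters with HTTP basic auth and a fixed body; shared by the
/// authentication tests so that they differ only in the credentials sent.
async fn post_newsletter_as(app: &TestApp, username: &str, password: &str) -> reqwest::Response {
    reqwest::Client::new()
        .post(&format!("{}/newsletters", &app.address))
        .basic_auth(username, Some(password))
        .json(&serde_json::json!({
            "title": "Newsletter title",
            "content": {
                "text": "Newsletter body as plain text",
                "html": "<p>Newsletter body as HTML</p>",
            }
        }))
        .send()
        .await
        .expect("Failed to execute request.")
}

#[actix_rt::test]
async fn non_existing_user_is_rejected() {
    let app = spawn_app().await;
    // Freshly generated UUIDs, so the username is not a registered user.
    let username = Uuid::new_v4().to_string();
    let password = Uuid::new_v4().to_string();
    let response = post_newsletter_as(&app, &username, &password).await;
    // … unchanged: status and WWW-Authenticate assertions …
}
// … unchanged: invalid_password_is_rejected, with the same helper call …
```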