Add tests to highlight timing attack.

2024-12-18 14:06:37 +00:00 · 2021-08-30 17:57:35 +02:00 · 2021-08-30 17:57:35 +02:00 · 5492da0b38
commit 5492da0b38
parent 00ab3e9252
2 changed files with 64 additions and 2 deletions
--- a/tests/api/helpers.rs
+++ b/tests/api/helpers.rs
@ -148,8 +148,8 @@ async fn configure_database(config: &DatabaseSettings) -> PgPool {

 pub struct TestUser {
    user_id: Uuid,
-    username: String,
-    password: String,
+    pub username: String,
+    pub password: String,
 }

 impl TestUser {
--- a/tests/api/newsletter.rs
+++ b/tests/api/newsletter.rs
@ -1,4 +1,5 @@
 use crate::helpers::{spawn_app, ConfirmationLinks, TestApp};
+use uuid::Uuid;
 use wiremock::matchers::{any, method, path};
 use wiremock::{Mock, ResponseTemplate};

@ -152,3 +153,64 @@ async fn requests_missing_authorization_are_rejected() {
        response.headers()["WWW-Authenticate"]
    );
 }
+
+#[actix_rt::test]
+async fn non_existing_user_is_rejected() {
+    // Arrange
+    let app = spawn_app().await;
+    // Random credentials
+    let username = Uuid::new_v4().to_string();
+    let password = Uuid::new_v4().to_string();
+
+    let response = reqwest::Client::new()
+        .post(&format!("{}/newsletters", &app.address))
+        .basic_auth(username, Some(password))
+        .json(&serde_json::json!({
+            "title": "Newsletter title",
+            "content": {
+                "text": "Newsletter body as plain text",
+                "html": "<p>Newsletter body as HTML</p>",
+            }
+        }))
+        .send()
+        .await
+        .expect("Failed to execute request.");
+
+    // Assert
+    assert_eq!(401, response.status().as_u16());
+    assert_eq!(
+        r#"Basic realm="publish""#,
+        response.headers()["WWW-Authenticate"]
+    );
+}
+
+#[actix_rt::test]
+async fn invalid_password_is_rejected() {
+    // Arrange
+    let app = spawn_app().await;
+    let username = &app.test_user.username;
+    // Random password
+    let password = Uuid::new_v4().to_string();
+    assert_ne!(app.test_user.password, password);
+
+    let response = reqwest::Client::new()
+        .post(&format!("{}/newsletters", &app.address))
+        .basic_auth(username, Some(password))
+        .json(&serde_json::json!({
+            "title": "Newsletter title",
+            "content": {
+                "text": "Newsletter body as plain text",
+                "html": "<p>Newsletter body as HTML</p>",
+            }
+        }))
+        .send()
+        .await
+        .expect("Failed to execute request.");
+
+    // Assert
+    assert_eq!(401, response.status().as_u16());
+    assert_eq!(
+        r#"Basic realm="publish""#,
+        response.headers()["WWW-Authenticate"]
+    );
+}