rezidir/GeoShare
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add registration security: bcrypt secret key, length validation, duplicate check, rate limiting

Browse Source
This commit is contained in:
dmit.b
2026-06-25 11:55:55 +03:00
parent efe68ef9a2
commit 6797f3d3c8
6 changed files with 172 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files
test/server_test.dart
+86 -6
View File
@@ -1,6 +1,7 @@
import 'dart:convert';
import 'dart:io';
import 'package:dotenv/dotenv.dart';
import 'package:http/http.dart' as http;
import 'package:test/test.dart';
@@ -9,20 +10,25 @@ void main() {
final host = 'http://localhost:$port';
late Process p;
String? authToken;
late String registrationSecretKey;
Future<String?> getAuthToken() async {
if (authToken != null) return authToken;
final regResponse = await http.post(
await Future.delayed(Duration(seconds: 11));
await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'testuser', 'password': 'testpass'}),
body: jsonEncode({'login': 'testuser', 'password': 'testpassword', 'secret_key': registrationSecretKey}),
);
await Future.delayed(Duration(seconds: 11));
final loginResponse = await http.post(
Uri.parse('$host/login'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'testuser', 'password': 'testpass'}),
body: jsonEncode({'login': 'testuser', 'password': 'testpassword'}),
);
if (loginResponse.statusCode == 200) {
@@ -33,6 +39,10 @@ void main() {
}
setUpAll(() async {
final env = DotEnv();
env.load(['bin/.env']);
registrationSecretKey = 'FtracKer*1405.';
stdout.writeln("Starting server...");
p = await Process.start(
'dart',
@@ -75,11 +85,59 @@ void main() {
final response = await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'newuser', 'password': 'newpass'}),
body: jsonEncode({'login': 'newuser', 'password': 'newpassword', 'secret_key': registrationSecretKey}),
);
expect(response.statusCode, 201);
final data = jsonDecode(response.body);
expect(data['login'], 'newuser');
expect(data['message'], 'User registered');
});
test('POST /reg - Invalid secret key', () async {
await Future.delayed(Duration(seconds: 11));
final response = await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'baduser', 'password': 'badpassword', 'secret_key': 'wrong_key'}),
);
expect(response.statusCode, 403);
});
test('POST /reg - Login too short', () async {
await Future.delayed(Duration(seconds: 11));
final response = await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'abc', 'password': 'longpassword', 'secret_key': registrationSecretKey}),
);
expect(response.statusCode, 400);
});
test('POST /reg - Password too short', () async {
await Future.delayed(Duration(seconds: 11));
final response = await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'validuser', 'password': 'short', 'secret_key': registrationSecretKey}),
);
expect(response.statusCode, 400);
});
test('POST /reg - Duplicate user', () async {
await Future.delayed(Duration(seconds: 11));
final response1 = await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'dupuser', 'password': 'longpassword', 'secret_key': registrationSecretKey}),
);
expect(response1.statusCode, 201);
await Future.delayed(Duration(seconds: 11));
final response2 = await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'dupuser', 'password': 'longpassword', 'secret_key': registrationSecretKey}),
);
expect(response2.statusCode, 400);
});
});
@@ -90,6 +148,7 @@ void main() {
});
test('POST /login - Invalid credentials', () async {
await Future.delayed(Duration(seconds: 11));
final response = await http.post(
Uri.parse('$host/login'),
headers: {'Content-Type': 'application/json'},
@@ -99,9 +158,29 @@ void main() {
});
});
group('Rate limiting', () {
test('POST /reg - Too many requests', () async {
await Future.delayed(Duration(seconds: 11));
final response1 = await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'ratetest1', 'password': 'longpassword', 'secret_key': registrationSecretKey}),
);
expect(response1.statusCode, 201);
final response2 = await http.post(
Uri.parse('$host/reg'),
headers: {'Content-Type': 'application/json'},
body: jsonEncode({'login': 'ratetest2', 'password': 'longpassword', 'secret_key': registrationSecretKey}),
);
expect(response2.statusCode, 429);
});
});
group('Geo operations', () {
test('POST /share - Create share link', () async {
await getAuthToken();
await Future.delayed(Duration(seconds: 11));
final response = await http.post(
Uri.parse('$host/share'),
headers: {
@@ -116,6 +195,7 @@ void main() {
});
test('POST /share - No auth token', () async {
await Future.delayed(Duration(seconds: 11));
final response = await http.post(
Uri.parse('$host/share'),
headers: {'Content-Type': 'application/json'},
@@ -133,4 +213,4 @@ void main() {
expect(response.statusCode, 404);
});
});
}
}