Add slowapi-based rate limiting: 5/min on password login, 10/min on WebAuthn login. Includes shared rate limiter reset fixture for tests. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
import pytest
from httpx import AsyncClient
from tests.conftest import get_csrf_token
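@pytest.mark.asyncio
async def test_password_login_rate_limited(client: AsyncClient) -> None:
    """After 5 failed attempts, the 6th should be rate-limited.

    Each of the first five attempts is asserted to NOT return 429 so the
    test pins the configured threshold (5/min on ``/login/password``).
    Without that check the test would also pass if the limiter rejected
    every request, or if a lower limit were misconfigured.

    Relies on the shared rate-limiter reset fixture so prior tests do not
    consume this client's budget.
    """
    token = await get_csrf_token(client)
    bad_credentials = {"username": "nobody", "password": "wrong"}
    csrf_headers = {"X-CSRF-Token": token}

    for attempt in range(1, 6):
        response = await client.post(
            "/login/password",
            data=bad_credentials,
            headers=csrf_headers,
        )
        # Within budget the request must be refused by authentication,
        # not by the limiter; the exact auth failure status is not pinned here.
        assert response.status_code != 429, (
            f"attempt {attempt} was rate-limited before the 5/min budget was spent"
        )

    # Sixth attempt inside the window exceeds the budget and must be throttled.
    response = await client.post(
        "/login/password",
        data=bad_credentials,
        headers=csrf_headers,
    )
    assert response.status_code == 429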