import { test, expect } from '@playwright/test';
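/**
 * Opt-in guard: this suite issues real failed logins against the configured
 * live/staging site, so it only runs when explicitly requested via
 * E2E_BRUTEFORCE=1.
 */
const shouldRun = process.env.E2E_BRUTEFORCE === '1';

/**
 * Number of consecutive failed login attempts sent before the throttle is
 * expected to have engaged. Kept small so the check stays cheap.
 */
const MAX_ATTEMPTS = 8;

/** HTTP status treated as a throttle signal on any attempt. */
const THROTTLE_STATUS = 429;

/** Response-body text treated as a throttle signal (e.g. "Too many login attempts"). */
const THROTTLE_BODY_PATTERN = /too many.+attempt/i;

test.describe('Login brute-force throttle', () => {
  test.skip(!shouldRun, 'Set E2E_BRUTEFORCE=1 to run brute-force throttle check against the live/staging site.');

  test('repeated bad logins eventually trigger throttle', async ({ request }) => {
    // A non-existent account with a wrong password: every attempt must fail
    // authentication, so the only thing being exercised is the rate limiter.
    const attemptPayload = {
      email: 'nonexistent-user@example.com',
      password: 'WrongPass123!',
    };

    const statuses: number[] = [];
    const bodies: string[] = [];

    for (let attempt = 0; attempt < MAX_ATTEMPTS; attempt += 1) {
      // failOnStatusCode stays off: a 4xx here is the expected outcome, not a test error.
      const response = await request.post('/login', {
        form: attemptPayload,
        failOnStatusCode: false,
      });
      statuses.push(response.status());
      bodies.push(await response.text());
    }

    // Either signal counts: a 429 on any attempt, or a throttle notice in any
    // response body for deployments that report throttling in page text
    // rather than via the status code.
    const hitThrottle =
      statuses.includes(THROTTLE_STATUS) || bodies.some((body) => THROTTLE_BODY_PATTERN.test(body));

    // Attach the observed status sequence so a failure shows what the server
    // actually returned instead of a bare "expected truthy".
    expect(
      hitThrottle,
      `No throttle signal after ${MAX_ATTEMPTS} failed logins; statuses: ${statuses.join(', ')}`,
    ).toBeTruthy();
  });
});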