Merge remote-tracking branch 'parent/main' into upstream-20240122

2024-01-22 10:07:33 +09:00 · 2024-01-22 10:07:33 +09:00 · a4cc73438e
commit a4cc73438e
parent 8793bc286e 9f8e3cca9a
65 changed files with 1150 additions and 707 deletions
--- a/spec/controllers/api/v1/accounts/follower_accounts_controller_spec.rb
+++ b/spec/controllers/api/v1/accounts/follower_accounts_controller_spec.rb
@ -1,61 +0,0 @@
-# frozen_string_literal: true
-
-require 'rails_helper'
-
-describe Api::V1::Accounts::FollowerAccountsController do
-  render_views
-
-  let(:user)    { Fabricate(:user) }
-  let(:token)   { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:accounts') }
-  let(:account) { Fabricate(:account) }
-  let(:alice)   { Fabricate(:account) }
-  let(:bob)     { Fabricate(:account) }
-
-  before do
-    alice.follow!(account)
-    bob.follow!(account)
-    allow(controller).to receive(:doorkeeper_token) { token }
-  end
-
-  describe 'GET #index' do
-    it 'returns accounts following the given account', :aggregate_failures do
-      get :index, params: { account_id: account.id, limit: 2 }
-
-      expect(response).to have_http_status(200)
-      expect(body_as_json.size).to eq 2
-      expect([body_as_json[0][:id], body_as_json[1][:id]]).to contain_exactly(alice.id.to_s, bob.id.to_s)
-    end
-
-    it 'does not return blocked users', :aggregate_failures do
-      user.account.block!(bob)
-      get :index, params: { account_id: account.id, limit: 2 }
-
-      expect(response).to have_http_status(200)
-      expect(body_as_json.size).to eq 1
-      expect(body_as_json[0][:id]).to eq alice.id.to_s
-    end
-
-    context 'when requesting user is blocked' do
-      before do
-        account.block!(user.account)
-      end
-
-      it 'hides results' do
-        get :index, params: { account_id: account.id, limit: 2 }
-        expect(body_as_json.size).to eq 0
-      end
-    end
-
-    context 'when requesting user is the account owner' do
-      let(:user) { account.user }
-
-      it 'returns all accounts, including muted accounts' do
-        account.mute!(bob)
-        get :index, params: { account_id: account.id, limit: 2 }
-
-        expect(body_as_json.size).to eq 2
-        expect([body_as_json[0][:id], body_as_json[1][:id]]).to contain_exactly(alice.id.to_s, bob.id.to_s)
-      end
-    end
-  end
-end
--- a/spec/controllers/api/v1/accounts/following_accounts_controller_spec.rb
+++ b/spec/controllers/api/v1/accounts/following_accounts_controller_spec.rb
@ -1,61 +0,0 @@
-# frozen_string_literal: true
-
-require 'rails_helper'
-
-describe Api::V1::Accounts::FollowingAccountsController do
-  render_views
-
-  let(:user)    { Fabricate(:user) }
-  let(:token)   { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:accounts') }
-  let(:account) { Fabricate(:account) }
-  let(:alice)   { Fabricate(:account) }
-  let(:bob)     { Fabricate(:account) }
-
-  before do
-    account.follow!(alice)
-    account.follow!(bob)
-    allow(controller).to receive(:doorkeeper_token) { token }
-  end
-
-  describe 'GET #index' do
-    it 'returns accounts followed by the given account', :aggregate_failures do
-      get :index, params: { account_id: account.id, limit: 2 }
-
-      expect(response).to have_http_status(200)
-      expect(body_as_json.size).to eq 2
-      expect([body_as_json[0][:id], body_as_json[1][:id]]).to contain_exactly(alice.id.to_s, bob.id.to_s)
-    end
-
-    it 'does not return blocked users', :aggregate_failures do
-      user.account.block!(bob)
-      get :index, params: { account_id: account.id, limit: 2 }
-
-      expect(response).to have_http_status(200)
-      expect(body_as_json.size).to eq 1
-      expect(body_as_json[0][:id]).to eq alice.id.to_s
-    end
-
-    context 'when requesting user is blocked' do
-      before do
-        account.block!(user.account)
-      end
-
-      it 'hides results' do
-        get :index, params: { account_id: account.id, limit: 2 }
-        expect(body_as_json.size).to eq 0
-      end
-    end
-
-    context 'when requesting user is the account owner' do
-      let(:user) { account.user }
-
-      it 'returns all accounts, including muted accounts' do
-        account.mute!(bob)
-        get :index, params: { account_id: account.id, limit: 2 }
-
-        expect(body_as_json.size).to eq 2
-        expect([body_as_json[0][:id], body_as_json[1][:id]]).to contain_exactly(alice.id.to_s, bob.id.to_s)
-      end
-    end
-  end
-end
--- a/spec/controllers/auth/sessions_controller_spec.rb
+++ b/spec/controllers/auth/sessions_controller_spec.rb
@ -262,6 +262,26 @@ RSpec.describe Auth::SessionsController do
          end
        end

+        context 'when repeatedly using an invalid TOTP code before using a valid code' do
+          before do
+            stub_const('Auth::SessionsController::MAX_2FA_ATTEMPTS_PER_HOUR', 2)
+          end
+
+          it 'does not log the user in' do
+            # Travel to the beginning of an hour to avoid crossing rate-limit buckets
+            travel_to '2023-12-20T10:00:00Z'
+
+            Auth::SessionsController::MAX_2FA_ATTEMPTS_PER_HOUR.times do
+              post :create, params: { user: { otp_attempt: '1234' } }, session: { attempt_user_id: user.id, attempt_user_updated_at: user.updated_at.to_s }
+              expect(controller.current_user).to be_nil
+            end
+
+            post :create, params: { user: { otp_attempt: user.current_otp } }, session: { attempt_user_id: user.id, attempt_user_updated_at: user.updated_at.to_s }
+            expect(controller.current_user).to be_nil
+            expect(flash[:alert]).to match I18n.t('users.rate_limited')
+          end
+        end
+
        context 'when using a valid OTP' do
          before do
            post :create, params: { user: { otp_attempt: user.current_otp } }, session: { attempt_user_id: user.id, attempt_user_updated_at: user.updated_at.to_s }