feat(auth): add signIn rate-limit backfill with dual ip/account budgets
Wires the rate-limit primitive end-to-end through auth.signIn as the
canonical credential-stuffing defence example:
- manifest: rateLimit [ip 5/1m, account 10/1h] on signIn use case
- use case: rateLimit: IRateLimit dep; dual consume + TooManyRequestsError
- binders: ctx.rateLimit ?? new NoopRateLimit() in bind-production + bind-dev-seed
- tRPC: TooManyRequestsError → TOO_MANY_REQUESTS error code in authProcedure
- tests: RecordingRateLimit dual-consume assertion; InMemoryRateLimit
budget-1 ip + account rejection; coverage 100% on use-cases layer
- ESLint: _manifest-ast.js extractRateLimitNames handles RateLimitBudget
objects ({name,window,budget}) in addition to plain string literals,
no-undeclared-rate-limit passes on both "ip" and "account" call sites
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -5,15 +5,19 @@ import { MockUsersRepository } from "@/infrastructure/repositories/users.reposit
|
||||
import { MockAuthenticationService } from "@/infrastructure/services/authentication.service.mock";
|
||||
import { InputParseError } from "@/entities/errors/common";
|
||||
import { userFactory } from "@/__factories__/user.factory";
|
||||
import { NoopRateLimit } from "@repo/core-shared/rate-limit";
|
||||
|
||||
describe("signInController", () => {
|
||||
it("returns a cookie on successful sign-in", async () => {
|
||||
const users = new MockUsersRepository([]);
|
||||
const auth = new MockAuthenticationService(users);
|
||||
const seedUser = userFactory.build({ username: "alice", passwordHash: "hashed_testpassword" });
|
||||
const seedUser = userFactory.build({
|
||||
username: "alice",
|
||||
passwordHash: "hashed_testpassword",
|
||||
});
|
||||
await users.createUser(seedUser);
|
||||
|
||||
const useCase = signInUseCase(users, auth);
|
||||
const useCase = signInUseCase(users, auth, new NoopRateLimit());
|
||||
const controller = signInController(useCase);
|
||||
|
||||
const result = await controller({
|
||||
@@ -27,18 +31,22 @@ describe("signInController", () => {
|
||||
it("throws InputParseError on invalid input", async () => {
|
||||
const users = new MockUsersRepository([]);
|
||||
const auth = new MockAuthenticationService(users);
|
||||
const useCase = signInUseCase(users, auth);
|
||||
const useCase = signInUseCase(users, auth, new NoopRateLimit());
|
||||
const controller = signInController(useCase);
|
||||
|
||||
await expect(controller({ username: "ab" } as unknown)).rejects.toBeInstanceOf(InputParseError);
|
||||
await expect(
|
||||
controller({ username: "ab" } as unknown),
|
||||
).rejects.toBeInstanceOf(InputParseError);
|
||||
});
|
||||
|
||||
it("throws InputParseError when input is not an object", async () => {
|
||||
const users = new MockUsersRepository([]);
|
||||
const auth = new MockAuthenticationService(users);
|
||||
const useCase = signInUseCase(users, auth);
|
||||
const useCase = signInUseCase(users, auth, new NoopRateLimit());
|
||||
const controller = signInController(useCase);
|
||||
|
||||
await expect(controller("garbage" as unknown)).rejects.toBeInstanceOf(InputParseError);
|
||||
await expect(controller("garbage" as unknown)).rejects.toBeInstanceOf(
|
||||
InputParseError,
|
||||
);
|
||||
});
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user