Skip to content

test(middleware): add integration tests for rate-limiter spoofing prevention#6686

Merged
JhaSourav07 merged 2 commits into
JhaSourav07:mainfrom
dinesh9997:feat/add-rate-limiter-spoof-tests
Jun 28, 2026
Merged

test(middleware): add integration tests for rate-limiter spoofing prevention#6686
JhaSourav07 merged 2 commits into
JhaSourav07:mainfrom
dinesh9997:feat/add-rate-limiter-spoof-tests

Conversation

@dinesh9997

Copy link
Copy Markdown
Contributor

Description

Resolves #6039

This PR adds a comprehensive integration test suite to verify the rate-limiting middleware's request spoofing prevention checks. Rather than testing with fully mocked responses, these tests run under realistic HTTP request flows using the actual rate-limiting cache layer to ensure rate limits cannot be bypassed by manipulating the X-Forwarded-For or X-Real-IP headers.

Summary of Changes

  • Conditional Mock Bypass in middleware.test.ts:
    • Updated the top-level vi.mock for @/lib/rate-limit to support a useRealRateLimit flag.
    • When useRealRateLimit = true, the mocks dynamically delegate to the actual rateLimit and getRateLimitHeaders implementations.
    • Standardized mock resets to prevent mock bleeding between unit and integration test blocks.
  • Added Integration Scenarios:
    • Scenario 1 (Default - No trusted proxies): Verifies that client-supplied X-Forwarded-For headers are ignored when no trust is established, and the rate limit applies strictly to the default connection IP. Rotating spoofed headers does not bypass the rate limit.
    • Scenario 2 (Wildcard trust - TRUSTED_PROXIES=* / VERCEL=1): Verifies that the leftmost IP in X-Forwarded-For is resolved as the client IP, and rate-limiting is enforced on it accordingly.
    • Scenario 3 (Custom trusted proxies): Verifies that headers are rejected and resolved to the default IP when no direct peer socket IP is established.
  • State Isolation:
    • Integrated vi.useFakeTimers with a progressive test time advancement (120,000ms forward before each test) to ensure the local rate-limiter cache expires naturally between test runs.

Testing & Verification

All unit and new integration tests pass successfully:

npx vitest run middleware.test.ts
npx eslint middleware.test.ts
npx prettier --check middleware.test.ts

Copilot AI review requested due to automatic review settings June 26, 2026 15:57
@vercel

vercel Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

@dinesh9997 is attempting to deploy a commit to the jhasourav07's projects Team on Vercel.

A member of the Team first needs to authorize it.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@github-actions github-actions Bot added the status:blocked This PR is blocked due to a failing CI check. label Jun 26, 2026
@github-actions github-actions Bot removed the status:blocked This PR is blocked due to a failing CI check. label Jun 26, 2026
@github-actions

Copy link
Copy Markdown
Contributor

📦 Next.js Bundle Size Report (Gzipped Sizes)

✨ No significant bundle size changes detected.

📊 Summary of Totals

Category PR Size Base Size Difference
Total JS 3914.83 KB 3914.83 KB 0 B
Total CSS 319.21 KB 319.21 KB 0 B

@Aamod007 Aamod007 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello! Thanks for this detailed testing PR. I love the rigor here—testing these rate-limiter spoofing scenarios is crucial for our API security.

I'm assigning level:intermediate because this involves some advanced Vitest mocking (like �i.hoisted) and complex proxy scenarios. I'm also adding quality:exceptional because these tests are extremely well-documented and cover all the edge cases perfectly! Since this directly impacts our test coverage and security guarantees, I'm adding ype:testing and ype:security as well.

Awesome work locking this down!

@Aamod007 Aamod007 added level:intermediate Moderate complexity tasks quality:exceptional Outstanding contribution with exceptional implementation quality, testing. type:testing Adding, updating, or fixing tests type:security Security fixes, dependency updates, or hardening mentor:Aamod007 labels Jun 27, 2026
@JhaSourav07 JhaSourav07 added the gssoc:approved PR has been reviewed and accepted for valid contribution points label Jun 28, 2026
@JhaSourav07
JhaSourav07 merged commit c5b4799 into JhaSourav07:main Jun 28, 2026
10 of 11 checks passed
@github-actions

Copy link
Copy Markdown
Contributor

🎉 Congratulations @dinesh9997! Your PR has been successfully merged. 🚀

Thank you for contributing to CommitPulse. Your work helps us build a better tool for the community.

⚠️ Important for GSSoC Contributors:
You are strictly advised to join our Discord Server as it is mandatory for all GSSoC participants. All important announcements, point claims, and community discussions happen there.

Keep building! 💻✨

@github-actions github-actions Bot added this to the GSSoC 2026 milestone Jun 28, 2026
MasterJi27 pushed a commit to MasterJi27/commitpulse that referenced this pull request Jul 4, 2026
…ing prevention (JhaSourav07#6686)

## Description
Resolves JhaSourav07#6039 

This PR adds a comprehensive integration test suite to verify the
rate-limiting middleware's request spoofing prevention checks. Rather
than testing with fully mocked responses, these tests run under
realistic HTTP request flows using the actual rate-limiting cache layer
to ensure rate limits cannot be bypassed by manipulating the
`X-Forwarded-For` or `X-Real-IP` headers.

## Summary of Changes
- **Conditional Mock Bypass in
[middleware.test.ts](file:///c:/Users/gsspa/OneDrive/Desktop/Gssoc%20project/CommitPulse/middleware.test.ts):**
- Updated the top-level `vi.mock` for `@/lib/rate-limit` to support a
`useRealRateLimit` flag.
- When `useRealRateLimit = true`, the mocks dynamically delegate to the
actual `rateLimit` and `getRateLimitHeaders` implementations.
- Standardized mock resets to prevent mock bleeding between unit and
integration test blocks.
- **Added Integration Scenarios:**
- **Scenario 1 (Default - No trusted proxies):** Verifies that
client-supplied `X-Forwarded-For` headers are ignored when no trust is
established, and the rate limit applies strictly to the default
connection IP. Rotating spoofed headers does not bypass the rate limit.
- **Scenario 2 (Wildcard trust - `TRUSTED_PROXIES=*` / `VERCEL=1`):**
Verifies that the leftmost IP in `X-Forwarded-For` is resolved as the
client IP, and rate-limiting is enforced on it accordingly.
- **Scenario 3 (Custom trusted proxies):** Verifies that headers are
rejected and resolved to the default IP when no direct peer socket IP is
established.
- **State Isolation:**
- Integrated `vi.useFakeTimers` with a progressive test time advancement
(`120,000ms` forward before each test) to ensure the local rate-limiter
cache expires naturally between test runs.

## Testing & Verification
All unit and new integration tests pass successfully:
```bash
npx vitest run middleware.test.ts
npx eslint middleware.test.ts
npx prettier --check middleware.test.ts
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gssoc:approved PR has been reviewed and accepted for valid contribution points level:intermediate Moderate complexity tasks mentor:Aamod007 quality:exceptional Outstanding contribution with exceptional implementation quality, testing. type:security Security fixes, dependency updates, or hardening type:testing Adding, updating, or fixing tests

Projects

None yet

Development

Successfully merging this pull request may close these issues.

bug : add integration tests to verify rate-limiter spoofing prevention

4 participants