mirror of
https://github.com/GSA/notifications-api.git
synced 2026-07-09 10:53:55 -04:00
Merge pull request #3189 from alphagov/reduce-concurrent-verify-codes
Reduce max concurrent 2 factor codes
This commit is contained in:
@@ -147,7 +147,8 @@ class Config(object):
|
||||
API_PAGE_SIZE = 250
|
||||
TEST_MESSAGE_FILENAME = 'Test message'
|
||||
ONE_OFF_MESSAGE_FILENAME = 'Report'
|
||||
MAX_VERIFY_CODE_COUNT = 10
|
||||
MAX_VERIFY_CODE_COUNT = 5
|
||||
MAX_FAILED_LOGIN_COUNT = 10
|
||||
|
||||
# be careful increasing this size without being sure that we won't see slowness in pysftp
|
||||
MAX_LETTER_PDF_ZIP_FILESIZE = 40 * 1024 * 1024 # 40mb
|
||||
|
||||
@@ -205,7 +205,7 @@ def verify_user_code(user_id):
|
||||
user_to_verify = get_user_by_id(user_id=user_id)
|
||||
|
||||
code = get_user_code(user_to_verify, data['code'], data['code_type'])
|
||||
if user_to_verify.failed_login_count >= current_app.config.get('MAX_VERIFY_CODE_COUNT'):
|
||||
if user_to_verify.failed_login_count >= current_app.config.get('MAX_FAILED_LOGIN_COUNT'):
|
||||
raise InvalidRequest("Code not found", status_code=404)
|
||||
if not code:
|
||||
# only relevant from sms
|
||||
|
||||
@@ -71,6 +71,31 @@ def test_user_verify_code_bad_code_and_increments_failed_login_count(client,
|
||||
assert User.query.get(sample_sms_code.user.id).failed_login_count == 1
|
||||
|
||||
|
||||
@pytest.mark.parametrize('failed_login_count, expected_status', (
|
||||
(9, 204),
|
||||
(10, 404),
|
||||
))
|
||||
def test_user_verify_code_rejects_good_code_if_too_many_failed_logins(
|
||||
client,
|
||||
sample_sms_code,
|
||||
failed_login_count,
|
||||
expected_status,
|
||||
):
|
||||
sample_sms_code.user.failed_login_count = failed_login_count
|
||||
resp = client.post(
|
||||
url_for('user.verify_user_code', user_id=sample_sms_code.user.id),
|
||||
data=json.dumps({
|
||||
'code_type': sample_sms_code.code_type,
|
||||
'code': sample_sms_code.txt_code,
|
||||
}),
|
||||
headers=[
|
||||
('Content-Type', 'application/json'),
|
||||
create_admin_authorization_header(),
|
||||
],
|
||||
)
|
||||
assert resp.status_code == expected_status
|
||||
|
||||
|
||||
@freeze_time('2020-04-01 12:00')
|
||||
@pytest.mark.parametrize('code_type', [EMAIL_TYPE, SMS_TYPE])
|
||||
def test_user_verify_code_expired_code_and_increments_failed_login_count(code_type, admin_request, sample_user):
|
||||
@@ -247,7 +272,7 @@ def test_send_sms_code_returns_404_for_bad_input_data(client):
|
||||
|
||||
|
||||
def test_send_sms_code_returns_204_when_too_many_codes_already_created(client, sample_user):
|
||||
for _ in range(10):
|
||||
for _ in range(5):
|
||||
verify_code = VerifyCode(
|
||||
code_type='sms',
|
||||
_code=12345,
|
||||
@@ -257,14 +282,14 @@ def test_send_sms_code_returns_204_when_too_many_codes_already_created(client, s
|
||||
)
|
||||
db.session.add(verify_code)
|
||||
db.session.commit()
|
||||
assert VerifyCode.query.count() == 10
|
||||
assert VerifyCode.query.count() == 5
|
||||
auth_header = create_admin_authorization_header()
|
||||
resp = client.post(
|
||||
url_for('user.send_user_2fa_code', code_type='sms', user_id=sample_user.id),
|
||||
data=json.dumps({}),
|
||||
headers=[('Content-Type', 'application/json'), auth_header])
|
||||
assert resp.status_code == 204
|
||||
assert VerifyCode.query.count() == 10
|
||||
assert VerifyCode.query.count() == 5
|
||||
|
||||
|
||||
def test_send_new_user_email_verification(client,
|
||||
|
||||
Reference in New Issue
Block a user