testing/rate_limiting.ts

Rate limiting integration test suite.

Verifies that sensitive routes (login, bootstrap, token creation) enforce rate limits when rate limiters are enabled. Tests create a tight rate limiter (2 attempts / 1 minute) and fire requests until 429 is returned.

Consumers call describe_rate_limiting_tests with their route factory and session config — rate limit enforcement tests come for free.

Declarations

2 declarations


describe_rate_limiting_tests

(options: RateLimitingTestOptions): void

Standard rate limiting integration test suite.

Creates 3 test groups:

1. IP rate limiting on login: fires max_attempts + 1 login requests, verifies the last returns 429 with a valid RateLimitError body.
2. Per-account rate limiting on login: fires max_attempts + 1 login requests with the same username, verifies the last returns 429.
3. Bearer auth IP rate limiting: fires max_attempts + 1 bearer requests with an invalid token, verifies the last returns 429.

Each test group asserts that required routes exist, failing with a descriptive message if the consumer's route specs are misconfigured.

options

session config and route factory

returns

void
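
As an added illustration (not code from this library), the self-contained TypeScript model below shows the behavior the first two test groups check: max_attempts + 1 login requests that share an IP, or share a username across different IPs, end in 429. The limiter, handler, helper names and sample requests are hypothetical and constructed for the example.

```typescript
// Added illustration: a self-contained model, not this library's implementation.
// All names below (create_limiter, create_login_handler, fire) are hypothetical.
type Limiter = (key: string, now: number) => boolean;

// Fixed-window limiter: allows max_attempts hits per key per window_ms.
function create_limiter(max_attempts: number, window_ms: number): Limiter {
  const windows = new Map<string, { start: number; count: number }>();
  return (key, now) => {
    const w = windows.get(key);
    if (!w || now - w.start >= window_ms) {
      windows.set(key, { start: now, count: 1 });
      return true;
    }
    w.count += 1;
    return w.count <= max_attempts;
  };
}

type Attempt = { ip: string; username: string; at: number };

// Login handler that consults both limiters before checking credentials, so
// failed attempts consume budget. Every attempt here carries a wrong password,
// which is why the non-limited status is always 401.
function create_login_handler(max_attempts: number, window_ms: number) {
  const by_ip = create_limiter(max_attempts, window_ms);
  const by_account = create_limiter(max_attempts, window_ms);
  return (a: Attempt): number => {
    const ip_ok = by_ip(a.ip, a.at);
    const account_ok = by_account(a.username.toLowerCase(), a.at);
    return ip_ok && account_ok ? 401 : 429;
  };
}

// Fire attempts against a fresh handler and collect the status codes.
function fire(attempts: Attempt[], max_attempts = 2, window_ms = 60000): number[] {
  const handle = create_login_handler(max_attempts, window_ms);
  return attempts.map((a) => handle(a));
}

// Constructed sample inputs (max_attempts + 1 requests each, timestamps in ms).
const same_ip: Attempt[] = ['u1', 'u2', 'u3']
  .map((username, i) => ({ ip: '203.0.113.7', username, at: i }));
const same_account: Attempt[] = ['198.51.100.1', '198.51.100.2', '198.51.100.3']
  .map((ip, i) => ({ ip, username: 'alice', at: i }));
const unrelated: Attempt[] = [1, 2, 3]
  .map((n) => ({ ip: `192.0.2.${n}`, username: `user${n}`, at: n }));
const after_window: Attempt[] = [...same_ip, { ip: '203.0.113.7', username: 'u4', at: 60000 }];
```

The `unrelated` case is the control: a limiter that keys on a constant instead of the IP or username would also return 429 there, which the same-IP and same-account cases alone would not reveal.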

RateLimitingTestOptions

RateLimitingTestOptions

Configuration for describe_rate_limiting_tests.

session_options

Session config for cookie-based auth.

type SessionOptions<string>

create_route_specs

Route spec factory — same one used in production.

type (ctx: AppServerContext) => Array<RouteSpec>

app_options

Optional overrides for AppServerOptions.

type Partial<Omit<AppServerOptions, 'backend' | 'session_options' | 'create_route_specs'>>

db_factories

Database factories to run tests against. Default: pglite only.

type Array<DbFactory>

max_attempts

Maximum attempts before rate limiting kicks in. Default: 2 (tight limit for fast tests).

type number
