From 4850da6f56ebd4e2bb0656755a88d35a8ea1e2ec Mon Sep 17 00:00:00 2001
From: Gani Georgiev
Date: Fri, 1 May 2026 19:32:00 +0300
Subject: [PATCH] adjusted flaky test

---
 .github/SECURITY.md | 2 +-
 apis/middlewares_rate_limit_test.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/SECURITY.md b/.github/SECURITY.md
index 77abbe3b..43226b5e 100644
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
@@ -77,7 +77,7 @@ If someone is able to tamper with the OAuth2 responses then the entire OAuth2 fl
 This is a common and usually valid report but there is no easy solution without confusing and degrading the users experience.
-Some endpoints, like the user create/register, can be used for username or emails enumeration based on various response heuristics - timing, specific error messages, etc.
+Some endpoints, like the user create/register, can be used for usernames or emails enumeration based on various response heuristics - timing, specific error messages, etc.
 In many places where applicable we've tried to minimize the impact by using constant time checks, returning non-descriptive error messages, applying an internal rate limit for some operations, etc. but it is not bulletproof and if somebody wants to find out if a user is registered they will be able to do it one way or another.
diff --git a/apis/middlewares_rate_limit_test.go b/apis/middlewares_rate_limit_test.go
index cf4f3d00..307d8a9e 100644
--- a/apis/middlewares_rate_limit_test.go
+++ b/apis/middlewares_rate_limit_test.go
@@ -86,8 +86,8 @@ func TestDefaultRateLimitMiddleware(t *testing.T) {
 {"/rate/a", 0, false, 200},
 {"/rate/a", 800, false, 200},
 // (fixed window check) wait enough to ensure that it can't fit more than 2 requests in 1s
- {"/rate/a", 500, false, 200},
- {"/rate/a", 800, false, 200},
+ {"/rate/a", 600, false, 200},
+ {"/rate/a", 850, false, 200},
 {"/rate/a", 0, false, 200},
 {"/rate/a", 0, false, 429},
 {"/rate/a", 0, false, 429},
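Review bot: The two retuned delays on the `+` lines (600 and 850 ms) keep the fixed-window check tied to wall-clock sleeps, so the later 429 assertions can still drift on a loaded CI runner; the bump widens the margin rather than removing the race. The comment above them only says "wait enough", so the next reader cannot tell why these particular values were chosen or how close to the 1s window they sit — I'd extend it to something like `// delays tuned so the earlier requests have left the fixed 1s window before the next burst — TODO: derive from the configured window instead of fixed ms`. Because this test is the guard for the rate limiter that SECURITY.md cites as an enumeration mitigation, a genuine enforcement regression here would look identical to flakiness; if the limiter can take an injectable clock (not visible in this hunk), a deterministic time source would make the window boundary exact. TestDefaultRateLimitMiddleware starts and ends outside the hunk.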