Maybe/test/services/api_rate_limiter_test.rb

require "test_helper"

class ApiRateLimiterTest < ActiveSupport::TestCase
  setup do
    @user = users(:family_admin)
    # Destroy any existing active API keys for this user
    @user.api_keys.active.destroy_all

    @api_key = ApiKey.create!(
      user: @user,
      name: "Rate Limiter Test Key",
      scopes: [ "read" ],
      display_key: "rate_limiter_test_#{SecureRandom.hex(8)}"
    )
    @rate_limiter = ApiRateLimiter.new(@api_key)

    # Clear any existing rate limit data
    Redis.new.del("api_rate_limit:#{@api_key.id}")
  end

  teardown do
    # Clean up Redis data after each test
    Redis.new.del("api_rate_limit:#{@api_key.id}")
  end

  test "should have default rate limit" do
    assert_equal 100, @rate_limiter.rate_limit
  end

  test "should start with zero request count" do
    assert_equal 0, @rate_limiter.current_count
  end

  test "should not be rate limited initially" do
    assert_not @rate_limiter.rate_limit_exceeded?
  end

  test "should increment request count" do
    assert_equal 0, @rate_limiter.current_count

    @rate_limiter.increment_request_count!
    assert_equal 1, @rate_limiter.current_count

    @rate_limiter.increment_request_count!
    assert_equal 2, @rate_limiter.current_count
  end

  test "should be rate limited when exceeding limit" do
    # Simulate reaching the rate limit
    100.times { @rate_limiter.increment_request_count! }

    assert_equal 100, @rate_limiter.current_count
    assert @rate_limiter.rate_limit_exceeded?
  end

  test "should provide correct usage info" do
    5.times { @rate_limiter.increment_request_count! }

    usage_info = @rate_limiter.usage_info

    assert_equal 5, usage_info[:current_count]
    assert_equal 100, usage_info[:rate_limit]
    assert_equal 95, usage_info[:remaining]
    assert_equal :standard, usage_info[:tier]
    assert usage_info[:reset_time] > 0
    assert usage_info[:reset_time] <= 3600
  end

  test "should calculate remaining requests correctly" do
    10.times { @rate_limiter.increment_request_count! }

    usage_info = @rate_limiter.usage_info
    assert_equal 90, usage_info[:remaining]
  end

  test "should have zero remaining when at limit" do
    100.times { @rate_limiter.increment_request_count! }

    usage_info = @rate_limiter.usage_info
    assert_equal 0, usage_info[:remaining]
  end

  test "should have zero remaining when over limit" do
    105.times { @rate_limiter.increment_request_count! }

    usage_info = @rate_limiter.usage_info
    assert_equal 0, usage_info[:remaining]
  end

  test "class method usage_for should work without incrementing" do
    5.times { @rate_limiter.increment_request_count! }

    usage_info = ApiRateLimiter.usage_for(@api_key)
    assert_equal 5, usage_info[:current_count]

    # Should not increment when just checking usage
    usage_info_again = ApiRateLimiter.usage_for(@api_key)
    assert_equal 5, usage_info_again[:current_count]
  end

  test "should handle multiple API keys separately" do
    # Create a different user for the second API key
    other_user = users(:family_member)
    other_api_key = ApiKey.create!(
      user: other_user,
      name: "Other API Key",
      scopes: [ "read_write" ],
      display_key: "rate_limiter_other_#{SecureRandom.hex(8)}"
    )

    other_rate_limiter = ApiRateLimiter.new(other_api_key)

    @rate_limiter.increment_request_count!
    other_rate_limiter.increment_request_count!
    other_rate_limiter.increment_request_count!

    assert_equal 1, @rate_limiter.current_count
    assert_equal 2, other_rate_limiter.current_count
  ensure
    Redis.new.del("api_rate_limit:#{other_api_key.id}")
    other_api_key.destroy
  end

  test "should calculate reset time correctly" do
    reset_time = @rate_limiter.reset_time

    # Reset time should be within the current hour
    assert reset_time > 0
    assert reset_time <= 3600

    # Should be roughly the time until the next hour
    current_time = Time.current.to_i
    next_window = ((current_time / 3600) + 1) * 3600
    expected_reset = next_window - current_time

    assert_in_delta expected_reset, reset_time, 1
  end
end
Add comprehensive API v1 with OAuth and API key authentication (#2389) * OAuth * Add API test routes and update Doorkeeper token handling for test environment - Introduced API namespace with test routes for controller testing in the test environment. - Updated Doorkeeper configuration to allow fallback to plain tokens in the test environment for easier testing. - Modified schema to change resource_owner_id type from bigint to string. * Implement API key authentication and enhance access control - Replaced Doorkeeper OAuth authentication with a custom method supporting both OAuth and API keys in the BaseController. - Added methods for API key authentication, including validation and logging. - Introduced scope-based authorization for API keys in the TestController. - Updated routes to include API key management endpoints. - Enhanced logging for API access to include authentication method details. - Added tests for API key functionality, including validation, scope checks, and access control enforcement. * Add API key rate limiting and usage tracking - Implemented rate limiting for API key authentication in BaseController. - Added methods to check rate limits, render appropriate responses, and include rate limit headers in responses. - Updated routes to include a new usage resource for tracking API usage. - Enhanced tests to verify rate limit functionality, including exceeding limits and per-key tracking. - Cleaned up Redis data in tests to ensure isolation between test cases. * Add Jbuilder for JSON rendering and refactor AccountsController - Added Jbuilder gem for improved JSON response handling. - Refactored index action in AccountsController to utilize Jbuilder for rendering JSON. - Removed manual serialization of accounts and streamlined response structure. - Implemented a before_action in BaseController to enforce JSON format for all API requests. * Add transactions resource to API routes - Added routes for transactions, allowing index, show, create, update, and destroy actions. - This enhancement supports comprehensive transaction management within the API. * Enhance API authentication and onboarding handling - Updated BaseController to skip onboarding requirements for API endpoints and added manual token verification for OAuth authentication. - Improved error handling and logging for invalid access tokens. - Introduced a method to set up the current context for API requests, ensuring compatibility with session-like behavior. - Excluded API paths from onboarding redirects in the Onboardable concern. - Updated database schema to change resource_owner_id type from bigint to string for OAuth access grants. * Fix rubocop offenses - Fix indentation and spacing issues - Convert single quotes to double quotes - Add spaces inside array brackets - Fix comment alignment - Add missing trailing newlines - Correct else/end alignment 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix API test failures and improve test reliability - Fix ApiRateLimiterTest by removing mock users method and using fixtures - Fix UsageControllerTest by removing mock users method and using fixtures - Fix BaseControllerTest by using different users for multiple API keys - Use unique display_key values with SecureRandom to avoid conflicts - Fix double render issue in UsageController by returning after authorize_scope\! - Specify controller name in routes for usage resource - Remove trailing whitespace and empty lines per Rubocop All tests now pass and linting is clean. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Add API transactions controller warning to brakeman ignore The account_id parameter in the API transactions controller is properly validated on line 79: family.accounts.find(transaction_params[:account_id]) This ensures users can only create transactions in accounts belonging to their family, making this a false positive. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Signed-off-by: Josh Pigford <josh@joshpigford.com> Co-authored-by: Claude <noreply@anthropic.com> 2025-06-17 15:57:05 -05:00			`require "test_helper"`

			`class ApiRateLimiterTest < ActiveSupport::TestCase`
			`setup do`
			`@user = users(:family_admin)`
			`# Destroy any existing active API keys for this user`
			`@user.api_keys.active.destroy_all`

			`@api_key = ApiKey.create!(`
			`user: @user,`
			`name: "Rate Limiter Test Key",`
			`scopes: [ "read" ],`
			`display_key: "rate_limiter_test_#{SecureRandom.hex(8)}"`
			`)`
			`@rate_limiter = ApiRateLimiter.new(@api_key)`

			`# Clear any existing rate limit data`
			`Redis.new.del("api_rate_limit:#{@api_key.id}")`
			`end`

			`teardown do`
			`# Clean up Redis data after each test`
			`Redis.new.del("api_rate_limit:#{@api_key.id}")`
			`end`

			`test "should have default rate limit" do`
			`assert_equal 100, @rate_limiter.rate_limit`
			`end`

			`test "should start with zero request count" do`
			`assert_equal 0, @rate_limiter.current_count`
			`end`

			`test "should not be rate limited initially" do`
			`assert_not @rate_limiter.rate_limit_exceeded?`
			`end`

			`test "should increment request count" do`
			`assert_equal 0, @rate_limiter.current_count`

			`@rate_limiter.increment_request_count!`
			`assert_equal 1, @rate_limiter.current_count`

			`@rate_limiter.increment_request_count!`
			`assert_equal 2, @rate_limiter.current_count`
			`end`

			`test "should be rate limited when exceeding limit" do`
			`# Simulate reaching the rate limit`
			`100.times { @rate_limiter.increment_request_count! }`

			`assert_equal 100, @rate_limiter.current_count`
			`assert @rate_limiter.rate_limit_exceeded?`
			`end`

			`test "should provide correct usage info" do`
			`5.times { @rate_limiter.increment_request_count! }`

			`usage_info = @rate_limiter.usage_info`

			`assert_equal 5, usage_info[:current_count]`
			`assert_equal 100, usage_info[:rate_limit]`
			`assert_equal 95, usage_info[:remaining]`
			`assert_equal :standard, usage_info[:tier]`
			`assert usage_info[:reset_time] > 0`
			`assert usage_info[:reset_time] <= 3600`
			`end`

			`test "should calculate remaining requests correctly" do`
			`10.times { @rate_limiter.increment_request_count! }`

			`usage_info = @rate_limiter.usage_info`
			`assert_equal 90, usage_info[:remaining]`
			`end`

			`test "should have zero remaining when at limit" do`
			`100.times { @rate_limiter.increment_request_count! }`

			`usage_info = @rate_limiter.usage_info`
			`assert_equal 0, usage_info[:remaining]`
			`end`

			`test "should have zero remaining when over limit" do`
			`105.times { @rate_limiter.increment_request_count! }`

			`usage_info = @rate_limiter.usage_info`
			`assert_equal 0, usage_info[:remaining]`
			`end`

			`test "class method usage_for should work without incrementing" do`
			`5.times { @rate_limiter.increment_request_count! }`

			`usage_info = ApiRateLimiter.usage_for(@api_key)`
			`assert_equal 5, usage_info[:current_count]`

			`# Should not increment when just checking usage`
			`usage_info_again = ApiRateLimiter.usage_for(@api_key)`
			`assert_equal 5, usage_info_again[:current_count]`
			`end`

			`test "should handle multiple API keys separately" do`
			`# Create a different user for the second API key`
			`other_user = users(:family_member)`
			`other_api_key = ApiKey.create!(`
			`user: other_user,`
			`name: "Other API Key",`
			`scopes: [ "read_write" ],`
			`display_key: "rate_limiter_other_#{SecureRandom.hex(8)}"`
			`)`

			`other_rate_limiter = ApiRateLimiter.new(other_api_key)`

			`@rate_limiter.increment_request_count!`
			`other_rate_limiter.increment_request_count!`
			`other_rate_limiter.increment_request_count!`

			`assert_equal 1, @rate_limiter.current_count`
			`assert_equal 2, other_rate_limiter.current_count`
			`ensure`
			`Redis.new.del("api_rate_limit:#{other_api_key.id}")`
			`other_api_key.destroy`
			`end`

			`test "should calculate reset time correctly" do`
			`reset_time = @rate_limiter.reset_time`

			`# Reset time should be within the current hour`
			`assert reset_time > 0`
			`assert reset_time <= 3600`

			`# Should be roughly the time until the next hour`
			`current_time = Time.current.to_i`
			`next_window = ((current_time / 3600) + 1) * 3600`
			`expected_reset = next_window - current_time`

			`assert_in_delta expected_reset, reset_time, 1`
			`end`
			`end`