POS: Fix throttling for unauthenticated users

Fixes a regression introduced with d24adda700: The negation for the `_rateLimitService.Throttle` result was removed with that commit, which led to all unauthenticated requests getting throttled. (It was correctly implemented in #6415.)

Fixes btcpayserver/app#131.
Dennis Reimann
2024-12-09 17:40:29 +01:00
parent 1214367503
commit 4d38f91bd5
2 changed files with 13 additions and 3 deletions


@@ -2903,6 +2903,16 @@ namespace BTCPayServer.Tests
// Unauthenticated user can't access recent transactions
s.GoToUrl(keypadUrl);
s.Driver.ElementDoesNotExist(By.Id("RecentTransactionsToggle"));
// But they can generate invoices
s.Driver.FindElement(By.CssSelector(".keypad [data-key='1']")).Click();
s.Driver.FindElement(By.CssSelector(".keypad [data-key='2']")).Click();
s.Driver.FindElement(By.CssSelector(".keypad [data-key='3']")).Click();
s.Driver.FindElement(By.Id("pay-button")).Click();
s.Driver.WaitUntilAvailable(By.Id("Checkout"));
s.Driver.FindElement(By.Id("DetailsToggle")).Click();
s.Driver.WaitForElement(By.Id("PaymentDetails-TotalFiat"));
Assert.Contains("1,23 €", s.Driver.FindElement(By.Id("PaymentDetails-TotalFiat")).Text);
}
[Fact]
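Review bot: The added steps only establish that an unauthenticated visitor can create one invoice (the "pay-button" click through the "PaymentDetails-TotalFiat" assertion), so a regression in the opposite direction — the public-invoice limiter never triggering — would still pass this test. If no other test covers it, consider a follow-up in this test that repeats the keypad/pay flow past the `ZoneLimits.PublicInvoices` limit and asserts the too-many-requests response, so both halves of the throttle contract are pinned. The enclosing test method starts before this hunk, so the fixture setup it relies on is not visible here.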


@@ -430,9 +430,9 @@ namespace BTCPayServer.Plugins.PointOfSale.Controllers
}
private async Task<bool> Throttle(string appId) =>
!(await _authorizationService.AuthorizeAsync(HttpContext.User, appId, Policies.CanViewInvoices)).Succeeded &&
HttpContext.Connection is { RemoteIpAddress: { } addr } &&
await _rateLimitService.Throttle(ZoneLimits.PublicInvoices, addr.ToString(), HttpContext.RequestAborted) &&
!(await _authorizationService.AuthorizeAsync(HttpContext.User, appId, Policies.CanViewInvoices)).Succeeded;
!await _rateLimitService.Throttle(ZoneLimits.PublicInvoices, addr.ToString(), HttpContext.RequestAborted);
private JObject TryParseJObject(string posData)
{
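Review bot: The two `Throttle` names in this expression body carry opposite meanings — per the commit description `_rateLimitService.Throttle` returns true while the request is still within its quota, whereas this controller method returns true when the request must be rejected — and the negation that went missing in d24adda700 is exactly that trap, so a one-line comment above the expression would make the contract explicit, e.g. `// True when the request must be rejected: the rate-limit service returns true while the caller is within quota, hence the negation.` Also note that the `HttpContext.Connection is { RemoteIpAddress: { } addr }` clause makes the whole expression false when the source address is unknown, so an unauthenticated request without a resolvable remote IP is never rate-limited; whether that can happen presumably depends on the proxy/forwarded-header setup, but it is worth deciding explicitly whether that case should fail closed. The surrounding class continues outside this hunk.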