From 7f13204c30cd32004cce9a62509134f0c40150f2 Mon Sep 17 00:00:00 2001
From: Jonathan Rochkind
Date: Tue, 25 Feb 2025 12:50:06 -0500
Subject: [PATCH] test for filter with immediate
---
 .../enforce_immediate_filter_spec.rb | 40 +++++++++++++++++++
 .../controllers/dummy_immediate_controller.rb | 8 ++++
 spec/dummy/config/routes.rb | 1 +
 3 files changed, 49 insertions(+)
 create mode 100644 spec/controllers/enforce_immediate_filter_spec.rb
 create mode 100644 spec/dummy/app/controllers/dummy_immediate_controller.rb
diff --git a/spec/controllers/enforce_immediate_filter_spec.rb b/spec/controllers/enforce_immediate_filter_spec.rb
new file mode 100644
index 0000000..f48d6cb
--- /dev/null
+++ b/spec/controllers/enforce_immediate_filter_spec.rb
@@ -0,0 +1,40 @@
+require 'rails_helper'
+
+# We spec that the BotDetect filter is actually applying protection, as well as exempting what
+# we want
+describe DummyImmediateController, type: :controller do
+
+  # enable functionality, and reset config to fresh after any further changes
+  around(:each) do |example|
+    orig_config = BotChallengePage::BotChallengePageController.bot_challenge_config.dup
+    BotChallengePage::BotChallengePageController.bot_challenge_config.enabled = true
+
+    example.run
+
+    # reset config and rack-attack back to orig config
+    BotChallengePage::BotChallengePageController.bot_challenge_config = orig_config
+    BotChallengePage::BotChallengePageController.rack_attack_init
+  end
+
+  describe "when rack key requests bot challenge on protected controller" do
+    it "redirects even with no ENV request" do
+      get :index
+
+      expect(response).to have_http_status(307)
+      expect(response).to redirect_to(bot_detect_challenge_path(dest: dummy_immediate_path))
+    end
+
+    # we configured this to try to exempt fetch/ajax to #facet
+    it "does not redirect if we have stored a pass in session" do
+      request.session[BotChallengePage::BotChallengePageController.bot_challenge_config.session_passed_key] = {
+        BotChallengePage::BotChallengePageController::SESSION_DATETIME_KEY => Time.now.utc.iso8601,
+        BotChallengePage::BotChallengePageController::SESSION_IP_KEY => request.remote_ip
+      }
+
+      get :index
+
+      expect(response).to have_http_status(:success) # not a redirect
+      expect(response.body).to include "rendered action"
+    end
+  end
+end
diff --git a/spec/dummy/app/controllers/dummy_immediate_controller.rb b/spec/dummy/app/controllers/dummy_immediate_controller.rb
new file mode 100644
index 0000000..078bf0a
--- /dev/null
+++ b/spec/dummy/app/controllers/dummy_immediate_controller.rb
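Review bot: The comment above the second example, `# we configured this to try to exempt fetch/ajax to #facet`, does not describe the example under it (which seeds a session pass and expects a 200) and reads as copied from another spec; replace it with `# a valid pass stored in session (timestamp + client IP) must let the request through`. The spec also only proves that a freshly minted pass for the current remote_ip is honoured; since the pass stores SESSION_DATETIME_KEY and SESSION_IP_KEY, two negative examples would pin the binding the filter presumably enforces: a pass with a stale timestamp, and one whose SESSION_IP_KEY differs from request.remote_ip, should each still receive the 307 redirect. The example name `redirects even with no ENV request` is hard to read; something like `redirects without any rack-attack match flagged in the request env` would state what immediate: true changes, if that is indeed the intent.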
@@ -0,0 +1,8 @@
+class DummyImmediateController < ApplicationController
+  # with immediate:true
+  before_action { |controller| BotChallengePage::BotChallengePageController.bot_challenge_enforce_filter(controller, immediate: true) }
+
+  def index
+    render plain: "rendered action dummy"
+  end
+end
diff --git a/spec/dummy/config/routes.rb b/spec/dummy/config/routes.rb
index 7c3c361..18222b3 100644
--- a/spec/dummy/config/routes.rb
+++ b/spec/dummy/config/routes.rb
@@ -17,4 +17,5 @@ post "/challenge", to: "bot_challenge_page/bot_challenge_page#verify_challenge" get "/dummy", to: "dummy#index", as: :dummy + get "/dummy_immediate", to: "dummy_immediate#index", as: :dummy_immediate end
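Review bot: The comment `# with immediate:true` on the before_action only restates the argument, not why this dummy controller exists; `# Dummy controller whose before_action runs the bot-challenge filter with immediate: true, so the challenge is enforced on every request rather than only after a rack-attack rule has flagged it — exercised by spec/controllers/enforce_immediate_filter_spec.rb` would let a reader place it, assuming that is what immediate: true means (the filter implementation is not in this patch). The rendered body `"rendered action dummy"` is what the spec matches with `include "rendered action"`; if the existing DummyController renders the same text, `render plain: "rendered action dummy_immediate"` would make a mis-routed request fail the assertion instead of passing by accident.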