diff --git a/app/controllers/join_codes_controller.rb b/app/controllers/join_codes_controller.rb index 8bd67c9dc..f2ec2588c 100644 --- a/app/controllers/join_codes_controller.rb +++ b/app/controllers/join_codes_controller.rb @@ -1,5 +1,6 @@ class JoinCodesController < ApplicationController allow_unauthenticated_access + rate_limit to: 10, within: 3.minutes, only: :create, with: -> { head :too_many_requests } before_action :set_join_code before_action :ensure_join_code_is_valid diff --git a/test/controllers/join_codes_controller_test.rb b/test/controllers/join_codes_controller_test.rb index 415bde3e5..81a4ea6ea 100644 --- a/test/controllers/join_codes_controller_test.rb +++ b/test/controllers/join_codes_controller_test.rb @@ -94,4 +94,12 @@ class JoinCodesControllerTest < ActionDispatch::IntegrationTest assert_response :unprocessable_entity end end + + test "create is rate limited" do + Rails.cache.stubs(:increment).returns(11) + + post join_path(code: @join_code.code, script_name: @account.slug), params: { email_address: "test@example.com" } + + assert_response :too_many_requests + end end