test(auth): 测试号豁免发码限流的回归测试

锁定「测试号(.env TEST_ACCOUNT_PHONE)不受 /sms/send 设备限流约束」——
防有人把发码限流挪到测试账号 early-return 之前,把 QA 联调也风控了。

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
zzhyyyyy
2026-06-26 12:40:58 +08:00
parent 9ff91b81ee
commit 5b74a8507d
+23
View File
@@ -167,6 +167,29 @@ def test_exempt_from_device_ip_login_rate_limit(client, enabled, monkeypatch) ->
)
def test_exempt_from_device_ip_send_rate_limit(client, enabled, monkeypatch) -> None:
"""测试号豁免 (设备+IP) 每小时**发码**限流(与登录那道同样靠早返回豁免)。
普通设备同设备到 SMS_SEND_MAX_PER_HOUR_PER_DEVICE 次发码即被拦(见 test_auth.test_sms_send_device_ip_rate_limit);
测试号发码本就短路(不真发)、且在限流之前早返回 → 同一设备连发远超上限仍全 200。
回归用:防有人把发码限流挪到测试账号 early-return 之前而把 QA 联调也风控了。"""
from app.api.v1 import auth
from app.core import ratelimit
monkeypatch.setattr(ratelimit.settings, "RATE_LIMIT_ENABLED", True)
monkeypatch.setattr(auth, "SMS_SEND_MAX_PER_HOUR_PER_DEVICE", 2) # 调小:不豁免的话第 3 次就该被拦
ratelimit._buckets.clear()
for i in range(auth.SMS_SEND_MAX_PER_HOUR_PER_DEVICE + 2):
r = client.post(
"/api/v1/auth/sms/send",
json={"phone": TEST_PHONE, "device_id": "dev-test-send"},
)
assert r.status_code == 200, (
f"测试号第 {i + 1} 次发码应放行(豁免每小时限流),实际 {r.status_code}: {r.text}"
)
# ============================ 计数单元逻辑 ============================
def test_quota_resets_across_day(enabled, monkeypatch) -> None: