Adriano/TieMeasureFlow
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
86df67f2e5cc903dca55f4974ecf222212e77f32
TieMeasureFlow/client/tests/test_api_client_proxy.py
T
Adriano 86df67f2e5 perf: scale workers + per-tablet rate limiting for 20 concurrent users 
The default 2-worker gunicorn could only serve 2 concurrent tablet requests,
queueing the rest, and the rate limiter saw every tablet as the same Nginx
container IP, so 20 users would have collectively burned through the
100 req/min general bucket.

- gunicorn: 5 workers x 4 gthread, --forwarded-allow-ips=*, access log
- uvicorn: 4 workers, --proxy-headers, --forwarded-allow-ips=*
- RateLimitMiddleware: resolve real client IP from
  X-Forwarded-For -> X-Real-IP -> request.client.host
- Bump rate_limit_general 100 -> 300 req/min/IP (per tablet now)
- Flask: ProxyFix(x_for=1, x_proto=1, x_host=1) so request.remote_addr
  is the tablet IP, not the Nginx IP
- APIClient: forward X-Forwarded-For + X-Real-IP to FastAPI for both
  JSON and multipart/files calls; safe no-op outside request context
- 12 new tests (7 server + 5 client) covering header precedence,
  forwarding behavior and ProxyFix install

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-25 12:07:43 +02:00

71 lines
2.6 KiB
Python
Raw Blame History

"""Tests that APIClient forwards the real tablet IP via X-Forwarded-For."""
from unittest.mock import patch
from services.api_client import api_client
def _last_call_headers(mock):
"""Return the headers kwarg from the most recent requests.* call."""
return mock.call_args.kwargs["headers"]
def test_get_forwards_real_client_ip(flask_app):
with flask_app.test_request_context(
"/", environ_base={"REMOTE_ADDR": "203.0.113.10"}
):
with patch("services.api_client.requests.get") as mock_get:
mock_get.return_value.ok = True
mock_get.return_value.status_code = 200
mock_get.return_value.json.return_value = {}
api_client.get("/api/health")
headers = _last_call_headers(mock_get)
assert headers["X-Forwarded-For"] == "203.0.113.10"
assert headers["X-Real-IP"] == "203.0.113.10"
def test_post_json_forwards_real_client_ip(flask_app):
with flask_app.test_request_context(
"/", environ_base={"REMOTE_ADDR": "198.51.100.42"}
):
with patch("services.api_client.requests.post") as mock_post:
mock_post.return_value.ok = True
mock_post.return_value.status_code = 200
mock_post.return_value.json.return_value = {}
api_client.post("/api/foo", data={"x": 1})
headers = _last_call_headers(mock_post)
assert headers["X-Forwarded-For"] == "198.51.100.42"
def test_post_with_files_forwards_real_client_ip(flask_app):
with flask_app.test_request_context(
"/", environ_base={"REMOTE_ADDR": "198.51.100.77"}
):
with patch("services.api_client.requests.post") as mock_post:
mock_post.return_value.ok = True
mock_post.return_value.status_code = 200
mock_post.return_value.json.return_value = {}
api_client.post(
"/api/files/upload", data={}, files={"file": ("x.txt", b"data")}
)
headers = _last_call_headers(mock_post)
assert headers["X-Forwarded-For"] == "198.51.100.77"
assert headers["X-Real-IP"] == "198.51.100.77"
def test_real_client_ip_returns_none_outside_request_context(flask_app):
"""Background workers without a Flask request must NOT inject a fake IP."""
from services.api_client import APIClient
with flask_app.app_context():
assert APIClient._real_client_ip() is None
def test_proxy_fix_is_installed(flask_app):
"""ProxyFix must wrap wsgi_app so REMOTE_ADDR is rewritten in production."""
from werkzeug.middleware.proxy_fix import ProxyFix
assert isinstance(flask_app.wsgi_app, ProxyFix)
Reference in New Issue View Git Blame Copy Permalink