From 092ab8ce06e1d0043ccaec576e6b6b4f1489f807 Mon Sep 17 00:00:00 2001 From: "Aaron K. Clark" Date: Tue, 19 May 2026 11:09:23 -0500 Subject: [PATCH] test(rate-limit): cover the req.socket.remoteAddress fallback branch MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit #287 swapped the deprecated \`req.connection\` for \`req.socket\` in the rate-limit key generator's fallback path. The existing unit tests inject a plain { ip } object and never traverse the fallback, so the new accessor was technically untested. Add an explicit case that forces the fallback by passing { socket: { remoteAddress: ... } } without req.ip — the keygen should pick the socket address up and route it through the IPv6-aware helper. Test count: 760 → 761. Co-Authored-By: Claude Opus 4.7 (1M context) --- tests/unit/rate-limit-key.test.js | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/tests/unit/rate-limit-key.test.js b/tests/unit/rate-limit-key.test.js index 6bab3be..c0da190 100644 --- a/tests/unit/rate-limit-key.test.js +++ b/tests/unit/rate-limit-key.test.js @@ -78,4 +78,17 @@ describe('keyByAuthKeyOrIp', () => { const b = keyByAuthKeyOrIp(fakeReq({ ip: '2001:db8:1234:5700::1' })); expect(a).not.toBe(b); }); + + test('falls back to req.socket.remoteAddress when req.ip is missing', () => { + // #287 swapped the deprecated req.connection for req.socket. + // Exercise the fallback explicitly: no authKey, no req.ip, but + // req.socket.remoteAddress is set — the keygen should pick it + // up and route it through the IPv6/IPv4-aware helper. + const req = { + get: () => undefined, + socket: { remoteAddress: '10.20.30.40' }, + }; + const k = keyByAuthKeyOrIp(req); + expect(k).toBe('ip:10.20.30.40'); + }); });