Rate-limit shopkeeper sign-up to 10/IP/3min (#50)

* Rate-limit shopkeeper sign-up to 5/IP/hour

Mass account creation is currently only constrained by the broad
300/IP/5min rack-attack req/ip cap. Add an endpoint-specific limit
on POST /shopkeeper_auth using Rails 8's built-in
ActionController::RateLimiting: 5 requests per IP per hour. When
exceeded, render 429 with a localized JSON error.

Switch the test cache from :null_store to :memory_store so the
limiter's counters can persist within a request sequence
(:null_store no-ops increments). Clear Rails.cache in the standard
test setup so throttle state doesn't leak between tests.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Tune sign-up rate limit to 10/3min (match jumpstart-pro reference)

Aligns with the reference codebase (jumpstart-pro-rails uses
`to: 10, within: 3.minutes` on user sign-up). The earlier 5/1.hour
was overly strict for legit users — a confused user with bad
password rules or autofill misfires could exhaust the quota and
get locked out for an hour. 10/3min absorbs realistic retry flows
while still constraining bots; per-IP limits are not the primary
defense against rotating-IP attackers anyway.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: dadachi

app/controllers/shopkeeper_auth/registrations_controller.rb

@@ -1,4 +1,10 @@
 class ShopkeeperAuth::RegistrationsController < DeviseTokenAuth::RegistrationsController
+  rate_limit to: 10, within: 3.minutes, only: :create,
+    with: -> {
+      render json: {code: 429, error_message: I18n.t("errors.messages.too_many_signups")},
+        status: :too_many_requests
+    }
+
   before_action :set_confirm_success_url, only: %i[create]
   before_action :configure_permitted_parameters
 

config/environments/test.rb

@@ -22,7 +22,9 @@
 
   # Show full error reports and disable caching.
   config.consider_all_requests_local = true
-  config.cache_store = :null_store
+  # Use memory store so ActionController::RateLimiting can persist counters
+  # between requests within a test; null_store would no-op the increments.
+  config.cache_store = :memory_store
 
   # Render exception templates for rescuable exceptions and raise for other exceptions.
   config.action_dispatch.show_exceptions = :rescuable

config/locales/en.yml

@@ -142,3 +142,4 @@ en:
       limit_count_shop: "You can create up to %{limit_count} shops across all organizations."
       limit_count_accounts_shopkeeper: "Organization members can be created up to %{limit_count}. Please contact the organization admin user or owner."
       limit_count_item_tag: "You can create up to %{limit_count} item tags."
+      too_many_signups: "Too many sign-up attempts. Please try again later."

test/integration/sign_up_throttle_test.rb

@@ -0,0 +1,29 @@
+require "test_helper"
+
+class SignUpThrottleTest < ActionDispatch::IntegrationTest
+  def post_sign_up(email)
+    post shopkeeper_registration_url,
+      params: {
+        name: "Throttle Test",
+        email: email,
+        password: "password",
+        password_confirmation: "password",
+        time_zone: "Tokyo",
+        current_platform: "ios"
+      },
+      as: :json
+  end
+
+  test "the eleventh sign-up from the same IP within the window is rate-limited" do
+    10.times do |i|
+      post_sign_up("throttle#{i}@example.com")
+      assert_not_equal 429, response.status, "request #{i + 1} should not be throttled"
+    end
+
+    post_sign_up("throttle10@example.com")
+
+    assert_response :too_many_requests
+    assert_equal 429, response.parsed_body["code"]
+    assert_equal I18n.t("errors.messages.too_many_signups"), response.parsed_body["error_message"]
+  end
+end

test/test_helper.rb

@@ -14,6 +14,7 @@ module ActiveSupport
   class TestCase
     setup do
       Dir[Rails.root.join("db", "fixtures", "test", "*.rb")].sort.each { |s| load s }
+      Rails.cache.clear
     end
 
     # Run tests in parallel with specified workers