rack-attack 6.6.1 → 6.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '0399127f00624959bafee349ab2e6010acda84373c3df24ff18c3ff701a6c274'
-  data.tar.gz: 88bbb4465f8b7ecd0f82d9ad7217a66da96bb829c6982b0151ea2c19b5bba3c5
+  metadata.gz: cca196b4f54fee6e576f7afd081dcc0311c25f2a9705a498bf5c319ec27a0d79
+  data.tar.gz: c758c6d6c9a10eac5ae1b20b1d501c3f9ded73d1c2dd77777a57a1727addf0fa
 SHA512:
-  metadata.gz: 5a4d3d278b7c814c909ae0e01128f076f2ffcda003a56f688d803ccdfc5f72eeaa6c60412dc8e06769026f407860ac1259668fc61c0e87f1ef7a03434e17d982
-  data.tar.gz: 492e4659338b489d9fcdc3bd315148ec2e1802c6197ce4dc5d7eaf598c918866468387d1a2346bfc30c454605aeaa59aa7d9a4e50bdc08910b24a72c681053dc
+  metadata.gz: 4f8a0c70cb9744d842786b4960d9ec82f971c54a2fa4c036c44919be5695310cb192f22fa5910edd187f1655e537e894f092db0b16bda41744ecac2cde9e1bb3
+  data.tar.gz: 6e999c3c981c90130aac0bffddd69feb09ff480cd1b791dea33f580080a2cf7ffc4e4949c93ec2e4dfe61dd1cdd957291e7893c0ca2b879b2092ac6984a45169

data/README.md

@@ -11,7 +11,6 @@ See the [Backing & Hacking blog post](https://www.kickstarter.com/backing-and-ha
 
 [![Gem Version](https://badge.fury.io/rb/rack-attack.svg)](https://badge.fury.io/rb/rack-attack)
 [![build](https://github.com/rack/rack-attack/actions/workflows/build.yml/badge.svg)](https://github.com/rack/rack-attack/actions/workflows/build.yml)
-[![Code Climate](https://codeclimate.com/github/kickstarter/rack-attack.svg)](https://codeclimate.com/github/kickstarter/rack-attack)
 [![Join the chat at https://gitter.im/rack-attack/rack-attack](https://badges.gitter.im/rack-attack/rack-attack.svg)](https://gitter.im/rack-attack/rack-attack)
 
 ## Table of contents
@@ -56,7 +55,7 @@ Add this line to your application's Gemfile:
 ```ruby
 # In your Gemfile
 
-gem 'rack-attack'
+gem "rack-attack", "~> 6.8"
 ```
 
 And then execute:
@@ -291,7 +290,7 @@ Rack::Attack.track("special_agent", limit: 6, period: 60) do |req|
 end
 
 # Track it using ActiveSupport::Notification
-ActiveSupport::Notifications.subscribe("track.rack_attack") do |name, start, finish, request_id, payload|
+ActiveSupport::Notifications.subscribe("track.rack_attack") do |name, start, finish, instrumenter_id, payload|
   req = payload[:request]
   if req.env['rack.attack.matched'] == "special_agent"
     Rails.logger.info "special_agent: #{req.path}"
@@ -302,13 +301,18 @@ end
 
 ### Cache store configuration
 
-Throttle, allow2ban and fail2ban state is stored in a configurable cache (which defaults to `Rails.cache` if present), presumably backed by memcached or redis ([at least gem v3.0.0](https://rubygems.org/gems/redis)).
+Throttle, track, allow2ban and fail2ban state is stored in a configurable cache (which defaults to `Rails.cache` if present), presumably backed by memcached or redis ([at least gem v3.0.0](https://rubygems.org/gems/redis)).
 
 ```ruby
-Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new # defaults to Rails.cache
+# This is the default
+Rack::Attack.cache.store = Rails.cache 
+# It is recommended to use a separate database for throttling/allow2ban/fail2ban.
+Rack::Attack.cache.store = ActiveSupport::Cache::RedisCacheStore.new(url: "...") 
 ```
 
-Note that `Rack::Attack.cache` is only used for throttling, allow2ban and fail2ban filtering; not blocklisting and safelisting. Your cache store must implement `increment` and `write` like [ActiveSupport::Cache::Store](http://api.rubyonrails.org/classes/ActiveSupport/Cache/Store.html).
+Most applications should use a new, separate database used only for `rack-attack`. During an actual attack or periods of heavy load, this database will come under heavy load. Keeping it on a separate database instance will give you additional resilience and make sure that other functions (like caching for your application) don't go down.
+
+Note that `Rack::Attack.cache` is only used for throttling, allow2ban and fail2ban filtering; not blocklisting and safelisting. Your cache store must implement `increment` and `write` like [ActiveSupport::Cache::Store](http://api.rubyonrails.org/classes/ActiveSupport/Cache/Store.html). This means that other cache stores which inherit from ActiveSupport::Cache::Store are also compatible. In-memory stores which are not backed by an external database, such as `ActiveSupport::Cache::MemoryStore.new`, will be mostly ineffective because each Ruby process in your deployment will have it's own state, effectively multiplying the number of requests each client can make by the number of Ruby processes you have deployed.
 
 ## Customizing responses
 
@@ -378,7 +382,7 @@ To get notified about specific type of events, subscribe to the event name follo
 E.g. for throttles use:
 
 ```ruby
-ActiveSupport::Notifications.subscribe("throttle.rack_attack") do |name, start, finish, request_id, payload|
+ActiveSupport::Notifications.subscribe("throttle.rack_attack") do |name, start, finish, instrumenter_id, payload|
   # request object available in payload[:request]
 
   # Your code here
@@ -388,7 +392,7 @@ end
 If you want to subscribe to every `rack_attack` event, use:
 
 ```ruby
-ActiveSupport::Notifications.subscribe(/rack_attack/) do |name, start, finish, request_id, payload|
+ActiveSupport::Notifications.subscribe(/rack_attack/) do |name, start, finish, instrumenter_id, payload|
   # request object available in payload[:request]
 
   # Your code here

data/lib/rack/attack/base_proxy.rb

@@ -11,6 +11,7 @@ module Rack
         end
 
         def inherited(klass)
+          super
           proxies << klass
         end
 

data/lib/rack/attack/cache.rb

@@ -6,8 +6,14 @@ module Rack
       attr_accessor :prefix
       attr_reader :last_epoch_time
 
-      def initialize
-        self.store = ::Rails.cache if defined?(::Rails.cache)
+      def self.default_store
+        if Object.const_defined?(:Rails) && Rails.respond_to?(:cache)
+          ::Rails.cache
+        end
+      end
+
+      def initialize(store: self.class.default_store)
+        self.store = store
         @prefix = 'rack::attack'
       end
 
@@ -49,7 +55,7 @@ module Rack
 
       def reset!
         if store.respond_to?(:delete_matched)
-          store.delete_matched("#{prefix}*")
+          store.delete_matched(/#{prefix}*/)
         else
           raise(
             Rack::Attack::IncompatibleStoreError,
@@ -62,7 +68,7 @@ module Rack
 
       def key_and_expiry(unprefixed_key, period)
         @last_epoch_time = Time.now.to_i
-        # Add 1 to expires_in to avoid timing error: https://git.io/i1PHXA
+        # Add 1 to expires_in to avoid timing error: https://github.com/rack/rack-attack/pull/85
         expires_in = (period - (@last_epoch_time % period) + 1).to_i
         ["#{prefix}:#{(@last_epoch_time / period).to_i}:#{unprefixed_key}", expires_in]
       end

data/lib/rack/attack/configuration.rb

@@ -19,7 +19,7 @@ module Rack
         end
       end
 
-      attr_reader :safelists, :blocklists, :throttles, :anonymous_blocklists, :anonymous_safelists
+      attr_reader :safelists, :blocklists, :throttles, :tracks, :anonymous_blocklists, :anonymous_safelists
       attr_accessor :blocklisted_responder, :throttled_responder, :throttled_response_retry_after_header
 
       attr_reader :blocklisted_response, :throttled_response # Keeping these for backwards compatibility
@@ -61,11 +61,15 @@ module Rack
       end
 
       def blocklist_ip(ip_address)
-        @anonymous_blocklists << Blocklist.new { |request| IPAddr.new(ip_address).include?(IPAddr.new(request.ip)) }
+        @anonymous_blocklists << Blocklist.new do |request|
+          request.ip && !request.ip.empty? && IPAddr.new(ip_address).include?(IPAddr.new(request.ip))
+        end
       end
 
       def safelist_ip(ip_address)
-        @anonymous_safelists << Safelist.new { |request| IPAddr.new(ip_address).include?(IPAddr.new(request.ip)) }
+        @anonymous_safelists << Safelist.new do |request|
+          request.ip && !request.ip.empty? && IPAddr.new(ip_address).include?(IPAddr.new(request.ip))
+        end
       end
 
       def throttle(name, options, &block)

data/lib/rack/attack/path_normalizer.rb

@@ -4,7 +4,9 @@ module Rack
   class Attack
     # When using Rack::Attack with a Rails app, developers expect the request path
     # to be normalized. In particular, trailing slashes are stripped.
-    # (See https://git.io/v0rrR for implementation.)
+    # (See
+    # https://github.com/rails/rails/blob/f8edd20/actionpack/lib/action_dispatch/journey/router/utils.rb#L5-L22
+    # for implementation.)
     #
     # Look for an ActionDispatch utility class that Rails folks would expect
     # to normalize request paths. If unavailable, use a fallback class that

data/lib/rack/attack/railtie.rb

@@ -1,5 +1,11 @@
 # frozen_string_literal: true
 
+begin
+  require 'rails/railtie'
+rescue LoadError
+  return
+end
+
 module Rack
   class Attack
     class Railtie < ::Rails::Railtie

data/lib/rack/attack/store_proxy/redis_cache_store_proxy.rb

@@ -10,17 +10,19 @@ module Rack
           store.class.name == "ActiveSupport::Cache::RedisCacheStore"
         end
 
-        def increment(name, amount = 1, **options)
-          # RedisCacheStore#increment ignores options[:expires_in].
-          #
-          # So in order to workaround this we use RedisCacheStore#write (which sets expiration) to initialize
-          # the counter. After that we continue using the original RedisCacheStore#increment.
-          if options[:expires_in] && !read(name)
-            write(name, amount, options)
+        if defined?(::ActiveSupport) && ::ActiveSupport::VERSION::MAJOR < 6
+          def increment(name, amount = 1, **options)
+            # RedisCacheStore#increment ignores options[:expires_in] in versions prior to 6.
+            #
+            # So in order to workaround this we use RedisCacheStore#write (which sets expiration) to initialize
+            # the counter. After that we continue using the original RedisCacheStore#increment.
+            if options[:expires_in] && !read(name)
+              write(name, amount, options)
 
-            amount
-          else
-            super
+              amount
+            else
+              super
+            end
           end
         end
 
@@ -31,6 +33,10 @@ module Rack
         def write(name, value, options = {})
           super(name, value, options.merge!(raw: true))
         end
+
+        def delete_matched(matcher, options = nil)
+          super(matcher.source, options)
+        end
       end
     end
   end

data/lib/rack/attack/store_proxy/redis_proxy.rb

@@ -45,11 +45,12 @@ module Rack
 
         def delete_matched(matcher, _options = nil)
           cursor = "0"
+          source = matcher.source
 
           rescuing do
             # Fetch keys in batches using SCAN to avoid blocking the Redis server.
             loop do
-              cursor, keys = scan(cursor, match: matcher, count: 1000)
+              cursor, keys = scan(cursor, match: source, count: 1000)
               del(*keys) unless keys.empty?
               break if cursor == "0"
             end

data/lib/rack/attack/throttle.rb

@@ -38,8 +38,9 @@ module Rack
           epoch_time: cache.last_epoch_time
         }
 
+        annotate_request_with_throttle_data(request, data)
+
         (count > current_limit).tap do |throttled|
-          annotate_request_with_throttle_data(request, data)
           if throttled
             annotate_request_with_matched_data(request, data)
             Rack::Attack.instrument(request)

data/lib/rack/attack/version.rb

@@ -2,6 +2,6 @@
 
 module Rack
   class Attack
-    VERSION = '6.6.1'
+    VERSION = '6.8.0'
   end
 end

data/lib/rack/attack.rb

@@ -11,15 +11,17 @@ require 'rack/attack/store_proxy/mem_cache_store_proxy'
 require 'rack/attack/store_proxy/redis_proxy'
 require 'rack/attack/store_proxy/redis_store_proxy'
 require 'rack/attack/store_proxy/redis_cache_store_proxy'
-require 'rack/attack/store_proxy/active_support_redis_store_proxy'
 
 require 'rack/attack/railtie' if defined?(::Rails)
 
 module Rack
   class Attack
     class Error < StandardError; end
+
     class MisconfiguredStoreError < Error; end
+
     class MissingStoreError < Error; end
+
     class IncompatibleStoreError < Error; end
 
     autoload :Check,                'rack/attack/check'

data/spec/acceptance/blocking_ip_spec.rb

@@ -3,6 +3,8 @@
 require_relative "../spec_helper"
 
 describe "Blocking an IP" do
+  let(:notifications) { [] }
+
   before do
     Rack::Attack.blocklist_ip("1.2.3.4")
   end
@@ -19,22 +21,25 @@ describe "Blocking an IP" do
     assert_equal 200, last_response.status
   end
 
-  it "notifies when the request is blocked" do
-    notified = false
-    notification_type = nil
+  it "succeeds if IP is missing" do
+    get "/", {}, "REMOTE_ADDR" => ""
+
+    assert_equal 200, last_response.status
+  end
 
+  it "notifies when the request is blocked" do
     ActiveSupport::Notifications.subscribe("blocklist.rack_attack") do |_name, _start, _finish, _id, payload|
-      notified = true
-      notification_type = payload[:request].env["rack.attack.match_type"]
+      notifications.push(payload)
     end
 
     get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
 
-    refute notified
+    assert notifications.empty?
 
     get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
 
-    assert notified
-    assert_equal :blocklist, notification_type
+    assert_equal 1, notifications.size
+    notification = notifications.pop
+    assert_equal :blocklist, notification[:request].env["rack.attack.match_type"]
   end
 end

data/spec/acceptance/blocking_spec.rb

@@ -3,6 +3,8 @@
 require_relative "../spec_helper"
 
 describe "#blocklist" do
+  let(:notifications) { [] }
+
   before do
     Rack::Attack.blocklist do |request|
       request.ip == "1.2.3.4"
@@ -22,27 +24,26 @@ describe "#blocklist" do
   end
 
   it "notifies when the request is blocked" do
-    notification_matched = nil
-    notification_type = nil
-
     ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, payload|
-      notification_matched = payload[:request].env["rack.attack.matched"]
-      notification_type = payload[:request].env["rack.attack.match_type"]
+      notifications.push(payload)
     end
 
     get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
 
-    assert_nil notification_matched
-    assert_nil notification_type
+    assert notifications.empty?
 
     get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
 
-    assert_nil notification_matched
-    assert_equal :blocklist, notification_type
+    assert_equal 1, notifications.size
+    notification = notifications.pop
+    assert_nil notification[:request].env["rack.attack.matched"]
+    assert_equal :blocklist, notification[:request].env["rack.attack.match_type"]
   end
 end
 
 describe "#blocklist with name" do
+  let(:notifications) { [] }
+
   before do
     Rack::Attack.blocklist("block 1.2.3.4") do |request|
       request.ip == "1.2.3.4"
@@ -62,22 +63,19 @@ describe "#blocklist with name" do
   end
 
   it "notifies when the request is blocked" do
-    notification_matched = nil
-    notification_type = nil
-
     ActiveSupport::Notifications.subscribe("blocklist.rack_attack") do |_name, _start, _finish, _id, payload|
-      notification_matched = payload[:request].env["rack.attack.matched"]
-      notification_type = payload[:request].env["rack.attack.match_type"]
+      notifications.push(payload)
     end
 
     get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
 
-    assert_nil notification_matched
-    assert_nil notification_type
+    assert notifications.empty?
 
     get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
 
-    assert_equal "block 1.2.3.4", notification_matched
-    assert_equal :blocklist, notification_type
+    assert_equal 1, notifications.size
+    notification = notifications.pop
+    assert_equal "block 1.2.3.4", notification[:request].env["rack.attack.matched"]
+    assert_equal :blocklist, notification[:request].env["rack.attack.match_type"]
   end
 end

data/spec/acceptance/blocking_subnet_spec.rb

@@ -3,6 +3,8 @@
 require_relative "../spec_helper"
 
 describe "Blocking an IP subnet" do
+  let(:notifications) { [] }
+
   before do
     Rack::Attack.blocklist_ip("1.2.3.4/31")
   end
@@ -26,21 +28,18 @@ describe "Blocking an IP subnet" do
   end
 
   it "notifies when the request is blocked" do
-    notified = false
-    notification_type = nil
-
     ActiveSupport::Notifications.subscribe("blocklist.rack_attack") do |_name, _start, _finish, _id, payload|
-      notified = true
-      notification_type = payload[:request].env["rack.attack.match_type"]
+      notifications.push(payload)
     end
 
     get "/", {}, "REMOTE_ADDR" => "5.6.7.8"
 
-    refute notified
+    assert notifications.empty?
 
     get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
 
-    assert notified
-    assert_equal :blocklist, notification_type
+    assert_equal 1, notifications.size
+    notification = notifications.pop
+    assert_equal :blocklist, notification[:request].env["rack.attack.match_type"]
   end
 end

data/spec/acceptance/cache_store_config_for_allow2ban_spec.rb

@@ -12,9 +12,11 @@ describe "Cache store config when using allow2ban" do
     end
   end
 
-  it "gives semantic error if no store was configured" do
-    assert_raises(Rack::Attack::MissingStoreError) do
-      get "/scarce-resource"
+  unless defined?(Rails)
+    it "gives semantic error if no store was configured" do
+      assert_raises(Rack::Attack::MissingStoreError) do
+        get "/scarce-resource"
+      end
     end
   end
 

data/spec/acceptance/cache_store_config_for_fail2ban_spec.rb

@@ -12,9 +12,11 @@ describe "Cache store config when using fail2ban" do
     end
   end
 
-  it "gives semantic error if no store was configured" do
-    assert_raises(Rack::Attack::MissingStoreError) do
-      get "/private-place"
+  unless defined?(Rails)
+    it "gives semantic error if no store was configured" do
+      assert_raises(Rack::Attack::MissingStoreError) do
+        get "/private-place"
+      end
     end
   end
 
@@ -79,7 +81,7 @@ describe "Cache store config when using fail2ban" do
   end
 
   it "works with any object that responds to #read, #write and #increment" do
-    FakeStore = Class.new do
+    fake_store_class = Class.new do
       attr_accessor :backend
 
       def initialize
@@ -100,7 +102,7 @@ describe "Cache store config when using fail2ban" do
       end
     end
 
-    Rack::Attack.cache.store = FakeStore.new
+    Rack::Attack.cache.store = fake_store_class.new
 
     get "/"
     assert_equal 200, last_response.status

data/spec/acceptance/cache_store_config_for_throttle_spec.rb

@@ -9,9 +9,11 @@ describe "Cache store config when throttling without Rails" do
     end
   end
 
-  it "gives semantic error if no store was configured" do
-    assert_raises(Rack::Attack::MissingStoreError) do
-      get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+  unless defined?(Rails)
+    it "gives semantic error if no store was configured" do
+      assert_raises(Rack::Attack::MissingStoreError) do
+        get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+      end
     end
   end
 

data/spec/acceptance/cache_store_config_with_rails_spec.rb

@@ -11,10 +11,12 @@ describe "Cache store config with Rails" do
     end
   end
 
-  it "fails when Rails.cache is not set" do
-    Object.stub_const(:Rails, OpenStruct.new(cache: nil)) do
-      assert_raises(Rack::Attack::MissingStoreError) do
-        get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+  unless defined?(Rails)
+    it "fails when Rails.cache is not set" do
+      Object.stub_const(:Rails, OpenStruct.new(cache: nil)) do
+        assert_raises(Rack::Attack::MissingStoreError) do
+          get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
+        end
       end
     end
   end

data/spec/acceptance/extending_request_object_spec.rb

@@ -4,10 +4,8 @@ require_relative "../spec_helper"
 
 describe "Extending the request object" do
   before do
-    class Rack::Attack::Request
-      def authorized?
-        env["APIKey"] == "private-secret"
-      end
+    Rack::Attack::Request.define_method :authorized? do
+      env["APIKey"] == "private-secret"
     end
 
     Rack::Attack.blocklist("unauthorized requests") do |request|
@@ -17,9 +15,7 @@ describe "Extending the request object" do
 
   # We don't want the extension to leak to other test cases
   after do
-    class Rack::Attack::Request
-      remove_method :authorized?
-    end
+    Rack::Attack::Request.undef_method :authorized?
   end
 
   it "forbids request if blocklist condition is true" do

data/spec/acceptance/fail2ban_spec.rb

@@ -4,6 +4,8 @@ require_relative "../spec_helper"
 require "timecop"
 
 describe "fail2ban" do
+  let(:notifications) { [] }
+
   before do
     Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
 
@@ -75,4 +77,44 @@ describe "fail2ban" do
       assert_equal 200, last_response.status
     end
   end
+
+  it "notifies when the request is blocked" do
+    ActiveSupport::Notifications.subscribe("rack.attack") do |_name, _start, _finish, _id, payload|
+      notifications.push(payload)
+    end
+
+    get "/"
+
+    assert_equal 200, last_response.status
+    assert notifications.empty?
+
+    get "/private-place"
+
+    assert_equal 403, last_response.status
+    assert_equal 1, notifications.size
+    notification = notifications.pop
+    assert_equal 'fail2ban pentesters', notification[:request].env["rack.attack.matched"]
+    assert_equal :blocklist, notification[:request].env["rack.attack.match_type"]
+
+    get "/"
+
+    assert_equal 200, last_response.status
+    assert notifications.empty?
+
+    get "/private-place"
+
+    assert_equal 403, last_response.status
+    assert_equal 1, notifications.size
+    notification = notifications.pop
+    assert_equal 'fail2ban pentesters', notification[:request].env["rack.attack.matched"]
+    assert_equal :blocklist, notification[:request].env["rack.attack.match_type"]
+
+    get "/"
+
+    assert_equal 403, last_response.status
+    assert_equal 1, notifications.size
+    notification = notifications.pop
+    assert_equal 'fail2ban pentesters', notification[:request].env["rack.attack.matched"]
+    assert_equal :blocklist, notification[:request].env["rack.attack.match_type"]
+  end
 end

data/spec/acceptance/rails_middleware_spec.rb

@@ -2,7 +2,7 @@
 
 require_relative "../spec_helper"
 
-if defined?(Rails)
+if defined?(Rails::Application)
   describe "Middleware for Rails" do
     before do
       @app = Class.new(Rails::Application) do

data/spec/acceptance/safelisting_ip_spec.rb

@@ -3,6 +3,8 @@
 require_relative "../spec_helper"
 
 describe "Safelist an IP" do
+  let(:notifications) { [] }
+
   before do
     Rack::Attack.blocklist("admin") do |request|
       request.path == "/admin"
@@ -17,6 +19,12 @@ describe "Safelist an IP" do
     assert_equal 403, last_response.status
   end
 
+  it "forbids request if blocklist condition is true and safelist is false (missing IP)" do
+    get "/admin", {}, "REMOTE_ADDR" => ""
+
+    assert_equal 403, last_response.status
+  end
+
   it "succeeds if blocklist condition is false and safelist is false" do
     get "/", {}, "REMOTE_ADDR" => "1.2.3.4"
 
@@ -36,15 +44,15 @@ describe "Safelist an IP" do
   end
 
   it "notifies when the request is safe" do
-    notification_type = nil
-
     ActiveSupport::Notifications.subscribe("safelist.rack_attack") do |_name, _start, _finish, _id, payload|
-      notification_type = payload[:request].env["rack.attack.match_type"]
+      notifications.push(payload)
     end
 
     get "/admin", {}, "REMOTE_ADDR" => "5.6.7.8"
 
     assert_equal 200, last_response.status
-    assert_equal :safelist, notification_type
+    assert_equal 1, notifications.size
+    notification = notifications.pop
+    assert_equal :safelist, notification[:request].env["rack.attack.match_type"]
   end
 end