M12 / ST-1110: Demo gebruiker read-only (#17)

* feat(ST-1110.3): add proxy.ts demo-guard for non-GET API routes

* feat(ST-1110.3+4): demo-guard proxy + block demo in QR-pairing

- proxy.ts: gebruik unsealData ipv getIronSession (middleware-compatibel)
- pair/start: isDemo-check via cookies() guard
- pair/claim: check pairing.user.is_demo na DB-read; 403 + clearPairCookie

* feat(ST-1110.5): unify demo write-button pattern to disabled+tooltip

Convert all !isDemo && <Button> patterns to <DemoTooltip show={isDemo}>
<Button disabled={isDemo}> so demo visitors see app capabilities.
Affects: pbi-list, story-panel, story-dialog, task-list, sprint-backlog,
token-manager, product-list, activate-product-button, leave-product-button,
settings page.

* test(ST-1110.6): proxy demo-guard coverage — 403 for demo+non-GET on /api/*

* docs(ST-1110.7): document three-layer demo-readonly policy and mirror plan
This commit is contained in:
Janpeter Visser 2026-04-29 18:44:14 +02:00 committed by GitHub
parent 8a9fb9d32b
commit 1cb5772edd
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
19 changed files with 413 additions and 142 deletions


@ -80,6 +80,11 @@ export async function POST(request: Request) {
return Response.json({ error: 'Pairing zonder user' }, { status: 500 })
}
if (pairing.user?.is_demo) {
await clearPairCookie()
return Response.json({ error: 'Niet beschikbaar in demo-modus' }, { status: 403 })
}
const session = await getIronSession<SessionData>(await cookies(), sessionOptions)
session.userId = pairing.user_id
session.isDemo = pairing.user?.is_demo ?? false
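Review bot: The demo branch at the `is_demo` check clears the pair cookie and returns 403, but as far as this hunk shows it does not consume or invalidate the pairing row that was just read, so the same pairing secret presumably stays claimable until its own expiry; if the success path marks the pairing as claimed further down (outside the hunk), do the same here before returning. Note also that after this guard the assignment `session.isDemo = pairing.user?.is_demo ?? false` can only ever yield `false`; either write `session.isDemo = false` or keep it with a comment such as `// always false here: demo users were rejected above`, so the next reader does not look for a path where a demo session is created. The POST handler starts and ends outside the hunk.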


@ -9,6 +9,8 @@
//
// Rate-limit: 10 pogingen per IP per minuut (lib/rate-limit.ts → 'pair-start').
import { getIronSession } from 'iron-session'
import { cookies } from 'next/headers'
import { prisma } from '@/lib/prisma'
import {
generateMobileSecret,
@ -17,6 +19,7 @@ import {
} from '@/lib/auth/pairing'
import { setPairCookie } from '@/lib/auth/pair-cookie'
import { checkRateLimit } from '@/lib/rate-limit'
import { SessionData, sessionOptions } from '@/lib/session'
export const runtime = 'nodejs'
@ -34,6 +37,11 @@ function getClientIp(request: Request): string {
}
export async function POST(request: Request) {
const session = await getIronSession<SessionData>(await cookies(), sessionOptions)
if (session.isDemo) {
return Response.json({ error: 'Niet beschikbaar in demo-modus' }, { status: 403 })
}
const ip = getClientIp(request)
if (!checkRateLimit(`pair-start:${ip}`)) {
return Response.json(
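Review bot: The new guard only trusts the `isDemo` flag carried in the sealed session, so any demo session issued before this commit (when pair/claim did not yet set `session.isDemo`) would pass the check until that user re-pairs; if such sessions can still exist, either verify `is_demo` against the user row via `session.userId` here as well, or rotate/invalidate pre-existing sessions as part of the rollout. The check intentionally sits above the rate limiter, which is fine since the branch does no DB work, but the header comment at the top of the file still documents only the rate limit; suggest adding `// Demo guard: sessions with isDemo get 403 before rate limiting (defense in depth next to proxy.ts).` The POST handler continues past the end of the hunk.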