feat(rate-limit): per-user mutation-rate-limiting (v1-readiness #3)

lib/rate-limit.ts: 11 nieuwe scope-configs + enforceUserRateLimit(scope, userId) helper. Returnt { error, code: 429 } shape voor consistent foutbeleid. Toegepast op de high-value mutation-paths: - actions/pbis.ts createPbiAction - actions/stories.ts createStoryAction - actions/tasks.ts saveTask (alleen create-path) + createTaskAction - actions/todos.ts createTodoAction - actions/sprints.ts createSprintAction - actions/products.ts createProductAction + createProductFormAction - actions/api-tokens.ts createApiTokenAction - actions/questions.ts answerQuestion - actions/claude-jobs.ts enqueueClaudeJobAction + enqueueClaudeJobsBatchAction - app/api/profile/avatar/route.ts POST - app/api/stories/[id]/log/route.ts POST Limits zijn ruim genoeg voor normaal gebruik, eng genoeg voor abuse-loops: create-task 100/min, create-todo 60/min, create-pbi 30/min, create-product 5/min, create-token 10/uur, etc. Per-user scope (geen globale block). Niet aangeraakt: reorder/status-toggle (intra-session frequent, lage abuse), update/delete (laag-volume), cron-routes (CRON_SECRET-gated). Consumer-tweaks: 'success' in result narrowing waar TS de bredere union niet meer accepteerde. Tests: 9 nieuwe op rate-limit-helper. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-04 13:48:59 +02:00 · 2026-05-04 13:48:59 +02:00 · a0a10001d5
commit a0a10001d5
parent 43778e3bcb
16 changed files with 175 additions and 13 deletions
--- a/actions/api-tokens.ts
+++ b/actions/api-tokens.ts
@ -6,6 +6,7 @@ import { getIronSession } from 'iron-session'
 import { createHash, randomBytes } from 'crypto'
 import { prisma } from '@/lib/prisma'
 import { SessionData, sessionOptions } from '@/lib/session'
+import { enforceUserRateLimit } from '@/lib/rate-limit'

 async function getSession() {
  return getIronSession<SessionData>(await cookies(), sessionOptions)
@ -16,6 +17,9 @@ export async function createApiTokenAction(_prevState: unknown, formData: FormDa
  if (!session.userId) return { error: 'Niet ingelogd' }
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }

+  const limited = enforceUserRateLimit('create-token', session.userId)
+  if (limited) return limited
+
  const label = (formData.get('label') as string | null)?.trim() || null

  // Max 10 active tokens
--- a/actions/claude-jobs.ts
+++ b/actions/claude-jobs.ts
@ -5,6 +5,7 @@ import { prisma } from '@/lib/prisma'
 import { getSession } from '@/lib/auth'
 import { productAccessFilter } from '@/lib/product-access'
 import { ACTIVE_JOB_STATUSES, jobStatusToApi } from '@/lib/job-status'
+import { enforceUserRateLimit } from '@/lib/rate-limit'

 type EnqueueResult =
  | { success: true; jobId: string }
@ -34,6 +35,9 @@ export async function enqueueClaudeJobAction(taskId: string): Promise<EnqueueRes
  if (!session.userId) return { error: 'Niet ingelogd' }
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }

+  const limited = enforceUserRateLimit('enqueue-job', session.userId)
+  if (limited) return { error: limited.error }
+
  if (!taskId) return { error: 'task_id is verplicht' }

  // Resolve task + product access in one query
@ -225,6 +229,9 @@ export async function enqueueClaudeJobsBatchAction(
  if (!session.userId) return { error: 'Niet ingelogd' }
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }

+  const limited = enforceUserRateLimit('enqueue-job', session.userId)
+  if (limited) return { error: limited.error }
+
  if (!productId) return { error: 'product_id is verplicht' }
  if (!taskIds.length) return { success: true, count: 0 }

--- a/actions/pbis.ts
+++ b/actions/pbis.ts
@ -10,6 +10,7 @@ import { isValidCode, normalizeCode } from '@/lib/code'
 import { createWithCodeRetry, generateNextPbiCode } from '@/lib/code-server'
 import { pbiStatusFromApi } from '@/lib/task-status'
 import { createPbiSchema, updatePbiSchema } from '@/lib/schemas/pbi'
+import { enforceUserRateLimit } from '@/lib/rate-limit'

 async function getSession() {
  return getIronSession<SessionData>(await cookies(), sessionOptions)
@ -22,6 +23,9 @@ export async function createPbiAction(_prevState: unknown, formData: FormData) {
  if (!session.userId) return { error: 'Niet ingelogd', code: 403 }
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus', code: 403 }

+  const limited = enforceUserRateLimit('create-pbi', session.userId)
+  if (limited) return limited
+
  const parsed = createPbiSchema.safeParse({
    productId: formData.get('productId'),
    code: (formData.get('code') as string) || undefined,
--- a/actions/products.ts
+++ b/actions/products.ts
@ -11,6 +11,7 @@ import { Role } from '@prisma/client'
 import { isValidCode, MAX_CODE_LENGTH, normalizeCode } from '@/lib/code'
 import { productAccessFilter } from '@/lib/product-access'
 import { productSchema as productInput, type ProductInput } from '@/lib/schemas/product'
+import { enforceUserRateLimit } from '@/lib/rate-limit'

 // Legacy FormData schema for ProductForm components (other constraints than dialog)
 const productFormDataSchema = z.object({
@ -49,6 +50,9 @@ export async function createProductAction(data: ProductInput): Promise<ProductAc
  if (!session.userId) return { error: 'Niet ingelogd', code: 403 }
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus', code: 403 }

+  const limited = enforceUserRateLimit('create-product', session.userId)
+  if (limited) return limited
+
  const parsed = productInput.safeParse(data)
  if (!parsed.success) {
    return {
@ -159,6 +163,9 @@ export async function createProductFormAction(_prevState: unknown, formData: For
  if (!session.userId) return { error: 'Niet ingelogd' }
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }

+  const limited = enforceUserRateLimit('create-product', session.userId)
+  if (limited) return limited
+
  const parsed = productFormDataSchema.safeParse({
    name: formData.get('name'),
    code: (formData.get('code') as string) || undefined,
--- a/actions/questions.ts
+++ b/actions/questions.ts
@ -16,6 +16,7 @@ import { prisma } from '@/lib/prisma'
 import { getSession } from '@/lib/auth'
 import { productAccessFilter } from '@/lib/product-access'
 import { answerQuestionSchema } from '@/lib/schemas/question-answer'
+import { enforceUserRateLimit } from '@/lib/rate-limit'

 type ActionResult = { ok: true } | { ok: false; error: string }

@ -27,6 +28,9 @@ export async function answerQuestion(
  if (!session.userId) return { ok: false, error: 'Niet ingelogd' }
  if (session.isDemo) return { ok: false, error: 'Niet beschikbaar in demo-modus' }

+  const limited = enforceUserRateLimit('answer-question', session.userId)
+  if (limited) return { ok: false, error: limited.error }
+
  const parsed = answerQuestionSchema.safeParse({ questionId, answer })
  if (!parsed.success) {
    const first = parsed.error.issues[0]?.message ?? 'Ongeldige invoer'
--- a/actions/sprints.ts
+++ b/actions/sprints.ts
@ -11,6 +11,7 @@ import {
  updateSprintDatesSchema,
  updateSprintGoalSchema,
 } from '@/lib/schemas/sprint'
+import { enforceUserRateLimit } from '@/lib/rate-limit'

 async function getSession() {
  return getIronSession<SessionData>(await cookies(), sessionOptions)
@ -27,6 +28,9 @@ export async function createSprintAction(_prevState: unknown, formData: FormData
  if (!session.userId) return { error: 'Niet ingelogd', code: 403 }
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus', code: 403 }

+  const limited = enforceUserRateLimit('create-sprint', session.userId)
+  if (limited) return limited
+
  const parsed = createSprintSchema.safeParse({
    productId: formData.get('productId'),
    sprint_goal: formData.get('sprint_goal'),
--- a/actions/stories.ts
+++ b/actions/stories.ts
@ -10,6 +10,7 @@ import { requireProductWriter } from '@/lib/auth'
 import { isValidCode, normalizeCode } from '@/lib/code'
 import { createWithCodeRetry, generateNextStoryCode } from '@/lib/code-server'
 import { createStorySchema, updateStorySchema } from '@/lib/schemas/story'
+import { enforceUserRateLimit } from '@/lib/rate-limit'

 async function getSession() {
  return getIronSession<SessionData>(await cookies(), sessionOptions)
@ -33,6 +34,9 @@ export async function createStoryAction(_prevState: unknown, formData: FormData)
  if (!session.userId) return { error: 'Niet ingelogd', code: 403 }
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus', code: 403 }

+  const limited = enforceUserRateLimit('create-story', session.userId)
+  if (limited) return limited
+
  const parsed = createStorySchema.safeParse({
    pbiId: formData.get('pbiId'),
    productId: formData.get('productId'),
--- a/actions/tasks.ts
+++ b/actions/tasks.ts
@ -12,6 +12,7 @@ import { taskSchema as sharedTaskSchema, type TaskInput } from '@/lib/schemas/ta
 import { updateTaskStatusWithStoryPromotion } from '@/lib/tasks-status-update'
 import { normalizeCode } from '@/lib/code'
 import { createWithCodeRetry, generateNextTaskCode, isCodeUniqueConflict } from '@/lib/code-server'
+import { enforceUserRateLimit } from '@/lib/rate-limit'

 async function getSession() {
  return getIronSession<SessionData>(await cookies(), sessionOptions)
@ -22,6 +23,7 @@ export type SaveTaskResult =
  | { ok: true; task: { id: string; title: string; status: string } }
  | { ok: false; code: 422; error: 'validation'; fieldErrors: Record<string, string[]> }
  | { ok: false; code: 403; error: 'demo_readonly' | 'forbidden' }
+  | { ok: false; code: 429; error: 'rate_limited' }
  | { ok: false; code: 500; error: 'server_error' }

 export type DeleteTaskResult =
@ -39,6 +41,12 @@ export async function saveTask(
  if (!session.userId) return { ok: false, code: 403, error: 'forbidden' }
  if (session.isDemo) return { ok: false, code: 403, error: 'demo_readonly' }

+  // Rate-limit alleen op create-path; edits zijn laag-volume.
+  if (!context.taskId) {
+    const limited = enforceUserRateLimit('create-task', session.userId)
+    if (limited) return { ok: false, code: 429, error: 'rate_limited' }
+  }
+
  const parsed = sharedTaskSchema.safeParse(input)
  if (!parsed.success) {
    return {
@ -181,6 +189,9 @@ export async function createTaskAction(_prevState: unknown, formData: FormData)
  if (!session.userId) return { error: 'Niet ingelogd' }
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }

+  const limited = enforceUserRateLimit('create-task', session.userId)
+  if (limited) return limited
+
  const storyId = formData.get('storyId') as string
  const sprintId = formData.get('sprintId') as string

--- a/actions/todos.ts
+++ b/actions/todos.ts
@ -8,6 +8,7 @@ import { prisma } from '@/lib/prisma'
 import { SessionData, sessionOptions } from '@/lib/session'
 import { productAccessFilter } from '@/lib/product-access'
 import { generateNextPbiCode, generateNextStoryCode } from '@/lib/code-server'
+import { enforceUserRateLimit } from '@/lib/rate-limit'

 async function getSession() {
  return getIronSession<SessionData>(await cookies(), sessionOptions)
@ -18,6 +19,9 @@ export async function createTodoAction(_prevState: unknown, formData: FormData)
  if (!session.userId) return { error: 'Niet ingelogd' }
  if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }

+  const limited = enforceUserRateLimit('create-todo', session.userId)
+  if (limited) return limited
+
  const title = (formData.get('title') as string)?.trim()
  const description = (formData.get('description') as string)?.trim() || null
  const raw = (formData.get('productId') as string)?.trim()