janpeter/Scrum4Me
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(rate-limit): per-user mutation-rate-limiting (v1-readiness #3)

Browse source 
lib/rate-limit.ts: 11 nieuwe scope-configs + enforceUserRateLimit(scope, userId)
helper. Returnt { error, code: 429 } shape voor consistent foutbeleid.

Toegepast op de high-value mutation-paths:
- actions/pbis.ts createPbiAction
- actions/stories.ts createStoryAction
- actions/tasks.ts saveTask (alleen create-path) + createTaskAction
- actions/todos.ts createTodoAction
- actions/sprints.ts createSprintAction
- actions/products.ts createProductAction + createProductFormAction
- actions/api-tokens.ts createApiTokenAction
- actions/questions.ts answerQuestion
- actions/claude-jobs.ts enqueueClaudeJobAction + enqueueClaudeJobsBatchAction
- app/api/profile/avatar/route.ts POST
- app/api/stories/[id]/log/route.ts POST

Limits zijn ruim genoeg voor normaal gebruik, eng genoeg voor abuse-loops:
create-task 100/min, create-todo 60/min, create-pbi 30/min, create-product
5/min, create-token 10/uur, etc. Per-user scope (geen globale block).

Niet aangeraakt: reorder/status-toggle (intra-session frequent, lage abuse),
update/delete (laag-volume), cron-routes (CRON_SECRET-gated).

Consumer-tweaks: 'success' in result narrowing waar TS de bredere union niet
meer accepteerde. Tests: 9 nieuwe op rate-limit-helper.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Janpeter Visser 2026-05-04 13:48:59 +02:00
parent 43778e3bcb
commit a0a10001d5
16 changed files with 175 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

4
actions/questions.ts
View file

@ -16,6 +16,7 @@ import { prisma } from '@/lib/prisma'
import { getSession } from '@/lib/auth'
import { productAccessFilter } from '@/lib/product-access'
import { answerQuestionSchema } from '@/lib/schemas/question-answer'
import { enforceUserRateLimit } from '@/lib/rate-limit'
type ActionResult = { ok: true } | { ok: false; error: string }
@ -27,6 +28,9 @@ export async function answerQuestion(
if (!session.userId) return { ok: false, error: 'Niet ingelogd' }
if (session.isDemo) return { ok: false, error: 'Niet beschikbaar in demo-modus' }
const limited = enforceUserRateLimit('answer-question', session.userId)
if (limited) return { ok: false, error: limited.error }
const parsed = answerQuestionSchema.safeParse({ questionId, answer })
if (!parsed.success) {
const first = parsed.error.issues[0]?.message ?? 'Ongeldige invoer'