feat(rate-limit): per-user mutation-rate-limiting (v1-readiness #3)
lib/rate-limit.ts: 11 nieuwe scope-configs + enforceUserRateLimit(scope, userId)
helper. Returnt { error, code: 429 } shape voor consistent foutbeleid.
Toegepast op de high-value mutation-paths:
- actions/pbis.ts createPbiAction
- actions/stories.ts createStoryAction
- actions/tasks.ts saveTask (alleen create-path) + createTaskAction
- actions/todos.ts createTodoAction
- actions/sprints.ts createSprintAction
- actions/products.ts createProductAction + createProductFormAction
- actions/api-tokens.ts createApiTokenAction
- actions/questions.ts answerQuestion
- actions/claude-jobs.ts enqueueClaudeJobAction + enqueueClaudeJobsBatchAction
- app/api/profile/avatar/route.ts POST
- app/api/stories/[id]/log/route.ts POST
Limits zijn ruim genoeg voor normaal gebruik, eng genoeg voor abuse-loops:
create-task 100/min, create-todo 60/min, create-pbi 30/min, create-product
5/min, create-token 10/uur, etc. Per-user scope (geen globale block).
Niet aangeraakt: reorder/status-toggle (intra-session frequent, lage abuse),
update/delete (laag-volume), cron-routes (CRON_SECRET-gated).
Consumer-tweaks: 'success' in result narrowing waar TS de bredere union niet
meer accepteerde. Tests: 9 nieuwe op rate-limit-helper.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
43778e3bcb
commit
a0a10001d5
16 changed files with 175 additions and 13 deletions
|
|
@ -12,6 +12,7 @@ import { taskSchema as sharedTaskSchema, type TaskInput } from '@/lib/schemas/ta
|
|||
import { updateTaskStatusWithStoryPromotion } from '@/lib/tasks-status-update'
|
||||
import { normalizeCode } from '@/lib/code'
|
||||
import { createWithCodeRetry, generateNextTaskCode, isCodeUniqueConflict } from '@/lib/code-server'
|
||||
import { enforceUserRateLimit } from '@/lib/rate-limit'
|
||||
|
||||
async function getSession() {
|
||||
return getIronSession<SessionData>(await cookies(), sessionOptions)
|
||||
|
|
@ -22,6 +23,7 @@ export type SaveTaskResult =
|
|||
| { ok: true; task: { id: string; title: string; status: string } }
|
||||
| { ok: false; code: 422; error: 'validation'; fieldErrors: Record<string, string[]> }
|
||||
| { ok: false; code: 403; error: 'demo_readonly' | 'forbidden' }
|
||||
| { ok: false; code: 429; error: 'rate_limited' }
|
||||
| { ok: false; code: 500; error: 'server_error' }
|
||||
|
||||
export type DeleteTaskResult =
|
||||
|
|
@ -39,6 +41,12 @@ export async function saveTask(
|
|||
if (!session.userId) return { ok: false, code: 403, error: 'forbidden' }
|
||||
if (session.isDemo) return { ok: false, code: 403, error: 'demo_readonly' }
|
||||
|
||||
// Rate-limit alleen op create-path; edits zijn laag-volume.
|
||||
if (!context.taskId) {
|
||||
const limited = enforceUserRateLimit('create-task', session.userId)
|
||||
if (limited) return { ok: false, code: 429, error: 'rate_limited' }
|
||||
}
|
||||
|
||||
const parsed = sharedTaskSchema.safeParse(input)
|
||||
if (!parsed.success) {
|
||||
return {
|
||||
|
|
@ -181,6 +189,9 @@ export async function createTaskAction(_prevState: unknown, formData: FormData)
|
|||
if (!session.userId) return { error: 'Niet ingelogd' }
|
||||
if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
|
||||
|
||||
const limited = enforceUserRateLimit('create-task', session.userId)
|
||||
if (limited) return limited
|
||||
|
||||
const storyId = formData.get('storyId') as string
|
||||
const sprintId = formData.get('sprintId') as string
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue