janpeter/Scrum4Me
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(rate-limit): per-user mutation-rate-limiting (v1-readiness #3)

Browse source 
lib/rate-limit.ts: 11 nieuwe scope-configs + enforceUserRateLimit(scope, userId)
helper. Returnt { error, code: 429 } shape voor consistent foutbeleid.

Toegepast op de high-value mutation-paths:
- actions/pbis.ts createPbiAction
- actions/stories.ts createStoryAction
- actions/tasks.ts saveTask (alleen create-path) + createTaskAction
- actions/todos.ts createTodoAction
- actions/sprints.ts createSprintAction
- actions/products.ts createProductAction + createProductFormAction
- actions/api-tokens.ts createApiTokenAction
- actions/questions.ts answerQuestion
- actions/claude-jobs.ts enqueueClaudeJobAction + enqueueClaudeJobsBatchAction
- app/api/profile/avatar/route.ts POST
- app/api/stories/[id]/log/route.ts POST

Limits zijn ruim genoeg voor normaal gebruik, eng genoeg voor abuse-loops:
create-task 100/min, create-todo 60/min, create-pbi 30/min, create-product
5/min, create-token 10/uur, etc. Per-user scope (geen globale block).

Niet aangeraakt: reorder/status-toggle (intra-session frequent, lage abuse),
update/delete (laag-volume), cron-routes (CRON_SECRET-gated).

Consumer-tweaks: 'success' in result narrowing waar TS de bredere union niet
meer accepteerde. Tests: 9 nieuwe op rate-limit-helper.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Janpeter Visser 2026-05-04 13:48:59 +02:00
parent 43778e3bcb
commit a0a10001d5
16 changed files with 175 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

17
docs/plans/v1-readiness.md
View file

@ -21,6 +21,8 @@ De kernfunctionaliteit (auth, producten, PBI/story/task-hiërarchie, sprints, so
## What's already done
- **#3 Rate-limiting op alle mutation-endpoints** — `enforceUserRateLimit(scope, userId)` helper in `lib/rate-limit.ts` met 11 nieuwe scopes; toegepast op create-actions (PBI/Story/Task/Todo/Sprint/Product/Token), enqueueClaudeJob(s), answerQuestion, en API-routes (story log POST, avatar upload). Limits zijn ruim genoeg voor normaal gebruik, eng genoeg om abuse-loops te stoppen
- **#2 Sentry error-monitoring** — `@sentry/nextjs` geconfigureerd via PR [#85](https://github.com/madhura68/Scrum4Me/pull/85); SDK is no-op zonder DSN, activatie via Vercel env-vars
- **#1 Edit-icoon op Product** (todo `cmoq3ox51`) — pencil-icoon op dashboard-card via PR [#83](https://github.com/madhura68/Scrum4Me/pull/83); product-detail-header behoudt tekst
- v0.9.0 ([release](https://github.com/madhura68/Scrum4Me/releases/tag/v0.9.0)): mobile-shell met landscape-lock (PBI-11, 7 stories, 21 tasks)
- v0.4.0 t/m v0.8.x: ondermeer sprint-screen filter-popover + edit-iconen, PBI/story/task edit-icons, code-velden verplicht, demo read-only, M11 Claude-vragen-kanaal, M10 QR-pairing
@ -49,14 +51,9 @@ Concreet:
- Sample-rate conservatief (10% performance, 100% errors) — Hobby-plan-vriendelijk
- Bevestig dat Postgres-LISTEN/NOTIFY-fouten in worker-routes (`/api/realtime/*`) gevangen worden
### 3. Rate-limiting op alle mutation-endpoints
### 3. ~~Rate-limiting op alle mutation-endpoints~~ ✅ klaar
Nu enkel op `loginAction` en `/api/auth/pair/start` (zie [`actions/auth.ts`](../../actions/auth.ts) en [`app/api/auth/pair/start/route.ts`](../../app/api/auth/pair/start/route.ts)). Voor v1 met externe MCP-integratie is breder coverage nodig.
Concreet:
- Inventariseer alle Server Actions + API-routes die schrijven (Prisma `create/update/delete/upsert`)
- Wikkel `checkRateLimit` per gebruiker (al beschikbaar in [`lib/rate-limit.ts`](../../lib/rate-limit.ts)) om de zware ones — task-create, story-create, claude-question-create, todo-create
- Per-IP fallback voor anonymous-paths
Verschoven naar *What's already done*. Helper `enforceUserRateLimit(scope, userId)` in `lib/rate-limit.ts` toegepast op alle high-value create-paths.
### 4. Accessibility audit op happy-path
@ -125,9 +122,9 @@ Bewust uit scope voor v1 (uit functional spec § Expliciet buiten scope) — of
## Priority order (quick reference)
```
Now: 1. Edit-icoon op Product (UI-gat)
2. Sentry/error-monitoring
3. Rate-limiting op mutation-endpoints
Now: ~~1. Edit-icoon op Product~~
~~2. Sentry/error-monitoring~~ ✅
~~3. Rate-limiting op mutation-endpoints~~ ✅
4. Accessibility-audit (Lighthouse a11y ≥95)
Next: 5. Backlog-index.md sync