janpeter/Scrum4Me
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Scrum4Me/actions/api-tokens.ts
Madhura68 a0a10001d5 feat(rate-limit): per-user mutation-rate-limiting (v1-readiness #3) 
lib/rate-limit.ts: 11 nieuwe scope-configs + enforceUserRateLimit(scope, userId)
helper. Returnt { error, code: 429 } shape voor consistent foutbeleid.

Toegepast op de high-value mutation-paths:
- actions/pbis.ts createPbiAction
- actions/stories.ts createStoryAction
- actions/tasks.ts saveTask (alleen create-path) + createTaskAction
- actions/todos.ts createTodoAction
- actions/sprints.ts createSprintAction
- actions/products.ts createProductAction + createProductFormAction
- actions/api-tokens.ts createApiTokenAction
- actions/questions.ts answerQuestion
- actions/claude-jobs.ts enqueueClaudeJobAction + enqueueClaudeJobsBatchAction
- app/api/profile/avatar/route.ts POST
- app/api/stories/[id]/log/route.ts POST

Limits zijn ruim genoeg voor normaal gebruik, eng genoeg voor abuse-loops:
create-task 100/min, create-todo 60/min, create-pbi 30/min, create-product
5/min, create-token 10/uur, etc. Per-user scope (geen globale block).

Niet aangeraakt: reorder/status-toggle (intra-session frequent, lage abuse),
update/delete (laag-volume), cron-routes (CRON_SECRET-gated).

Consumer-tweaks: 'success' in result narrowing waar TS de bredere union niet
meer accepteerde. Tests: 9 nieuwe op rate-limit-helper.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-04 13:48:59 +02:00

64 lines
2 KiB
TypeScript
Raw Blame History

'use server'
import { revalidatePath } from 'next/cache'
import { cookies } from 'next/headers'
import { getIronSession } from 'iron-session'
import { createHash, randomBytes } from 'crypto'
import { prisma } from '@/lib/prisma'
import { SessionData, sessionOptions } from '@/lib/session'
import { enforceUserRateLimit } from '@/lib/rate-limit'
async function getSession() {
return getIronSession<SessionData>(await cookies(), sessionOptions)
}
export async function createApiTokenAction(_prevState: unknown, formData: FormData) {
const session = await getSession()
if (!session.userId) return { error: 'Niet ingelogd' }
if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
const limited = enforceUserRateLimit('create-token', session.userId)
if (limited) return limited
const label = (formData.get('label') as string | null)?.trim() || null
// Max 10 active tokens
const activeCount = await prisma.apiToken.count({
where: { user_id: session.userId, revoked_at: null },
})
if (activeCount >= 10) return { error: 'Maximaal 10 actieve tokens toegestaan' }
const rawToken = randomBytes(32).toString('hex')
const tokenHash = createHash('sha256').update(rawToken).digest('hex')
await prisma.apiToken.create({
data: {
user_id: session.userId,
token_hash: tokenHash,
label,
},
})
revalidatePath('/settings/tokens')
// Return the raw token once — it won't be retrievable later
return { success: true, token: rawToken }
}
export async function revokeApiTokenAction(id: string) {
const session = await getSession()
if (!session.userId) return { error: 'Niet ingelogd' }
if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
const token = await prisma.apiToken.findFirst({
where: { id, user_id: session.userId },
})
if (!token) return { error: 'Token niet gevonden' }
await prisma.apiToken.update({
where: { id },
data: { revoked_at: new Date() },
})
revalidatePath('/settings/tokens')
return { success: true }
}
Reference in a new issue View git blame Copy permalink