Madhura68
a0a10001d5
lib/rate-limit.ts: 11 nieuwe scope-configs + enforceUserRateLimit(scope, userId)
helper. Returnt { error, code: 429 } shape voor consistent foutbeleid.
Toegepast op de high-value mutation-paths:
- actions/pbis.ts createPbiAction
- actions/stories.ts createStoryAction
- actions/tasks.ts saveTask (alleen create-path) + createTaskAction
- actions/todos.ts createTodoAction
- actions/sprints.ts createSprintAction
- actions/products.ts createProductAction + createProductFormAction
- actions/api-tokens.ts createApiTokenAction
- actions/questions.ts answerQuestion
- actions/claude-jobs.ts enqueueClaudeJobAction + enqueueClaudeJobsBatchAction
- app/api/profile/avatar/route.ts POST
- app/api/stories/[id]/log/route.ts POST
Limits zijn ruim genoeg voor normaal gebruik, eng genoeg voor abuse-loops:
create-task 100/min, create-todo 60/min, create-pbi 30/min, create-product
5/min, create-token 10/uur, etc. Per-user scope (geen globale block).
Niet aangeraakt: reorder/status-toggle (intra-session frequent, lage abuse),
update/delete (laag-volume), cron-routes (CRON_SECRET-gated).
Consumer-tweaks: 'success' in result narrowing waar TS de bredere union niet
meer accepteerde. Tests: 9 nieuwe op rate-limit-helper.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
397 lines
14 KiB
TypeScript
397 lines
14 KiB
TypeScript
'use server'
|
|
|
|
import { revalidatePath } from 'next/cache'
|
|
import { redirect } from 'next/navigation'
|
|
import { cookies } from 'next/headers'
|
|
import { getIronSession } from 'iron-session'
|
|
import { z } from 'zod'
|
|
import { prisma } from '@/lib/prisma'
|
|
import { SessionData, sessionOptions } from '@/lib/session'
|
|
import { Role } from '@prisma/client'
|
|
import { isValidCode, MAX_CODE_LENGTH, normalizeCode } from '@/lib/code'
|
|
import { productAccessFilter } from '@/lib/product-access'
|
|
import { productSchema as productInput, type ProductInput } from '@/lib/schemas/product'
|
|
import { enforceUserRateLimit } from '@/lib/rate-limit'
|
|
|
|
// Legacy FormData schema for ProductForm components (other constraints than dialog)
|
|
const productFormDataSchema = z.object({
|
|
name: z.string().min(1, 'Naam is verplicht').max(100, 'Naam mag maximaal 100 tekens bevatten'),
|
|
code: z
|
|
.string()
|
|
.max(MAX_CODE_LENGTH, `Code mag maximaal ${MAX_CODE_LENGTH} tekens bevatten`)
|
|
.optional(),
|
|
description: z.string().max(1000, 'Beschrijving mag maximaal 1000 tekens bevatten').optional(),
|
|
repo_url: z
|
|
.string()
|
|
.url('Voer een geldige URL in (inclusief https://)')
|
|
.optional()
|
|
.or(z.literal('')),
|
|
definition_of_done: z
|
|
.string()
|
|
.min(1, 'Definition of Done is verplicht')
|
|
.max(500, 'Definition of Done mag maximaal 500 tekens bevatten'),
|
|
})
|
|
|
|
type ProductFieldErrors = Partial<Record<keyof ProductInput, string[]>>
|
|
type ProductActionResult =
|
|
| { success: true; productId: string }
|
|
| { error: string; code?: number; fieldErrors?: ProductFieldErrors }
|
|
type UpdateProductResult =
|
|
| { success: true }
|
|
| { error: string; code?: number; fieldErrors?: ProductFieldErrors }
|
|
|
|
async function getSession() {
|
|
return getIronSession<SessionData>(await cookies(), sessionOptions)
|
|
}
|
|
|
|
// Data-object API used by ProductDialog
|
|
export async function createProductAction(data: ProductInput): Promise<ProductActionResult> {
|
|
const session = await getSession()
|
|
if (!session.userId) return { error: 'Niet ingelogd', code: 403 }
|
|
if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus', code: 403 }
|
|
|
|
const limited = enforceUserRateLimit('create-product', session.userId)
|
|
if (limited) return limited
|
|
|
|
const parsed = productInput.safeParse(data)
|
|
if (!parsed.success) {
|
|
return {
|
|
error: 'Validatie mislukt',
|
|
code: 422,
|
|
fieldErrors: parsed.error.flatten().fieldErrors as ProductFieldErrors,
|
|
}
|
|
}
|
|
|
|
const code = normalizeCode(parsed.data.code)
|
|
if (code !== null && !isValidCode(code)) {
|
|
return {
|
|
error: 'Validatie mislukt',
|
|
code: 422,
|
|
fieldErrors: { code: ['Alleen letters, cijfers, punten, koppeltekens of underscores'] },
|
|
}
|
|
}
|
|
|
|
if (code) {
|
|
const dup = await prisma.product.findFirst({ where: { user_id: session.userId, code } })
|
|
if (dup) return { error: 'Validatie mislukt', code: 422, fieldErrors: { code: ['Code is al in gebruik'] } }
|
|
}
|
|
|
|
const userId = session.userId
|
|
const product = await prisma.$transaction(async (tx) => {
|
|
const p = await tx.product.create({
|
|
data: {
|
|
user_id: userId,
|
|
name: parsed.data.name,
|
|
code: code ?? null,
|
|
description: parsed.data.description ?? null,
|
|
repo_url: parsed.data.repo_url ?? null,
|
|
definition_of_done: parsed.data.definition_of_done ?? '',
|
|
auto_pr: parsed.data.auto_pr,
|
|
},
|
|
})
|
|
await tx.productMember.create({ data: { product_id: p.id, user_id: userId } })
|
|
return p
|
|
})
|
|
|
|
revalidatePath('/products')
|
|
revalidatePath('/dashboard')
|
|
return { success: true, productId: product.id }
|
|
}
|
|
|
|
// Data-object API used by ProductDialog
|
|
export async function updateProductAction(id: string, data: ProductInput): Promise<UpdateProductResult> {
|
|
const session = await getSession()
|
|
if (!session.userId) return { error: 'Niet ingelogd', code: 403 }
|
|
if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus', code: 403 }
|
|
|
|
const parsed = productInput.safeParse(data)
|
|
if (!parsed.success) {
|
|
return {
|
|
error: 'Validatie mislukt',
|
|
code: 422,
|
|
fieldErrors: parsed.error.flatten().fieldErrors as ProductFieldErrors,
|
|
}
|
|
}
|
|
|
|
const product = await prisma.product.findFirst({
|
|
where: { id, ...productAccessFilter(session.userId) },
|
|
select: { id: true },
|
|
})
|
|
if (!product) return { error: 'Product niet gevonden of geen toegang', code: 403 }
|
|
|
|
const code = normalizeCode(parsed.data.code)
|
|
if (code !== null && !isValidCode(code)) {
|
|
return {
|
|
error: 'Validatie mislukt',
|
|
code: 422,
|
|
fieldErrors: { code: ['Alleen letters, cijfers, punten, koppeltekens of underscores'] },
|
|
}
|
|
}
|
|
|
|
const userId = session.userId
|
|
|
|
await prisma.product.update({
|
|
where: { id },
|
|
data: {
|
|
name: parsed.data.name,
|
|
code: code ?? null,
|
|
description: parsed.data.description ?? null,
|
|
repo_url: parsed.data.repo_url ?? null,
|
|
...(parsed.data.definition_of_done !== undefined && {
|
|
definition_of_done: parsed.data.definition_of_done,
|
|
}),
|
|
auto_pr: parsed.data.auto_pr,
|
|
},
|
|
})
|
|
|
|
await prisma.$executeRaw`
|
|
SELECT pg_notify('scrum4me_changes', ${JSON.stringify({
|
|
type: 'product_updated',
|
|
product_id: id,
|
|
user_id: userId,
|
|
})}::text)
|
|
`
|
|
|
|
revalidatePath(`/products/${id}`)
|
|
revalidatePath('/dashboard')
|
|
return { success: true }
|
|
}
|
|
|
|
// FormData-based actions for existing ProductForm components
|
|
export async function createProductFormAction(_prevState: unknown, formData: FormData) {
|
|
const session = await getSession()
|
|
if (!session.userId) return { error: 'Niet ingelogd' }
|
|
if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
|
|
|
|
const limited = enforceUserRateLimit('create-product', session.userId)
|
|
if (limited) return limited
|
|
|
|
const parsed = productFormDataSchema.safeParse({
|
|
name: formData.get('name'),
|
|
code: (formData.get('code') as string) || undefined,
|
|
description: formData.get('description') || undefined,
|
|
repo_url: formData.get('repo_url') || undefined,
|
|
definition_of_done: formData.get('definition_of_done'),
|
|
})
|
|
|
|
if (!parsed.success) {
|
|
return { error: parsed.error.flatten().fieldErrors }
|
|
}
|
|
|
|
const code = normalizeCode(parsed.data.code)
|
|
if (code !== null && !isValidCode(code)) {
|
|
return { error: { code: ['Code mag alleen letters, cijfers, punten, koppeltekens of underscores bevatten'] } }
|
|
}
|
|
|
|
const existing = await prisma.product.findFirst({
|
|
where: { user_id: session.userId, name: parsed.data.name },
|
|
})
|
|
if (existing) return { error: { name: ['Een product met deze naam bestaat al'] } }
|
|
|
|
if (code) {
|
|
const dup = await prisma.product.findFirst({ where: { user_id: session.userId, code } })
|
|
if (dup) return { error: { code: ['Deze code is al in gebruik'] } }
|
|
}
|
|
|
|
const product = await prisma.product.create({
|
|
data: {
|
|
user_id: session.userId,
|
|
name: parsed.data.name,
|
|
code,
|
|
description: parsed.data.description ?? null,
|
|
repo_url: parsed.data.repo_url || null,
|
|
definition_of_done: parsed.data.definition_of_done,
|
|
},
|
|
})
|
|
|
|
redirect(`/products/${product.id}`)
|
|
}
|
|
|
|
export async function updateProductFormAction(_prevState: unknown, formData: FormData) {
|
|
const session = await getSession()
|
|
if (!session.userId) return { error: 'Niet ingelogd' }
|
|
if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
|
|
|
|
const id = formData.get('id') as string
|
|
if (!id) return { error: 'Product niet gevonden' }
|
|
|
|
const parsed = productFormDataSchema.safeParse({
|
|
name: formData.get('name'),
|
|
code: (formData.get('code') as string) || undefined,
|
|
description: formData.get('description') || undefined,
|
|
repo_url: formData.get('repo_url') || undefined,
|
|
definition_of_done: formData.get('definition_of_done'),
|
|
})
|
|
|
|
if (!parsed.success) {
|
|
return { error: parsed.error.flatten().fieldErrors }
|
|
}
|
|
|
|
const code = normalizeCode(parsed.data.code)
|
|
if (code !== null && !isValidCode(code)) {
|
|
return { error: { code: ['Code mag alleen letters, cijfers, punten, koppeltekens of underscores bevatten'] } }
|
|
}
|
|
|
|
// Verify ownership
|
|
const product = await prisma.product.findFirst({
|
|
where: { id, user_id: session.userId },
|
|
})
|
|
if (!product) return { error: 'Product niet gevonden' }
|
|
|
|
// Check unique name (excluding self)
|
|
const duplicate = await prisma.product.findFirst({
|
|
where: { user_id: session.userId, name: parsed.data.name, NOT: { id } },
|
|
})
|
|
if (duplicate) return { error: { name: ['Een product met deze naam bestaat al'] } }
|
|
|
|
if (code) {
|
|
const dupCode = await prisma.product.findFirst({
|
|
where: { user_id: session.userId, code, NOT: { id } },
|
|
})
|
|
if (dupCode) return { error: { code: ['Deze code is al in gebruik'] } }
|
|
}
|
|
|
|
await prisma.product.update({
|
|
where: { id },
|
|
data: {
|
|
name: parsed.data.name,
|
|
code,
|
|
description: parsed.data.description ?? null,
|
|
repo_url: parsed.data.repo_url || null,
|
|
definition_of_done: parsed.data.definition_of_done,
|
|
},
|
|
})
|
|
|
|
revalidatePath(`/products/${id}`)
|
|
revalidatePath('/dashboard')
|
|
return { success: true }
|
|
}
|
|
|
|
export async function archiveProductAction(id: string) {
|
|
const session = await getSession()
|
|
if (!session.userId) return { error: 'Niet ingelogd' }
|
|
if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
|
|
|
|
const product = await prisma.product.findFirst({
|
|
where: { id, user_id: session.userId },
|
|
})
|
|
if (!product) return { error: 'Product niet gevonden' }
|
|
|
|
await prisma.$transaction([
|
|
// Clear active_product_id for all users who had this product active
|
|
prisma.user.updateMany({
|
|
where: { active_product_id: id },
|
|
data: { active_product_id: null },
|
|
}),
|
|
prisma.product.update({ where: { id }, data: { archived: true } }),
|
|
])
|
|
|
|
revalidatePath('/', 'layout')
|
|
redirect('/dashboard')
|
|
}
|
|
|
|
export async function restoreProductAction(id: string) {
|
|
const session = await getSession()
|
|
if (!session.userId) return { error: 'Niet ingelogd' }
|
|
if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
|
|
|
|
const product = await prisma.product.findFirst({
|
|
where: { id, user_id: session.userId },
|
|
})
|
|
if (!product) return { error: 'Product niet gevonden' }
|
|
|
|
await prisma.product.update({ where: { id }, data: { archived: false } })
|
|
|
|
revalidatePath('/dashboard')
|
|
return { success: true }
|
|
}
|
|
|
|
export async function addProductMemberAction(_prevState: unknown, formData: FormData) {
|
|
const session = await getSession()
|
|
if (!session.userId) return { error: 'Niet ingelogd' }
|
|
if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
|
|
|
|
const productId = formData.get('productId') as string
|
|
const username = (formData.get('username') as string)?.trim().toLowerCase()
|
|
|
|
if (!username) return { error: 'Gebruikersnaam is verplicht' }
|
|
|
|
const product = await prisma.product.findFirst({ where: { id: productId, user_id: session.userId } })
|
|
if (!product) return { error: 'Product niet gevonden of geen eigenaar' }
|
|
|
|
const targetUser = await prisma.user.findUnique({
|
|
where: { username },
|
|
include: { roles: true },
|
|
})
|
|
if (!targetUser) return { error: 'Gebruiker niet gevonden' }
|
|
if (targetUser.is_demo) return { error: 'Demo-gebruiker kan niet worden toegevoegd' }
|
|
if (targetUser.id === session.userId) return { error: 'Je bent al eigenaar van dit product' }
|
|
|
|
const hasDeveloperRole = targetUser.roles.some(r => r.role === Role.DEVELOPER)
|
|
if (!hasDeveloperRole) return { error: `Gebruiker "${username}" heeft geen Developer-rol` }
|
|
|
|
const existing = await prisma.productMember.findUnique({
|
|
where: { product_id_user_id: { product_id: productId, user_id: targetUser.id } },
|
|
})
|
|
if (existing) return { error: 'Gebruiker is al lid van dit product' }
|
|
|
|
await prisma.productMember.create({
|
|
data: { product_id: productId, user_id: targetUser.id },
|
|
})
|
|
|
|
revalidatePath(`/products/${productId}/settings`)
|
|
return { success: true }
|
|
}
|
|
|
|
export async function removeProductMemberAction(productId: string, memberId: string) {
|
|
const session = await getSession()
|
|
if (!session.userId) return { error: 'Niet ingelogd' }
|
|
if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
|
|
|
|
const product = await prisma.product.findFirst({ where: { id: productId, user_id: session.userId } })
|
|
if (!product) return { error: 'Product niet gevonden of geen eigenaar' }
|
|
|
|
await prisma.$transaction([
|
|
prisma.user.updateMany({
|
|
where: { id: memberId, active_product_id: productId },
|
|
data: { active_product_id: null },
|
|
}),
|
|
prisma.productMember.deleteMany({ where: { product_id: productId, user_id: memberId } }),
|
|
])
|
|
|
|
revalidatePath(`/products/${productId}/settings`)
|
|
return { success: true }
|
|
}
|
|
|
|
export async function leaveProductAction(productId: string) {
|
|
const session = await getSession()
|
|
if (!session.userId) return { error: 'Niet ingelogd' }
|
|
|
|
await prisma.$transaction([
|
|
prisma.user.updateMany({
|
|
where: { id: session.userId, active_product_id: productId },
|
|
data: { active_product_id: null },
|
|
}),
|
|
prisma.productMember.deleteMany({ where: { product_id: productId, user_id: session.userId } }),
|
|
])
|
|
|
|
revalidatePath('/', 'layout')
|
|
revalidatePath('/settings')
|
|
return { success: true }
|
|
}
|
|
|
|
export async function updateAutoPrAction(id: string, auto_pr: boolean) {
|
|
const session = await getSession()
|
|
if (!session.userId) return { error: 'Niet ingelogd' }
|
|
if (session.isDemo) return { error: 'Niet beschikbaar in demo-modus' }
|
|
|
|
const parsed = z.object({ auto_pr: z.boolean() }).safeParse({ auto_pr })
|
|
if (!parsed.success) return { error: 'Ongeldige waarde voor auto_pr' }
|
|
|
|
const product = await prisma.product.findFirst({ where: { id, user_id: session.userId } })
|
|
if (!product) return { error: 'Product niet gevonden' }
|
|
|
|
await prisma.product.update({ where: { id }, data: { auto_pr: parsed.data.auto_pr } })
|
|
revalidatePath(`/products/${id}/settings`)
|
|
return { success: true }
|
|
}
|