fix(audit): rate-limit/DoS — M13 (bulk limiter on 6 routes), M14 (api limiter default in withAuth, fail-open), M15 (export-pdf payload bounds); L21 verified not-a-bug
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -2,7 +2,7 @@ import { NextResponse } from 'next/server';
|
||||
import { z } from 'zod';
|
||||
import { eq, and } from 'drizzle-orm';
|
||||
|
||||
import { withAuth } from '@/lib/api/helpers';
|
||||
import { withAuth, withRateLimit } from '@/lib/api/helpers';
|
||||
import { parseBody } from '@/lib/api/route-helpers';
|
||||
import { runBulk } from '@/lib/api/bulk-helpers';
|
||||
import { db } from '@/lib/db';
|
||||
@@ -33,44 +33,46 @@ const PERMISSION_BY_ACTION = {
|
||||
remove_tag: 'edit' as const,
|
||||
};
|
||||
|
||||
export const POST = withAuth(async (req, ctx) => {
|
||||
let body: z.infer<typeof bulkSchema>;
|
||||
try {
|
||||
body = await parseBody(req, bulkSchema);
|
||||
} catch (error) {
|
||||
return errorResponse(error);
|
||||
}
|
||||
|
||||
const allowed = ctx.isSuperAdmin
|
||||
? true
|
||||
: !!ctx.permissions?.yachts?.[PERMISSION_BY_ACTION[body.action]];
|
||||
if (!allowed) return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
|
||||
|
||||
const meta = {
|
||||
userId: ctx.userId,
|
||||
portId: ctx.portId,
|
||||
ipAddress: ctx.ipAddress,
|
||||
userAgent: ctx.userAgent,
|
||||
};
|
||||
|
||||
const { results, summary } = await runBulk(body.ids, async (id) => {
|
||||
if (body.action === 'archive') {
|
||||
await archiveYacht(id, ctx.portId, meta);
|
||||
return;
|
||||
export const POST = withAuth(
|
||||
withRateLimit('bulk', async (req, ctx) => {
|
||||
let body: z.infer<typeof bulkSchema>;
|
||||
try {
|
||||
body = await parseBody(req, bulkSchema);
|
||||
} catch (error) {
|
||||
return errorResponse(error);
|
||||
}
|
||||
const yacht = await db.query.yachts.findFirst({
|
||||
where: and(eq(yachts.id, id), eq(yachts.portId, ctx.portId)),
|
||||
});
|
||||
if (!yacht) throw new Error('Yacht not found');
|
||||
const existing = await db
|
||||
.select({ tagId: yachtTags.tagId })
|
||||
.from(yachtTags)
|
||||
.where(eq(yachtTags.yachtId, id));
|
||||
const current = new Set(existing.map((t) => t.tagId));
|
||||
if (body.action === 'add_tag') current.add(body.tagId);
|
||||
else current.delete(body.tagId);
|
||||
await setYachtTags(id, ctx.portId, Array.from(current), meta);
|
||||
});
|
||||
|
||||
return NextResponse.json({ data: { results, summary } });
|
||||
});
|
||||
const allowed = ctx.isSuperAdmin
|
||||
? true
|
||||
: !!ctx.permissions?.yachts?.[PERMISSION_BY_ACTION[body.action]];
|
||||
if (!allowed) return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
|
||||
|
||||
const meta = {
|
||||
userId: ctx.userId,
|
||||
portId: ctx.portId,
|
||||
ipAddress: ctx.ipAddress,
|
||||
userAgent: ctx.userAgent,
|
||||
};
|
||||
|
||||
const { results, summary } = await runBulk(body.ids, async (id) => {
|
||||
if (body.action === 'archive') {
|
||||
await archiveYacht(id, ctx.portId, meta);
|
||||
return;
|
||||
}
|
||||
const yacht = await db.query.yachts.findFirst({
|
||||
where: and(eq(yachts.id, id), eq(yachts.portId, ctx.portId)),
|
||||
});
|
||||
if (!yacht) throw new Error('Yacht not found');
|
||||
const existing = await db
|
||||
.select({ tagId: yachtTags.tagId })
|
||||
.from(yachtTags)
|
||||
.where(eq(yachtTags.yachtId, id));
|
||||
const current = new Set(existing.map((t) => t.tagId));
|
||||
if (body.action === 'add_tag') current.add(body.tagId);
|
||||
else current.delete(body.tagId);
|
||||
await setYachtTags(id, ctx.portId, Array.from(current), meta);
|
||||
});
|
||||
|
||||
return NextResponse.json({ data: { results, summary } });
|
||||
}),
|
||||
);
|
||||
|
||||
Reference in New Issue
Block a user