Merge pull request #42 from devallibus/development

devallibus · web-flow · commit 39158c9fd73c · 2026-03-08T22:58:57.000+01:00
feat: spam protection and input validation for reviews
diff --git a/apps/web/src/components/ReviewsSection.tsx b/apps/web/src/components/ReviewsSection.tsx
@@ -42,11 +42,14 @@ export default function ReviewsSection(props: ReviewsSectionProps) {
   const [newComment, setNewComment] = createSignal('')
   const [submitting, setSubmitting] = createSignal(false)
   const [submitMessage, setSubmitMessage] = createSignal('')
+  const [submitError, setSubmitError] = createSignal(false)
+  const [cooldown, setCooldown] = createSignal(false)
 
   const handleSubmit = async () => {
-    if (newRating() === 0) return
+    if (newRating() === 0 || submitting() || cooldown()) return
     setSubmitting(true)
     setSubmitMessage('')
+    setSubmitError(false)
 
     try {
       await submit({
@@ -61,10 +64,15 @@ export default function ReviewsSection(props: ReviewsSectionProps) {
       setNewRating(0)
       setNewComment('')
 
+      // Cooldown to prevent rapid re-submission
+      setCooldown(true)
+      setTimeout(() => setCooldown(false), 5000)
+
       const updated = await fetchReviews({ data: { shaderName: props.shaderName } })
       setReviews(updated.reviews)
       setStats(updated.stats)
     } catch (e) {
+      setSubmitError(true)
       setSubmitMessage(e instanceof Error ? e.message : 'Failed to submit')
     } finally {
       setSubmitting(false)
@@ -122,13 +130,15 @@ export default function ReviewsSection(props: ReviewsSectionProps) {
           <button
             type="button"
             class="rounded-full bg-accent px-4 py-1.5 text-xs font-semibold text-surface-primary transition hover:bg-accent/80 disabled:opacity-50"
-            disabled={newRating() === 0 || submitting()}
+            disabled={newRating() === 0 || submitting() || cooldown()}
             onClick={() => void handleSubmit()}
           >
-            {submitting() ? 'Submitting...' : 'Submit'}
+            {submitting() ? 'Submitting...' : cooldown() ? 'Submitted' : 'Submit'}
           </button>
           <Show when={submitMessage()}>
-            <span class="text-xs text-text-muted">{submitMessage()}</span>
+            <span class={`text-xs ${submitError() ? 'text-red-400' : 'text-text-muted'}`}>
+              {submitMessage()}
+            </span>
           </Show>
         </div>
       </div>
diff --git a/apps/web/src/lib/server/reviews-db.test.node.ts b/apps/web/src/lib/server/reviews-db.test.node.ts
@@ -1,10 +1,17 @@
 import assert from 'node:assert/strict'
-import {
+import { mkdtempSync } from 'node:fs'
+import { join } from 'node:path'
+import { tmpdir } from 'node:os'
+
+// Isolate test DB in a temp directory so runs are idempotent
+process.env.DATA_DIR = mkdtempSync(join(tmpdir(), 'reviews-test-'))
+
+const {
   addReview,
   getReviewsForShader,
   getAverageRating,
   getAllShaderRatings,
-} from './reviews-db.ts'
+} = await import('./reviews-db.ts')
 
 function runTest(name: string, callback: () => void | Promise<void>) {
   const result = callback()
@@ -105,4 +112,72 @@ runTest('addReview handles optional parameters', () => {
   assert.equal(reviews[0]!.userID, 'user-456')
 })
 
+runTest('rejects invalid rating (too high)', () => {
+  assert.throws(() => addReview(`${testShader}-bad1`, 6), /Rating must be an integer/)
+})
+
+runTest('rejects invalid rating (zero)', () => {
+  assert.throws(() => addReview(`${testShader}-bad2`, 0), /Rating must be an integer/)
+})
+
+runTest('rejects invalid rating (float)', () => {
+  assert.throws(() => addReview(`${testShader}-bad3`, 3.5), /Rating must be an integer/)
+})
+
+runTest('sanitizes unknown source to web', () => {
+  const shader = `${testShader}-badsource`
+  addReview(shader, 3, null, 'evil-source')
+  const { reviews } = getReviewsForShader(shader)
+  assert.equal(reviews[0]!.source, 'web')
+})
+
+runTest('truncates long comments', () => {
+  const shader = `${testShader}-longcomment`
+  const longComment = 'x'.repeat(5000)
+  addReview(shader, 4, longComment)
+  const { reviews } = getReviewsForShader(shader)
+  assert.equal(reviews[0]!.comment!.length, 2000)
+})
+
+runTest('duplicate review from same reviewer token is rejected', () => {
+  const shader = `${testShader}-dupe`
+  addReview(shader, 4, null, 'web', null, null, '192.168.1.100', 'reviewer-a')
+  assert.throws(
+    () => addReview(shader, 5, null, 'web', null, null, '198.51.100.2', 'reviewer-a'),
+    /already reviewed this shader/,
+  )
+})
+
+runTest('allows same shader from different reviewer tokens on same IP', () => {
+  const shader = `${testShader}-shared-ip`
+  const ip = '10.0.0.1'
+  addReview(shader, 4, null, 'web', null, null, ip, 'reviewer-a')
+  addReview(shader, 5, null, 'web', null, null, ip, 'reviewer-b')
+})
+
+runTest('allows different shaders from same IP', () => {
+  const ip = '10.0.0.1'
+  addReview(`${testShader}-diff1`, 4, null, 'web', null, null, ip)
+  addReview(`${testShader}-diff2`, 4, null, 'web', null, null, ip)
+  // Should not throw — different shaders
+})
+
+runTest('reviews without IP bypass rate limiting', () => {
+  const shader = `${testShader}-noip`
+  addReview(shader, 4, null, 'web', null, null, null)
+  addReview(shader, 5, null, 'web', null, null, null)
+  // Should not throw — no IP to track
+})
+
+runTest('rate limit rejects 6th review from same IP within window', () => {
+  const ip = '172.16.0.1'
+  for (let i = 1; i <= 5; i++) {
+    addReview(`${testShader}-rl-${i}`, 3, null, 'web', null, null, ip, `reviewer-${i}`)
+  }
+  assert.throws(
+    () => addReview(`${testShader}-rl-6`, 3, null, 'web', null, null, ip, 'reviewer-6'),
+    /Too many reviews submitted/,
+  )
+})
+
 console.log('reviews-db tests passed')
diff --git a/apps/web/src/lib/server/reviews-db.ts b/apps/web/src/lib/server/reviews-db.ts
@@ -17,11 +17,36 @@ db.exec(`
     source TEXT NOT NULL DEFAULT 'web',
     agent_context TEXT,
     user_id TEXT,
+    client_ip TEXT,
+    reviewer_token_hash TEXT,
     created_at TEXT NOT NULL DEFAULT (datetime('now'))
   );
   CREATE INDEX IF NOT EXISTS idx_reviews_shader ON reviews(shader_name);
 `)
 
+// Migration: add client_ip column to tables created before this column existed
+try {
+  db.exec(`ALTER TABLE reviews ADD COLUMN client_ip TEXT`)
+} catch {
+  // Column already exists
+}
+
+try {
+  db.exec(`ALTER TABLE reviews ADD COLUMN reviewer_token_hash TEXT`)
+} catch {
+  // Column already exists
+}
+
+db.exec(`CREATE INDEX IF NOT EXISTS idx_reviews_ip_time ON reviews(client_ip, created_at)`)
+db.exec(
+  `CREATE INDEX IF NOT EXISTS idx_reviews_reviewer_shader_time
+   ON reviews(reviewer_token_hash, shader_name, created_at)`,
+)
+
+const MAX_COMMENT_LENGTH = 2000
+const RATE_LIMIT_WINDOW_MINUTES = 10
+const RATE_LIMIT_MAX_REVIEWS = 5
+
 export type Review = {
   id: number
   shaderName: string
@@ -45,18 +70,72 @@ export function addReview(
   source = 'web',
   agentContext?: string | null,
   userId?: string | null,
+  clientIp?: string | null,
+  reviewerTokenHash?: string | null,
 ): number {
+  // Validate rating is an integer 1-5
+  if (!Number.isInteger(rating) || rating < 1 || rating > 5) {
+    throw new Error('Rating must be an integer between 1 and 5')
+  }
+
+  // Validate and truncate comment
+  const sanitizedComment = comment ? comment.slice(0, MAX_COMMENT_LENGTH).trim() || null : null
+
+  // Validate source
+  const allowedSources = ['web', 'mcp', 'cli']
+  const sanitizedSource = allowedSources.includes(source) ? source : 'web'
+
+  // Rate limit: max N reviews per IP within the window
+  if (clientIp) {
+    const recentCount = db
+      .prepare(
+        `SELECT COUNT(*) AS count FROM reviews
+         WHERE client_ip = ? AND created_at > datetime('now', ?)`,
+      )
+      .get(clientIp, `-${RATE_LIMIT_WINDOW_MINUTES} minutes`) as { count: number }
+
+    if (recentCount.count >= RATE_LIMIT_MAX_REVIEWS) {
+      throw new Error('Too many reviews submitted. Please try again later.')
+    }
+
+  }
+
+  if (reviewerTokenHash) {
+    const duplicate = db
+      .prepare(
+        `SELECT id FROM reviews
+         WHERE reviewer_token_hash = ?
+           AND shader_name = ?
+           AND created_at > datetime('now', '-24 hours')`,
+      )
+      .get(reviewerTokenHash, shaderName) as { id: number } | undefined
+
+    if (duplicate) {
+      throw new Error('You already reviewed this shader recently')
+    }
+  }
+
   const stmt = db.prepare(
-    `INSERT INTO reviews (shader_name, rating, comment, source, agent_context, user_id)
-     VALUES (?, ?, ?, ?, ?, ?)`,
+    `INSERT INTO reviews (
+       shader_name,
+       rating,
+       comment,
+       source,
+       agent_context,
+       user_id,
+       client_ip,
+       reviewer_token_hash
+     ) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
   )
   const result = stmt.run(
     shaderName,
     rating,
-    comment ?? null,
-    source,
+    sanitizedComment,
+    sanitizedSource,
     agentContext ?? null,
     userId ?? null,
+    clientIp ?? null,
+    reviewerTokenHash ?? null,
   )
   return Number(result.lastInsertRowid)
 }
diff --git a/apps/web/src/routes/api/-reviews.ts b/apps/web/src/routes/api/-reviews.ts
@@ -1,4 +1,6 @@
+import { randomBytes, createHash } from 'node:crypto'
 import { createServerFn } from '@tanstack/solid-start'
+import { getCookie, getRequestIP, getRequestProtocol, setCookie } from '@tanstack/solid-start/server'
 
 type SubmitReviewInput = {
   shaderName: string
@@ -13,24 +15,58 @@ type GetReviewsInput = {
   shaderName: string
 }
 
+const REVIEWER_COOKIE_NAME = 'shaderbase-reviewer'
+const REVIEWER_COOKIE_MAX_AGE_SECONDS = 60 * 60 * 24 * 365
+
+function getClientIp(): string | null {
+  return getRequestIP({ xForwardedFor: true }) ?? null
+}
+
+function hashReviewerToken(token: string): string {
+  return createHash('sha256').update(token).digest('hex')
+}
+
+function getOrCreateReviewerTokenHash(): string | null {
+  let reviewerToken = getCookie(REVIEWER_COOKIE_NAME)
+
+  if (!reviewerToken) {
+    reviewerToken = randomBytes(32).toString('hex')
+    setCookie(REVIEWER_COOKIE_NAME, reviewerToken, {
+      httpOnly: true,
+      maxAge: REVIEWER_COOKIE_MAX_AGE_SECONDS,
+      path: '/',
+      sameSite: 'lax',
+      secure: getRequestProtocol({ xForwardedProto: true }) === 'https',
+    })
+  }
+
+  return reviewerToken ? hashReviewerToken(reviewerToken) : null
+}
+
 export const submitReview = createServerFn({ method: 'POST' })
   .inputValidator((input: SubmitReviewInput) => input)
   .handler(async ({ data }) => {
     const { addReview } = await import('../../lib/server/reviews-db')
     const { listShadersFromSource } = await import('../../lib/server/shader-source')
 
+    // Validate shader exists
     const shaders = await listShadersFromSource()
     if (!shaders.some((s) => s.name === data.shaderName)) {
       throw new Error(`Shader "${data.shaderName}" not found`)
     }
 
+    const clientIp = getClientIp()
+    const reviewerTokenHash = getOrCreateReviewerTokenHash()
+
     const reviewId = addReview(
       data.shaderName,
       data.rating,
       data.comment ?? null,
       data.source ?? 'web',
       data.agentContext ? JSON.stringify(data.agentContext) : null,
       data.userId ?? null,
+      clientIp,
+      reviewerTokenHash,
     )
 
     return { ok: true as const, reviewId }
