refactor: use reviewer token cookie for duplicate prevention

Replace IP-based duplicate detection with an HttpOnly cookie token.
The server mints a random token on first review, hashes it with SHA-256,
and stores the hash. Duplicate check is now reviewer_token_hash + shader
within 24 hours — different users on the same IP are no longer blocked.

IP is retained only for burst rate limiting (5 reviews / 10 min).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: devallibus

apps/web/src/lib/server/reviews-db.test.node.ts

@@ -139,16 +139,22 @@ runTest('truncates long comments', () => {
   assert.equal(reviews[0]!.comment!.length, 2000)
 })
 
-runTest('duplicate review from same IP is rejected', () => {
+runTest('duplicate review from same reviewer token is rejected', () => {
   const shader = `${testShader}-dupe`
-  const ip = '192.168.1.100'
-  addReview(shader, 4, null, 'web', null, null, ip)
+  addReview(shader, 4, null, 'web', null, null, '192.168.1.100', 'reviewer-a')
   assert.throws(
-    () => addReview(shader, 5, null, 'web', null, null, ip),
+    () => addReview(shader, 5, null, 'web', null, null, '198.51.100.2', 'reviewer-a'),
     /already reviewed this shader/,
   )
 })
 
+runTest('allows same shader from different reviewer tokens on same IP', () => {
+  const shader = `${testShader}-shared-ip`
+  const ip = '10.0.0.1'
+  addReview(shader, 4, null, 'web', null, null, ip, 'reviewer-a')
+  addReview(shader, 5, null, 'web', null, null, ip, 'reviewer-b')
+})
+
 runTest('allows different shaders from same IP', () => {
   const ip = '10.0.0.1'
   addReview(`${testShader}-diff1`, 4, null, 'web', null, null, ip)
@@ -166,10 +172,10 @@ runTest('reviews without IP bypass rate limiting', () => {
 runTest('rate limit rejects 6th review from same IP within window', () => {
   const ip = '172.16.0.1'
   for (let i = 1; i <= 5; i++) {
-    addReview(`${testShader}-rl-${i}`, 3, null, 'web', null, null, ip)
+    addReview(`${testShader}-rl-${i}`, 3, null, 'web', null, null, ip, `reviewer-${i}`)
   }
   assert.throws(
-    () => addReview(`${testShader}-rl-6`, 3, null, 'web', null, null, ip),
+    () => addReview(`${testShader}-rl-6`, 3, null, 'web', null, null, ip, 'reviewer-6'),
     /Too many reviews submitted/,
   )
 })

apps/web/src/lib/server/reviews-db.ts

@@ -18,6 +18,7 @@ db.exec(`
     agent_context TEXT,
     user_id TEXT,
     client_ip TEXT,
+    reviewer_token_hash TEXT,
     created_at TEXT NOT NULL DEFAULT (datetime('now'))
   );
   CREATE INDEX IF NOT EXISTS idx_reviews_shader ON reviews(shader_name);
@@ -30,7 +31,17 @@ try {
   // Column already exists
 }
 
+try {
+  db.exec(`ALTER TABLE reviews ADD COLUMN reviewer_token_hash TEXT`)
+} catch {
+  // Column already exists
+}
+
 db.exec(`CREATE INDEX IF NOT EXISTS idx_reviews_ip_time ON reviews(client_ip, created_at)`)
+db.exec(
+  `CREATE INDEX IF NOT EXISTS idx_reviews_reviewer_shader_time
+   ON reviews(reviewer_token_hash, shader_name, created_at)`,
+)
 
 const MAX_COMMENT_LENGTH = 2000
 const RATE_LIMIT_WINDOW_MINUTES = 10
@@ -60,6 +71,7 @@ export function addReview(
   agentContext?: string | null,
   userId?: string | null,
   clientIp?: string | null,
+  reviewerTokenHash?: string | null,
 ): number {
   // Validate rating is an integer 1-5
   if (!Number.isInteger(rating) || rating < 1 || rating > 5) {
@@ -86,23 +98,34 @@ export function addReview(
       throw new Error('Too many reviews submitted. Please try again later.')
     }
 
-    // Duplicate prevention: one review per IP per shader per 24 hours
-    // Uses a time window instead of permanent to avoid blocking users on shared IPs (NAT, offices, mobile carriers)
+  }
+
+  if (reviewerTokenHash) {
     const duplicate = db
       .prepare(
         `SELECT id FROM reviews
-         WHERE client_ip = ? AND shader_name = ? AND created_at > datetime('now', '-24 hours')`,
+         WHERE reviewer_token_hash = ?
+           AND shader_name = ?
+           AND created_at > datetime('now', '-24 hours')`,
       )
-      .get(clientIp, shaderName) as { id: number } | undefined
+      .get(reviewerTokenHash, shaderName) as { id: number } | undefined
 
     if (duplicate) {
       throw new Error('You already reviewed this shader recently')
     }
   }
 
   const stmt = db.prepare(
-    `INSERT INTO reviews (shader_name, rating, comment, source, agent_context, user_id, client_ip)
-     VALUES (?, ?, ?, ?, ?, ?, ?)`,
+    `INSERT INTO reviews (
+       shader_name,
+       rating,
+       comment,
+       source,
+       agent_context,
+       user_id,
+       client_ip,
+       reviewer_token_hash
+     ) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
   )
   const result = stmt.run(
     shaderName,
@@ -112,6 +135,7 @@ export function addReview(
     agentContext ?? null,
     userId ?? null,
     clientIp ?? null,
+    reviewerTokenHash ?? null,
   )
   return Number(result.lastInsertRowid)
 }

apps/web/src/routes/api/-reviews.ts

@@ -1,5 +1,6 @@
+import { randomBytes, createHash } from 'node:crypto'
 import { createServerFn } from '@tanstack/solid-start'
-import { getRequestIP } from '@tanstack/solid-start/server'
+import { getCookie, getRequestIP, getRequestProtocol, setCookie } from '@tanstack/solid-start/server'
 
 type SubmitReviewInput = {
   shaderName: string
@@ -14,10 +15,34 @@ type GetReviewsInput = {
   shaderName: string
 }
 
+const REVIEWER_COOKIE_NAME = 'shaderbase-reviewer'
+const REVIEWER_COOKIE_MAX_AGE_SECONDS = 60 * 60 * 24 * 365
+
 function getClientIp(): string | null {
   return getRequestIP({ xForwardedFor: true }) ?? null
 }
 
+function hashReviewerToken(token: string): string {
+  return createHash('sha256').update(token).digest('hex')
+}
+
+function getOrCreateReviewerTokenHash(): string | null {
+  let reviewerToken = getCookie(REVIEWER_COOKIE_NAME)
+
+  if (!reviewerToken) {
+    reviewerToken = randomBytes(32).toString('hex')
+    setCookie(REVIEWER_COOKIE_NAME, reviewerToken, {
+      httpOnly: true,
+      maxAge: REVIEWER_COOKIE_MAX_AGE_SECONDS,
+      path: '/',
+      sameSite: 'lax',
+      secure: getRequestProtocol({ xForwardedProto: true }) === 'https',
+    })
+  }
+
+  return reviewerToken ? hashReviewerToken(reviewerToken) : null
+}
+
 export const submitReview = createServerFn({ method: 'POST' })
   .inputValidator((input: SubmitReviewInput) => input)
   .handler(async ({ data }) => {
@@ -31,6 +56,7 @@ export const submitReview = createServerFn({ method: 'POST' })
     }
 
     const clientIp = getClientIp()
+    const reviewerTokenHash = getOrCreateReviewerTokenHash()
 
     const reviewId = addReview(
       data.shaderName,
@@ -40,6 +66,7 @@ export const submitReview = createServerFn({ method: 'POST' })
       data.agentContext ? JSON.stringify(data.agentContext) : null,
       data.userId ?? null,
       clientIp,
+      reviewerTokenHash,
     )
 
     return { ok: true as const, reviewId }