working ish wihotu cookies

2026-01-27 23:03:31 -06:00
parent e06087e19f
commit bf59155c1e
8 changed files with 198 additions and 14 deletions
--- a/src/app/api/room/create/route.ts
+++ b/src/app/api/room/create/route.ts
@@ -1,7 +1,37 @@
 import { NextResponse } from 'next/server';
 import { createRoom } from '@/lib/rooms';
+import { rateLimit, getClientIdentifier } from '@/lib/rate-limit';
+import { createRoomSchema } from '@/lib/validation';

-export async function POST() {
-  const { code, moderatorId } = createRoom();
-  return NextResponse.json({ code, moderatorId });
+export async function POST(req: Request) {
+  try {
+    // Rate limit: max 5 rooms per IP per hour
+    const clientId = getClientIdentifier(req);
+    const rateLimitResult = rateLimit(`create:${clientId}`, 5, 3600000);
+    
+    if (!rateLimitResult.success) {
+      return NextResponse.json(
+        { error: 'Too many rooms created. Try again later.' },
+        { status: 429 }
+      );
+    }
+
+    // Validate request (empty body is fine for create)
+    const body = await req.json().catch(() => ({}));
+    createRoomSchema.parse(body);
+
+    const { code, moderatorId } = createRoom();
+    
+    return NextResponse.json({ 
+      code, 
+      moderatorId,
+      remaining: rateLimitResult.remaining 
+    });
+  } catch (error: unknown) {
+    console.error('Create room error:', error);
+    return NextResponse.json(
+      { error: 'Failed to create room' },
+      { status: 400 }
+    );
+  }
 }
--- a/src/app/api/room/join/route.ts
+++ b/src/app/api/room/join/route.ts
@@ -1,13 +1,47 @@
 import { NextResponse } from 'next/server';
 import { joinRoom } from '@/lib/rooms';
+import { rateLimit, getClientIdentifier } from '@/lib/rate-limit';
+import { joinRoomSchema } from '@/lib/validation';

 export async function POST(req: Request) {
-  const { code, playerName } = await req.json();
-  const result = joinRoom(code, playerName);
-  
-  if (!result) {
-    return NextResponse.json({ error: 'Room not found' }, { status: 404 });
+  try {
+    // Rate limit: max 20 join attempts per IP per minute
+    const clientId = getClientIdentifier(req);
+    const rateLimitResult = rateLimit(`join:${clientId}`, 20, 60000);
+    
+    if (!rateLimitResult.success) {
+      return NextResponse.json(
+        { error: 'Too many attempts. Slow down.' },
+        { status: 429 }
+      );
+    }
+
+    const body = await req.json();
+    const validatedData = joinRoomSchema.parse(body);
+    
+    const result = joinRoom(validatedData.code, validatedData.playerName);
+    
+    if (!result) {
+      return NextResponse.json(
+        { error: 'Room not found or inactive' },
+        { status: 404 }
+      );
+    }
+    
+    return NextResponse.json(result);
+  } catch (error: any) {
+    console.error('Join room error:', error);
+    
+    if (error.name === 'ZodError') {
+      return NextResponse.json(
+        { error: error.errors[0].message },
+        { status: 400 }
+      );
+    }
+    
+    return NextResponse.json(
+      { error: 'Invalid request' },
+      { status: 400 }
+    );
  }
-  
-  return NextResponse.json(result);
 }