Bug
src/app/api/ratings/route.ts has no input validation on comment length and no rate limiting.
Issues:
- No comment length limit: Users can submit arbitrarily long comments stored in the DB. Neither the API nor the UI (RatingWidget.tsx textarea) enforces a max length.
- No rate limiting: Each POST triggers signature recovery + DB read + RPC call + DB upsert. No throttling.
- No pagination on GET: Returns all ratings for a storyline with no limit. Large response for popular storylines.
Fix:
- Add maxLength on the textarea in RatingWidget.tsx (e.g., 500 chars)
- Validate comment length server-side in the API route
- Add pagination params to GET (e.g., ?limit=20&offset=0)
- Consider rate limiting via middleware or simple IP-based throttle
Context: Introduced in PR #84 (API) and PR #85 (UI).
Checklist:
- npm run lint and npm run typecheck pass
Labels: bug, agent/T3