fix: security hardening + performance refactoring (code review batch 1)

- IDOR fix: deliberation vote now verifies juryMemberId === ctx.user.id - Rate limiting: tRPC middleware (100/min), AI endpoints (5/hr), auth IP-based (10/15min) - 6 compound indexes added to Prisma schema - N+1 eliminated in processRoundClose (batch updateMany/createMany) - N+1 eliminated in batchCheckRequirementsAndTransition (3 batch queries) - Service extraction: juror-reassignment.ts (578 lines) - Dead code removed: award.ts, cohort.ts, decision.ts (680 lines) - 35 bare catch blocks replaced across 16 files - Fire-and-forget async calls fixed - Notification false positive bug fixed Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 16:18:24 +01:00
parent a8b8643936
commit b85a9b9a7b
32 changed files with 1032 additions and 1355 deletions
--- a/src/app/api/auth/check-email/route.ts
+++ b/src/app/api/auth/check-email/route.ts
@@ -1,13 +1,24 @@
 import { NextRequest, NextResponse } from 'next/server'
 import { prisma } from '@/lib/prisma'
+import { checkRateLimit } from '@/lib/rate-limit'

 /**
 * Pre-check whether an email exists before sending a magic link.
 * This is a closed platform (no self-registration) so revealing
 * email existence is acceptable and helps users who mistype.
+ * Rate-limited to 10 requests per 15 minutes per IP.
 */
 export async function POST(req: NextRequest) {
  try {
+    const ip = req.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ?? 'unknown'
+    const rateResult = checkRateLimit(`check-email:${ip}`, 10, 15 * 60 * 1000)
+    if (!rateResult.success) {
+      return NextResponse.json(
+        { exists: false, error: 'Too many requests' },
+        { status: 429 },
+      )
+    }
+
    const { email } = await req.json()
    if (!email || typeof email !== 'string') {
      return NextResponse.json({ exists: false }, { status: 400 })