Closes the deferrals from Fase 4 that gated a public deploy of the MVP.
PWA install
- Custom SW at apps/web/src/sw.ts (named sw.ts, not service-worker.ts, so
SvelteKit doesn't intercept it and block Workbox imports).
- vite.config.ts switched to injectManifest strategy with precache of the
built shell; no runtime caching of Supabase (offline writes stay on the
existing $lib/sync pending_ops queue).
- Root +layout.svelte onMount() calls registerSW({ immediate: true }) from
virtual:pwa-register — the plugin does not auto-register.
- Web manifest with 192/512/512-maskable icons + iOS meta tags
(apple-mobile-web-app-capable, apple-touch-icon, etc.) in app.html.
- Placeholder icons generated via ImageMagick; replace before public launch
(noted in apps/web/static/icons/README.md).
Kong rate-limit
- /rest/v1/collective_invitations POST: 20/hour per Authorization header.
Anti-spam on invitation creation is the only rate-limit that survived —
auth rate-limits were dropped during execution (see plan §6.3): Keycloak
already provides bruteForceProtected=true on the realm, and stacking a
Kong limit on /auth/v1/token throttled legitimate PKCE code exchanges
during E2E.
- Added 'rate-limiting' to KONG_PLUGINS in docker-compose.dev.yml.
- Discovered: strip_path=true on a full-table path sends "/" upstream and
PostgREST rejects POST to root with PGRST117. Route carries a
request-transformer plugin that rewrites the URI back.
JWT rotation + prod template
- infra/scripts/rotate-jwt.sh signs anon + service_role JWTs with a fresh
48-byte secret via openssl. Prints three values for the operator to
paste; does not touch files.
- Dev secret rotated as a dry-run. Updated both .env (local, gitignored)
and apps/web/.env.development. Existing sessions are invalidated — all
users must re-login once.
- .env.production.example committed with placeholders + rotation notes.
Lighthouse + RLS audit tooling
- `just lighthouse` boots the prod build + Supabase stack and runs
lighthouse CLI against PWA/A11y/Best-Practices.
- `just rls-audit` runs infra/scripts/rls-audit.sh which signs an Eva JWT
(non-member) and GETs 8 REST endpoints — all must return []. Complements
the Vitest rls-audit.test.ts suite.
Tests
- 236 green: 34 pgTAP + 140 Vitest integration + 15 unit + 46 Playwright.
- 1 rate-limit test gated behind RUN_RATE_LIMIT_TESTS=1 (Kong counters are
shared state); run via `just test-rate-limit` which force-recreates Kong
first to reset counters.
- 3 skipped in `just test-all` (2 Realtime presence upstream bug, 1 gated
rate-limit).
Deliberately out of scope: push notifications, CI ephemeral Docker, final
production icons, runtime caching of Supabase (SyncBanner + pending_ops
already covers offline).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
85 lines
3.1 KiB
TypeScript
85 lines
3.1 KiB
TypeScript
/**
|
|
* RL-series: Kong rate-limiting on the invitation endpoint (Fase 6.3)
|
|
*
|
|
* Kong ships with the rate-limiting plugin; we configure `local` policy
|
|
* (single-instance). This test hits the Supabase Kong gateway on localhost
|
|
* and asserts that the 21st POST in the window returns 429.
|
|
*
|
|
* Scope note: we deliberately do NOT rate-limit /auth/v1/* at the Kong layer.
|
|
* Keycloak's native `bruteForceProtected` flag on the `colectivo` realm
|
|
* (maxFailureWaitSeconds=900, failureFactor=30) covers password attacks at the
|
|
* IdP level — the authoritative place. A Kong limit on /auth/v1/token would
|
|
* also throttle legitimate PKCE code exchanges during tests.
|
|
*
|
|
* Threshold (in sync with infra/kong.yml):
|
|
* /rest/v1/collective_invitations POST — 20 per hour per authenticated user
|
|
*/
|
|
import { describe, it, expect } from 'vitest';
|
|
import { createClientAs } from '../src/supabase-clients.js';
|
|
import { ANA_ID, COLLECTIVE_ID } from '../src/seed-constants.js';
|
|
|
|
const KONG = process.env.PUBLIC_SUPABASE_URL ?? 'http://localhost:8001';
|
|
const ANON = process.env.PUBLIC_SUPABASE_ANON_KEY!;
|
|
|
|
// These tests hit Kong's real rate-limit counters (IP + token-based) and
|
|
// consume quota that's shared with the rest of the integration suite. To
|
|
// avoid cross-test pollution in `just test-all`, they're gated behind an
|
|
// explicit env flag and run via `just test-rate-limit` (which also
|
|
// restarts Kong first to ensure a clean counter state).
|
|
const RUN = process.env.RUN_RATE_LIMIT_TESTS === '1';
|
|
const d = RUN ? describe : describe.skip;
|
|
|
|
d('Kong rate-limit — /rest/v1/collective_invitations', () => {
|
|
it('RL-02: 21st invitation POST in an hour returns 429', async () => {
|
|
const ana = await createClientAs(ANA_ID);
|
|
const authHeader = (ana as unknown as { rest: { headers: Record<string, string> } }).rest
|
|
?.headers?.Authorization;
|
|
// Fallback: grab the token manually
|
|
const token = authHeader?.replace('Bearer ', '') ?? (await signBorja());
|
|
|
|
const headers = {
|
|
'Content-Type': 'application/json',
|
|
apikey: ANON,
|
|
Authorization: `Bearer ${token}`,
|
|
Prefer: 'return=representation'
|
|
};
|
|
|
|
for (let i = 0; i < 20; i++) {
|
|
const r = await fetch(`${KONG}/rest/v1/collective_invitations`, {
|
|
method: 'POST',
|
|
headers,
|
|
body: JSON.stringify({
|
|
collective_id: COLLECTIVE_ID,
|
|
role: 'member',
|
|
created_by: ANA_ID
|
|
})
|
|
});
|
|
expect(r.status, `attempt ${i + 1} was 429`).not.toBe(429);
|
|
}
|
|
|
|
const limited = await fetch(`${KONG}/rest/v1/collective_invitations`, {
|
|
method: 'POST',
|
|
headers,
|
|
body: JSON.stringify({
|
|
collective_id: COLLECTIVE_ID,
|
|
role: 'member',
|
|
created_by: ANA_ID
|
|
})
|
|
});
|
|
expect(limited.status).toBe(429);
|
|
}, 60_000);
|
|
});
|
|
|
|
// Helper — sign a minimal authenticated JWT for Ana if we need to fall back.
|
|
async function signBorja(): Promise<string> {
|
|
const { SignJWT } = await import('jose');
|
|
const secret = new TextEncoder().encode(process.env.SUPABASE_JWT_SECRET!);
|
|
return new SignJWT({ role: 'authenticated' })
|
|
.setProtectedHeader({ alg: 'HS256' })
|
|
.setSubject(ANA_ID)
|
|
.setAudience('authenticated')
|
|
.setIssuedAt()
|
|
.setExpirationTime('1h')
|
|
.sign(secret);
|
|
}
|