Skip to content

feat: harden share page with no-referrer + global rate limit#147

Merged
tomasz-tomczyk merged 1 commit intomainfrom
share-page-hardening
Apr 30, 2026
Merged

feat: harden share page with no-referrer + global rate limit#147
tomasz-tomczyk merged 1 commit intomainfrom
share-page-hardening

Conversation

@tomasz-tomczyk
Copy link
Copy Markdown
Owner

@tomasz-tomczyk tomasz-tomczyk commented Apr 30, 2026

Summary

  • Send Referrer-Policy: no-referrer on private routes (review page, dashboard, settings, overview, CLI auth, all /api/*). External link clicks from a rendered review no longer leak the secret URL via the Referer header. Combined into the existing :noindex pipeline.
  • Add CritWeb.Plugs.RateLimit — a global per-IP backstop, 180/min default, Hammer-backed. Returns 429 with Retry-After: 60 and a JSON or text body per a :response opt. Installed on :browser (text) and :api / :device_api / :auth_api (json).
  • Existing tighter limiters (POST /api/reviews 30/min, /api/reviews 404 10/5min) stay layered on top via separate Hammer buckets — same module, different keys.
  • Bypassed in tests via config :crit, CritWeb.Plugs.RateLimit, disabled: true — shared 127.0.0.1 across the suite would otherwise trip the limiter.

Review

  • Interactive crit review: approved (0 comments)
  • Elixir expert review: feedback addressed (response opt instead of format auto-detect, Retry-After header, deterministic test IPs)
  • Parity audit: N/A (server-side only)

Test plan

  • `mix precommit` green (515 tests, sobelow clean, deps audit clean)
  • New plug tests cover: under-limit allow, over-limit 429 (text + JSON), per-IP isolation, E2E env bypass, suite-default disabled bypass, `init/1` rejects unknown `:response`
  • `/r/:token` test asserts both `Referrer-Policy: no-referrer` and `x-robots-tag: noindex` on the response

🤖 Generated with Claude Code

@tomasz-tomczyk @claude
feat: harden share page with no-referrer + global rate limit
b11c4f8 
Set Referrer-Policy: no-referrer on private routes (combined into the
existing :noindex pipeline) so external link clicks from a rendered
review page don't leak the secret URL via the Referer header.

Add CritWeb.Plugs.RateLimit — a global per-IP backstop (180/min default,
Hammer-backed) on :browser, :api, :device_api, and :auth_api pipelines.
Returns 429 with Retry-After: 60 and a JSON or text body per the
:response opt. Existing tighter limiters (POST /api/reviews 30/min,
/api/reviews 404 10/5min) stay layered on top.

Bypassed in tests via config :crit, CritWeb.Plugs.RateLimit, disabled:
true — shared 127.0.0.1 across the suite would otherwise trip the
limiter.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 30, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.37%. Comparing base (2f4a3ee) to head (b11c4f8).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #147      +/-   ##
==========================================
+ Coverage   77.13%   77.37%   +0.23%     
==========================================
  Files          54       55       +1     
  Lines        1636     1653      +17     
==========================================
+ Hits         1262     1279      +17     
  Misses        374      374
Flag Coverage Δ
unit 77.37% <100.00%> (+0.23%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@tomasz-tomczyk tomasz-tomczyk merged commit 78267d9 into main Apr 30, 2026
4 checks passed
@tomasz-tomczyk tomasz-tomczyk deleted the share-page-hardening branch April 30, 2026 14:29
@tomasz-tomczyk tomasz-tomczyk mentioned this pull request Apr 30, 2026
Merged
4 tasks
tomasz-tomczyk added a commit that referenced this pull request Apr 30, 2026
@tomasz-tomczyk @claude
fix: add reply UI to review-level comments + always center on web (#150)
bc1813f 
Two parity gaps from #147 (closes crit/#374):

1. Review-level comment cards on crit-web didn't expose a reply input,
   only line-anchored cards did. Round-trip tests passed because they
   exercised the API directly. Adds renderReplyList + createReplyInput
   to the inline review-conversation card, matching the line-anchored
   render path.

2. crit-web has no git-mode equivalent — every review is doc-style.
   Drop the multi-file branch in renderReviewConversation and always
   set data-doc-layout="centered" so the Review conversation block
   centers consistently with the rest of the document.

Adds a LiveView test that exercises the add_reply event end-to-end
on a review-scope comment to lock the parity.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tomasz-tomczyk