chore: prepare production deploy with API hardening and Railway adapter

* Harden API routes with rate limits, upload cap, and edit dedupe.

Protect expensive endpoints from abuse, reject oversized mood uploads, dedupe concurrent edit-images calls, and surface Kakao search failures instead of silent mock fallback.

Co-authored-by: Cursor <cursoragent@cursor.com>

* chore: switch to adapter-node for Railway deploy

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
Chaewon Lee
2026-06-15 10:33:57 +09:00
committed by GitHub
parent 84c8a0aac9
commit 0f102eb289
14 changed files with 813 additions and 147 deletions


@@ -26,6 +26,15 @@ SUPABASE_URL=
SUPABASE_SERVICE_ROLE_KEY=
SUPABASE_STORAGE_BUCKET=flower-bouquets
# adapter-node (Railway / any Node host)
# Default body limit is 512K — mood-analysis allows up to 10 MB.
BODY_SIZE_LIMIT=10M
# Public URL after deploy (required for CSRF / form actions).
# ORIGIN=https://your-app.up.railway.app
# Real client IP behind Railway's proxy (for rate limiting).
# ADDRESS_HEADER=x-forwarded-for
# XFF_DEPTH=1
# Dev seed button: shown only when `npm run dev` (production build hides it).
# To mute during local dev, set DEV_SEED_MUTED = true in DevSeedButton.svelte.
# Replace static/dev/bouquet-{s,m,l}.jpg with real photos for richer UI previews.
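Review bot: the proxy settings this deploy depends on for rate limiting are left commented out in this hunk (`# ADDRESS_HEADER=x-forwarded-for`, `# XFF_DEPTH=1`), so a Railway deploy that copies the example as-is will key the new rate limits on the proxy's own address and every client shares one bucket; please either uncomment them for the Railway case or state in the comment that they are required in production, and note that XFF_DEPTH must equal the number of trusted proxies in front of the app, since a value higher than that lets the client-supplied part of X-Forwarded-For choose the key. Also, `BODY_SIZE_LIMIT=10M` raises the adapter-node limit for every route, not only mood-analysis as the comment implies; worth documenting that the per-route upload cap added in this commit is the actual enforcement and that this value is only the outer ceiling.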