Fix test suite and improve security documentation

- Removed broken test that referenced deleted customEndpointHandler - Removed unused import for createPayloadRequest - Added production security best practices to README including API key authentication example - Added rate limiting example for production use - Added client-side caching recommendations for performance optimization 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-10 02:43:25 +00:00 · 2025-10-03 14:24:10 +02:00
parent a6712666af
commit 118f1ee2ed
2 changed files with 71 additions and 18 deletions
--- a/README.md
+++ b/README.md
@@ -176,6 +176,44 @@ access: {
 }
 ```

+**Production Security Best Practices:**
+
+For production environments, consider implementing these additional security measures:
+
+```typescript
+// Example: API key authentication for external services
+collectionOverrides: {
+  access: {
+    read: ({ req }) => {
+      // Check for API key in headers for service-to-service calls
+      const apiKey = req.headers['x-api-key']
+      if (apiKey && apiKey === process.env.FEATURE_FLAGS_API_KEY) {
+        return true
+      }
+      // Fall back to user authentication
+      return !!req.user
+    }
+  }
+}
+```
+
+**Rate Limiting:** Use Payload's built-in rate limiting or implement middleware:
+
+```typescript
+// Example with express-rate-limit
+import rateLimit from 'express-rate-limit'
+
+const featureFlagLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100, // Limit each IP to 100 requests per windowMs
+  standardHeaders: true,
+  legacyHeaders: false,
+})
+
+// Apply to your API routes
+app.use('/api/feature-flags', featureFlagLimiter)
+```
+
 **Important:** The plugin uses Payload's native REST API for the collection, which respects all access control rules.

 ## Usage
@@ -448,6 +486,38 @@ if (flag.enabled && flag.variants) {
 }
 ```

+## Performance Considerations
+
+### Client-Side Caching
+
+For improved performance, consider implementing client-side caching when fetching feature flags:
+
+```typescript
+// Example: Simple cache with TTL
+class FeatureFlagCache {
+  private cache = new Map<string, { data: any; expiry: number }>()
+  private ttl = 5 * 60 * 1000 // 5 minutes
+
+  async get(key: string, fetcher: () => Promise<any>) {
+    const cached = this.cache.get(key)
+    if (cached && cached.expiry > Date.now()) {
+      return cached.data
+    }
+
+    const data = await fetcher()
+    this.cache.set(key, { data, expiry: Date.now() + this.ttl })
+    return data
+  }
+}
+
+const flagCache = new FeatureFlagCache()
+
+// Use with the hooks
+const flags = await flagCache.get('all-flags', () =>
+  fetch('/api/feature-flags?limit=1000').then(r => r.json())
+)
+```
+
 ## Migration

 ### Disabling the Plugin