Calbook/app/api/public/buchen/route.ts


// Next.js route segment config: always run this handler at request time,
// never serve a cached or statically rendered result.
export const dynamic = "force-dynamic";
import { createAppointment } from "@/lib/services/appointments";
import { fail, ok } from "@/lib/api";
import { enforceRateLimit } from "@/lib/rate-limit";
import { readJsonBody, validateMutationRequestOrigin } from "@/lib/security/request";
/**
 * Public booking endpoint: turns a POST request into an appointment.
 *
 * Guards run in a fixed order so that rejections happen before the request
 * body is read:
 *   1. request-origin validation for a mutating request,
 *   2. rate limit in the "public-book" scope (limit 20, window 60 000 ms),
 *   3. JSON body read, capped at 32 KiB,
 *   4. hand-off to createAppointment.
 *
 * NOTE(review): the parsed body is passed to createAppointment unchanged;
 * this handler does no field-level validation, so schema checks presumably
 * live in the service. Confirm.
 * NOTE(review): how enforceRateLimit identifies a client (address, forwarded
 * header, ...) is not visible here. If it trusts a client-supplied header,
 * the limit is only as strong as the proxy in front of it. Confirm.
 *
 * @param req incoming request
 * @returns the response produced by the first failing guard, a `fail`
 *   response when the booking is rejected, otherwise an `ok` response
 *   carrying the service's data and status.
 */
export async function POST(req: Request) {
  // A truthy value from the origin check is returned to the caller as-is.
  const rejectedOrigin = validateMutationRequestOrigin(req);
  if (rejectedOrigin) {
    return rejectedOrigin;
  }

  const quota = enforceRateLimit({ req, scope: "public-book", limit: 20, windowMs: 60_000 });
  if (!quota.ok) {
    // The wait time goes out in the third argument of fail(); whether a
    // Retry-After header is also set depends on that helper.
    const { retryAfterSeconds } = quota;
    return fail("Zu viele Buchungsversuche. Bitte kurz warten.", 429, { retryAfterSeconds });
  }

  // The size cap is enforced while reading, before any JSON reaches the service.
  const maxBodyBytes = 32 * 1024;
  const parsed = await readJsonBody(req, { maxBytes: maxBodyBytes });
  if (!parsed.ok) {
    return parsed.response;
  }

  const booking = await createAppointment(parsed.data);
  if (booking.ok) {
    return ok(booking.data, booking.status);
  }

  // Failure path: fall back to a generic message and 400 when the service
  // gives none; field errors are forwarded only when the result has them.
  const message = booking.message ?? "Buchung fehlgeschlagen";
  const status = booking.status ?? 400;
  const details = "errors" in booking ? booking.errors : undefined;
  return fail(message, status, details);
}