From 333d1f7697bb58959044d50bacc87e74495ba7bc Mon Sep 17 00:00:00 2001
From: BOHA
Date: Mon, 23 Mar 2026 08:47:59 +0100
Subject: [PATCH] security: add request body size limits (1MB global, 10KB auth)

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 src/routes/admin/auth.ts | 5 +++--
 src/routes/admin/totp.ts | 6 +++---
 src/server.ts | 1 +
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/routes/admin/auth.ts b/src/routes/admin/auth.ts
index 8daac5d..152f1db 100644
--- a/src/routes/admin/auth.ts
+++ b/src/routes/admin/auth.ts
@@ -31,6 +31,7 @@ export default async function authRoutes(fastify: FastifyInstance): Promise { const { username, password, remember_me } = request.body;
@@ -71,7 +72,7 @@ export default async function authRoutes(fastify: FastifyInstance): Promise('/login/totp', async (request, reply) => {
+ fastify.post<{ Body: TotpVerifyRequest }>('/login/totp', { bodyLimit: 10240 }, async (request, reply) => {
 const { login_token, totp_code } = request.body;
 if (!login_token || !totp_code) {
@@ -144,7 +145,7 @@ export default async function authRoutes(fastify: FastifyInstance): Promise {
+ fastify.post('/refresh', { bodyLimit: 10240 }, async (request, reply) => {
 const refreshTokenRaw = request.cookies.refresh_token;
 if (!refreshTokenRaw) {
 return error(reply, 'Refresh token chybí', 401);
diff --git a/src/routes/admin/totp.ts b/src/routes/admin/totp.ts
index f46de38..9143e47 100644
--- a/src/routes/admin/totp.ts
+++ b/src/routes/admin/totp.ts
@@ -29,7 +29,7 @@ export default async function totpRoutes(fastify: FastifyInstance): Promise {
+ fastify.post('/enable', { preHandler: requireAuth, bodyLimit: 10240 }, async (request, reply) => {
 const body = request.body as Record;
 const { secret, code } = body;
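Review bot: The literal `10240` on the added `fastify.post<{ Body: TotpVerifyRequest }>('/login/totp', { bodyLimit: 10240 }, …)` line is repeated verbatim on the `/refresh` route below and on the three totp.ts routes (`/enable`, `/required`, `/backup-verify`), so adjusting the auth limit later means five edits across two files; a shared constant such as `const AUTH_BODY_LIMIT = 10 * 1024; // 10 KiB: login/TOTP payloads are a few short fields` used as `{ bodyLimit: AUTH_BODY_LIMIT }` keeps them in step. An oversized body is rejected by Fastify's parser with a 413 and Fastify's own error payload (code `FST_ERR_CTP_BODY_TOO_LARGE`), not through the `error(reply, …, …)` helper these routes use, so unless a global `setErrorHandler` already maps that case, clients of the auth endpoints will see a different error shape for it — worth a test or a comment on the option. The `/login/totp` handler body continues outside the hunk.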
@@ -121,7 +121,7 @@ export default async function totpRoutes(fastify: FastifyInstance): Promise {
+ fastify.post('/required', { preHandler: [requireAuth, requirePermission('settings.security')], bodyLimit: 10240 }, async (request, reply) => {
 const body = request.body as Record;
 const required = body.required === true || body.required === 1 || body.required === '1';
@@ -137,7 +137,7 @@ export default async function totpRoutes(fastify: FastifyInstance): Promise {
+ fastify.post('/backup-verify', { bodyLimit: 10240 }, async (request, reply) => {
 const body = request.body as Record;
 const { login_token, code } = body;
diff --git a/src/server.ts b/src/server.ts
index 8b686df..8833a04 100644
--- a/src/server.ts
+++ b/src/server.ts
@@ -35,6 +35,7 @@ const app = Fastify({
 level: config.isProduction ? 'warn' : 'info',
 },
 trustProxy: true,
+ bodyLimit: 1048576,
 });

 async function start() {
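Review bot: The added `/required` route line carries both `preHandler: [requireAuth, requirePermission('settings.security')]` and `bodyLimit: 10240`, and Fastify enforces `bodyLimit` while parsing the body, before `preHandler` hooks run, so an oversized request is rejected before the auth hooks execute; that ordering is the reason the limit belongs in the route options rather than in a hook, and a short comment would preserve it, e.g. `// bodyLimit is enforced at parse time, ahead of the preHandler auth checks`. The handler body continues past the hunk.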
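Review bot: `bodyLimit: 1048576` on the added line in the `Fastify({ … })` options equals Fastify's documented default (1 MiB), so this hunk makes the existing ceiling explicit rather than tightening it, which is narrower than the commit subject's "1MB global" suggests; a comment such as `// explicit 1 MiB body cap (Fastify's default); auth routes override to 10 KiB` records that intent for the next reader. If a lower global cap was intended, this is the value to lower, and a per-route `bodyLimit` can still raise it for the few endpoints that legitimately accept larger payloads.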