security: add request body size limits (1MB global, 10KB auth)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
BOHA
2026-03-23 08:47:59 +01:00
parent 8aa1d40ba1
commit 333d1f7697
3 changed files with 7 additions and 5 deletions


@@ -31,6 +31,7 @@ export default async function authRoutes(fastify: FastifyInstance): Promise<void
timeWindow: '1 minute',
},
},
bodyLimit: 10240,
}, async (request, reply) => {
const { username, password, remember_me } = request.body;
@@ -71,7 +72,7 @@ export default async function authRoutes(fastify: FastifyInstance): Promise<void
});
// POST /api/admin/login/totp
fastify.post<{ Body: TotpVerifyRequest }>('/login/totp', async (request, reply) => {
fastify.post<{ Body: TotpVerifyRequest }>('/login/totp', { bodyLimit: 10240 }, async (request, reply) => {
const { login_token, totp_code } = request.body;
if (!login_token || !totp_code) {
@@ -144,7 +145,7 @@ export default async function authRoutes(fastify: FastifyInstance): Promise<void
});
// POST /api/admin/refresh
fastify.post('/refresh', async (request, reply) => {
fastify.post('/refresh', { bodyLimit: 10240 }, async (request, reply) => {
const refreshTokenRaw = request.cookies.refresh_token;
if (!refreshTokenRaw) {
return error(reply, 'Refresh token chybí', 401);
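Review bot: The literal `10240` is now repeated in three route option objects in this file (the login route's `bodyLimit: 10240,`, the `/login/totp` call and the `/refresh` call), so the auth limit can drift silently the next time one of them is edited; hoist it to a module-level `const AUTH_BODY_LIMIT = 10 * 1024; // 10 KiB cap for auth payloads` and pass `{ bodyLimit: AUTH_BODY_LIMIT }` in each route. A body cap bounds how much the content-type parser will buffer, but it does not validate the payload's shape: the `/login/totp` handler only checks `!login_token || !totp_code` after destructuring, and unless a `schema: { body: ... }` is registered on these routes elsewhere, a non-string `totp_code` still reaches the handler, which the type generic `<{ Body: TotpVerifyRequest }>` alone cannot prevent at runtime. The 1 MB global limit named in the title is not in the visible hunks, so its interaction with these per-route values is presumably set in another of the three changed files. The enclosing `authRoutes` function starts and ends outside these hunks.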