security: add request body size limits (1MB global, 10KB auth)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
BOHA
2026-03-23 08:47:59 +01:00
parent 8aa1d40ba1
commit 333d1f7697
3 changed files with 7 additions and 5 deletions


@@ -29,7 +29,7 @@ export default async function totpRoutes(fastify: FastifyInstance): Promise<void
});
// POST - enable TOTP
fastify.post('/enable', { preHandler: requireAuth }, async (request, reply) => {
fastify.post('/enable', { preHandler: requireAuth, bodyLimit: 10240 }, async (request, reply) => {
const body = request.body as Record<string, unknown>;
const { secret, code } = body;
@@ -121,7 +121,7 @@ export default async function totpRoutes(fastify: FastifyInstance): Promise<void
});
// POST - toggle mandatory 2FA
fastify.post('/required', { preHandler: [requireAuth, requirePermission('settings.security')] }, async (request, reply) => {
fastify.post('/required', { preHandler: [requireAuth, requirePermission('settings.security')], bodyLimit: 10240 }, async (request, reply) => {
const body = request.body as Record<string, unknown>;
const required = body.required === true || body.required === 1 || body.required === '1';
@@ -137,7 +137,7 @@ export default async function totpRoutes(fastify: FastifyInstance): Promise<void
});
// POST - verify backup code (pre-auth, no requireAuth)
fastify.post('/backup-verify', async (request, reply) => {
fastify.post('/backup-verify', { bodyLimit: 10240 }, async (request, reply) => {
const body = request.body as Record<string, unknown>;
const { login_token, code } = body;
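Review bot: The new `bodyLimit: 10240` only bounds the byte size; on the two lines after the changed `fastify.post('/backup-verify', …)` line the handler still does `request.body as Record<string, unknown>` and destructures it, and the `/enable` and `/required` hunks have the same shape, so a request with no body or a non-object body presumably still reaches the destructuring and, if Fastify leaves `request.body` undefined there, surfaces as a thrown TypeError (500) rather than a 400. Since the same literal is repeated in all three route option objects, I would hoist it and attach a body schema so the size cap and the shape check live together, e.g. `const AUTH_BODY_LIMIT = 10240; // bytes; auth payloads are small key/value bodies` and `fastify.post('/backup-verify', { bodyLimit: AUTH_BODY_LIMIT, schema: { body: { type: 'object', required: ['login_token', 'code'] } } }, async (request, reply) => {`. The `/backup-verify` route is the one to do first, since its own comment says it runs pre-auth with no `requireAuth`. The enclosing `totpRoutes` function and each handler body continue outside the hunk, and the 1MB global limit named in the commit title is in a file not shown here.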