apply upload limit

2022-07-10 14:19:58 +02:00 · 2022-07-10 14:19:58 +02:00 · 9fcd8e5903
commit 9fcd8e5903
parent c14782310a
4 changed files with 17 additions and 2 deletions
--- a/server/package-lock.json
+++ b/server/package-lock.json
@ -10,6 +10,7 @@
      "license": "MIT",
      "dependencies": {
        "@prisma/client": "^4.0.0",
+        "body-parser": "^1.20.0",
        "dotenv": "^16.0.1",
        "express": "^4.18.1",
        "express-rate-limit": "^6.4.0",
--- a/server/package.json
+++ b/server/package.json
@ -7,8 +7,8 @@
    "test": "run-s test:db:reset test:test",
    "coverage": "run-s test:db:reset test:coverage",
    "test-watch": "dotenv -e .env.test -- vitest unit --coverage",
-    "test:test": "dotenv -e .env.test -- vitest run --no-threads",
-    "test:coverage": "dotenv -e .env.test -- vitest run --no-threads --coverage",
+    "test:test": "dotenv -e .env.test -- vitest run ",
+    "test:coverage": "dotenv -e .env.test -- vitest run --coverage",
    "test:db:reset": "dotenv -e .env.test -- npx prisma migrate reset -f",
    "build": "npx tsc",
    "dev": "npx nodemon ./server.ts | npx pino-colada"
@ -17,6 +17,7 @@
  "license": "MIT",
  "dependencies": {
    "@prisma/client": "^4.0.0",
+    "body-parser": "^1.20.0",
    "dotenv": "^16.0.1",
    "express": "^4.18.1",
    "express-rate-limit": "^6.4.0",
--- a/server/src/app.integration.test.ts
+++ b/server/src/app.integration.test.ts
@ -97,4 +97,13 @@ describe("POST /api/note", () => {
    // at least one response should be 429
    expect(responseCodes).toContain(429);
  });
+
+  it("Applies upload limit to endpoint of 400kb", async () => {
+    const largeNote = {
+      ciphertext: "a".repeat(400 * 1024),
+      hmac: "sample_hmac",
+    };
+    const res = await request(app).post("/api/note").send(largeNote);
+    expect(res.statusCode).toBe(413);
+  });
 });
--- a/server/src/app.ts
+++ b/server/src/app.ts
@ -7,6 +7,7 @@ import rateLimit from "express-rate-limit";
 import pinoHttp from "pino-http";
 import logger from "./logger";
 import prisma from "./client";
+import bodyParser from "body-parser";

 // Initialize middleware clients
 const app: Express = express();
@ -36,6 +37,9 @@ const postLimiter = rateLimit({
  legacyHeaders: false, // Disable the `X-RateLimit-*` headers
 });

+// Apply 400kB upload limit on POST
+app.use(bodyParser.json({ limit: "400k" }));
+
 // Post new encrypted note
 app.post(
  "/api/note/",