diff --git a/server/package-lock.json b/server/package-lock.json
index 28f8a57..a162456 100644
--- a/server/package-lock.json
+++ b/server/package-lock.json
@@ -10,6 +10,7 @@ "license": "MIT", "dependencies": { "@prisma/client": "^4.0.0", + "body-parser": "^1.20.0", "dotenv": "^16.0.1", "express": "^4.18.1", "express-rate-limit": "^6.4.0",
diff --git a/server/package.json b/server/package.json
index f0ded55..35e245a 100644
--- a/server/package.json
+++ b/server/package.json
@@ -7,8 +7,8 @@
 "test": "run-s test:db:reset test:test",
 "coverage": "run-s test:db:reset test:coverage",
 "test-watch": "dotenv -e .env.test -- vitest unit --coverage",
- "test:test": "dotenv -e .env.test -- vitest run --no-threads",
- "test:coverage": "dotenv -e .env.test -- vitest run --no-threads --coverage",
+ "test:test": "dotenv -e .env.test -- vitest run ",
+ "test:coverage": "dotenv -e .env.test -- vitest run --coverage",
 "test:db:reset": "dotenv -e .env.test -- npx prisma migrate reset -f",
 "build": "npx tsc",
 "dev": "npx nodemon ./server.ts | npx pino-colada"
@@ -17,6 +17,7 @@
 "license": "MIT",
 "dependencies": {
 "@prisma/client": "^4.0.0",
+ "body-parser": "^1.20.0",
 "dotenv": "^16.0.1",
 "express": "^4.18.1",
 "express-rate-limit": "^6.4.0",
diff --git a/server/src/app.integration.test.ts b/server/src/app.integration.test.ts
index 3ea2c1e..e6ebb4e 100644
--- a/server/src/app.integration.test.ts
+++ b/server/src/app.integration.test.ts
@@ -97,4 +97,13 @@ describe("POST /api/note", () => {
 // at least one response should be 429
 expect(responseCodes).toContain(429);
 });
+
+ it("Applies upload limit to endpoint of 400kb", async () => {
+ const largeNote = {
+ ciphertext: "a".repeat(400 * 1024),
+ hmac: "sample_hmac",
+ };
+ const res = await request(app).post("/api/note").send(largeNote);
+ expect(res.statusCode).toBe(413);
+ });
 });
diff --git a/server/src/app.ts b/server/src/app.ts
index a0ef8ef..439a334 100644
--- a/server/src/app.ts
+++ b/server/src/app.ts
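Review bot: The new test pins only the rejection side of the limit; a companion case that sends a body just under the limit and asserts the status is not 413 would catch the limit being set too low or the request being rejected for an unrelated reason. `"400k"` parses to 409600 bytes, so the 400 * 1024-character ciphertext plus the `hmac` field and JSON framing exceeds it by only a few dozen bytes; a comment such as `// 400 * 1024 chars + JSON framing > the "400k" (409600 B) parser limit` would make that margin explicit. Because the preceding case in this describe deliberately trips the 429 limiter, this case depends on the size check running before the rate limiter, which holds for the middleware order in app.ts as patched but is worth stating in a comment. The enclosing describe("POST /api/note") and the `request`/`app` setup start outside the hunk.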
@@ -7,6 +7,7 @@ import rateLimit from "express-rate-limit";
 import pinoHttp from "pino-http";
 import logger from "./logger";
 import prisma from "./client";
+import bodyParser from "body-parser";
 // Initialize middleware clients
 const app: Express = express();
@@ -36,6 +37,9 @@ const postLimiter = rateLimit({
 legacyHeaders: false, // Disable the `X-RateLimit-*` headers
 });
+// Apply 400kB upload limit on POST
+app.use(bodyParser.json({ limit: "400k" }));
+
 // Post new encrypted note
 app.post(
 "/api/note/",
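Review bot: The comment above the new `app.use(bodyParser.json({ limit: "400k" }))` line says the limit applies to POST, but `app.use` with no path mounts the parser for every method and route, so it should read `// Reject JSON bodies larger than "400k" (409600 B) with 413 on every route` (or be scoped with `app.use("/api/note", ...)` if that is the intent). Express 4.16+ exposes `express.json()`, which is body-parser's JSON parser re-exported, so `app.use(express.json({ limit: "400k" }))` gives the same behaviour without the new dependency in package.json and the lockfile or the import added in the first hunk. If a JSON parser without a limit is already registered earlier in app.ts (not visible here), it would consume the body first and this limit would never be reached, which is worth confirming. body-parser reports the oversize case as an error with `status` 413 and `type` `"entity.too.large"`, which the default Express error handler answers with an HTML body; if the API returns JSON errors elsewhere, an error-handling middleware should cover this case for consistency.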