backend: enforce request body size and JSON string-length validation via middleware #665

Open
EmeditWeb wants to merge 1 commit into Fracverse:master from EmeditWeb:enforce-input-length


@EmeditWeb EmeditWeb commented May 27, 2026

Close #639

Title
Enforce input length limits across backend endpoints

Summary

I added centralized request body size and per-field JSON string-length validation to prevent overly large payloads and inconsistent field lengths across API endpoints.

Files Changed

  • validation.rs
  • middleware.rs
  • app.rs

Details

  • Introduces centralized limits:
    • DEFAULT_MAX_BODY_BYTES (16 KiB) — request body byte cap.
    • DEFAULT_MAX_FIELD_LENGTH (1024 chars) — per-string field cap inside JSON.
  • Adds validate_json_string_lengths(...) in validation.rs to recursively check JSON string lengths and collect field-level errors.
  • Adds enforce_max_request_size middleware in middleware.rs:
    • Rejects requests with Content-Length or actual body size > DEFAULT_MAX_BODY_BYTES (HTTP 413).
    • For Content-Type: application/json, parses the body and rejects when any JSON string exceeds DEFAULT_MAX_FIELD_LENGTH (HTTP 400) with a fields object detailing violations.
    • Reconstructs the request body so downstream handlers receive the original payload.
  • Registers the middleware in app.rs so it runs globally before handlers.

Motivation / Risk

  • Ensures consistent validation across all endpoints, reducing buffer/DoS/data-integrity risks.
  • Middleware-based approach avoids the need to update every handler manually.
  • Note: limits are currently hardcoded constants for simplicity; can be made environment-configurable if desired.

Testing (step-by-step)

  1. Build/check locally:
cd backend
cargo check
  2. Run the service (example):
cd backend
cargo run
# or use your standard run command for the backend service
  3. Verify overall body-size rejection (expect HTTP 413):
# create payload > 16 KiB
python3 - <<'PY' > /tmp/big.json
import json
s = "A" * (17*1024)
print(json.dumps({"big": s}))
PY

curl -i -X POST http://localhost:3000/api/some/endpoint \
  -H "Content-Type: application/json" \
  --data-binary @/tmp/big.json
# Expect 413 Payload Too Large and JSON error response
  4. Verify per-field string-length rejection (expect HTTP 400):
python3 - <<'PY' > /tmp/long_field.json
import json
s = "B" * 2000
print(json.dumps({"name": s}))
PY

curl -i -X POST http://localhost:3000/api/some/endpoint \
  -H "Content-Type: application/json" \
  --data-binary @/tmp/long_field.json
# Expect 400 Bad Request and JSON body with "fields" listing the offending path(s)
  5. Verify normal requests succeed:
curl -i -X POST http://localhost:3000/api/some/endpoint \
  -H "Content-Type: application/json" \
  -d '{"name":"short","message":"ok"}'
# Expect normal handler response (200 or handler-specific)
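
The two checks listed under Details, as an added standard-library Rust example that is not the PR's code: a body read that stays bounded when Content-Length is missing or understated, and a recursive string-length walk that reports field paths. The `Json` enum, `read_capped`, `long_strings`, the `$` root path and the 400 returned on a read error are assumptions of this example.

```rust
use std::collections::BTreeMap;
use std::io::Read;
const MAX_BODY_BYTES: u64 = 16 * 1024; // 16 KiB body cap from the PR description
const MAX_FIELD_CHARS: usize = 1024; // per-string cap from the PR description

/// Hypothetical stand-in for a parsed JSON value (assumption, not the PR's type).
#[allow(dead_code)]
pub enum Json {
    Null, Bool(bool), Num(f64), Str(String), Arr(Vec<Json>), Obj(BTreeMap<String, Json>),
}

/// Stage 1: return the body bytes, or the HTTP status to reject with.
pub fn read_capped(content_length: Option<u64>, body: impl Read) -> Result<Vec<u8>, u16> {
    if content_length.map_or(false, |n| n > MAX_BODY_BYTES) {
        return Err(413); // cheap reject before reading anything
    }
    // The header can be absent or understate the size, so bound the read itself:
    // take at most cap + 1 bytes (read error -> 400 is this example's assumption).
    let mut buf = Vec::new();
    body.take(MAX_BODY_BYTES + 1).read_to_end(&mut buf).map_err(|_| 400u16)?;
    if buf.len() as u64 > MAX_BODY_BYTES { Err(413) } else { Ok(buf) }
}

/// Stage 2: collect (path, length) for every string value over the cap.
pub fn long_strings(v: &Json, path: &str, out: &mut Vec<(String, usize)>) {
    match v {
        Json::Str(s) => {
            let n = s.chars().count(); // characters, not UTF-8 bytes
            if n > MAX_FIELD_CHARS { out.push((path.to_string(), n)); }
        }
        Json::Arr(items) => {
            for (i, item) in items.iter().enumerate() {
                long_strings(item, &format!("{}[{}]", path, i), out);
            }
        }
        Json::Obj(map) => {
            for (key, item) in map {
                long_strings(item, &format!("{}.{}", path, key), out);
            }
        }
        _ => {}
    }
}

fn main() {
    // Constructed sample: 17 KiB body with no Content-Length, one 2000-char string.
    let big = vec![b'A'; 17 * 1024];
    let mut out = Vec::new();
    long_strings(&Json::Str("B".repeat(2000)), "$", &mut out);
    println!("{:?} {:?}", read_capped(None, &big[..]).map(|b| b.len()), out);
}
```

Counting characters rather than bytes means a 1024-character string of multi-byte characters passes the field check while still counting in full against the byte cap.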


drips-wave Bot commented May 27, 2026

@EmeditWeb Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Development

Successfully merging this pull request may close these issues.

Backend: Enforce input length limits consistently