feat(server): explicit + env-tunable express.json() body-size limit#46
Merged
Conversation
express.json()'s default body limit is 100kb. Make that explicit
in the call site and let operators override via JSON_BODY_LIMIT
(e.g. "512kb", "1mb") without having to fork the server.
Caps the body before the parser starts buffering — a basic
memory-exhaustion DoS defense even unauthenticated callers
otherwise have. 100kb is comfortably above any expected payload
in this API (the largest real body is a TimeEntry create with a
teDescription, which the zod schema caps at 10000 chars).
Test: tests/api/body-size-limit.test.js spins up the router behind
express.json({limit:'1kb'}) and verifies a 413 PayloadTooLarge for
a 2kb body, plus a passing path for a small body.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
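Added example, not the project's code or Express's: a dependency-free model of what `express.json({ limit })` does with a body cap, so the reasoning in the PR description (and in the follow-up commit that wires `JSON_BODY_LIMIT` into `server.js`) can be exercised without Express installed. The helper names `parseLimit`, `resolveJsonBodyLimit`, `handleJsonRequest` and `runPrScenario` are hypothetical; in the real stack the size string is parsed by the `bytes` package and the cap is enforced by `body-parser`/`raw-body`. The request bodies are constructed inline.

```javascript
// Added example (not the project's own code): models the body cap that
// express.json({ limit }) applies, with the PR's env override and its
// 1kb-limit / 2kb-body test reconstructed as plain functions.
// All helper names below are hypothetical; nothing touches the network.

const UNITS = { b: 1, kb: 1024, mb: 1024 ** 2, gb: 1024 ** 3 };

// Parse a limit the way express.json() accepts it: a number is bytes, a
// string such as "512kb" or "1mb" is unit-scaled (1024-based, case-insensitive).
// Returns null for unparseable input so a typo in JSON_BODY_LIMIT fails at
// startup instead of silently falling back to something unexpected.
function parseLimit(limit) {
  if (typeof limit === 'number') {
    return Number.isFinite(limit) && limit >= 0 ? Math.floor(limit) : null;
  }
  if (typeof limit !== 'string') return null;
  const m = /^\s*(\d+(?:\.\d+)?)\s*(b|kb|mb|gb)?\s*$/i.exec(limit);
  if (!m) return null;
  return Math.floor(parseFloat(m[1]) * UNITS[(m[2] || 'b').toLowerCase()]);
}

// Mirror of the server.js change: env knob, falling back to Express's 100kb default.
function resolveJsonBodyLimit(env) {
  const raw = env.JSON_BODY_LIMIT || '100kb';
  const bytes = parseLimit(raw);
  if (bytes === null) {
    throw new Error(`JSON_BODY_LIMIT is not a valid size: ${JSON.stringify(raw)}`);
  }
  return bytes;
}

// Simulated request: a headers map plus the body as it would arrive on the
// socket, already split into chunks (constructed input). Returns an HTTP
// status the way the real middleware would surface it.
function handleJsonRequest(req, limitBytes) {
  // 1. Content-Length declared and over the limit: reject before buffering a byte.
  const declared = req.headers['content-length'];
  if (declared !== undefined) {
    const len = Number(declared);
    if (!Number.isInteger(len) || len < 0) return { status: 400, error: 'bad content-length' };
    if (len > limitBytes) return { status: 413, error: 'entity.too.large', received: 0 };
  }
  // 2. Otherwise (chunked transfer, or a lying client): count bytes as they
  //    arrive and stop at the first chunk that pushes the total past the limit.
  const parts = [];
  let received = 0;
  for (const chunk of req.chunks) {
    received += Buffer.byteLength(chunk, 'utf8');
    if (received > limitBytes) return { status: 413, error: 'entity.too.large', received };
    parts.push(chunk);
  }
  let body;
  try {
    body = JSON.parse(parts.join(''));
  } catch {
    return { status: 400, error: 'entity.parse.failed' };
  }
  return { status: 200, body };
}

// Split a string into fixed-size pieces to imitate chunked delivery.
function chunksOf(s, n) {
  const out = [];
  for (let i = 0; i < s.length; i += n) out.push(s.slice(i, i + n));
  return out;
}

// The PR's test scenario reconstructed: parser limited to '1kb', one ~2kb
// body (rejected) and one small body (accepted). Constructed payloads.
function runPrScenario() {
  const limit = parseLimit('1kb'); // 1024 bytes
  const big = JSON.stringify({ teDescription: 'x'.repeat(2048) });
  const small = JSON.stringify({ teDescription: 'hello' });
  const withLength = (s) => ({ headers: { 'content-length': String(Buffer.byteLength(s)) }, chunks: [s] });
  return {
    declaredOversize: handleJsonRequest(withLength(big), limit),
    chunkedOversize: handleJsonRequest({ headers: {}, chunks: chunksOf(big, 512) }, limit),
    small: handleJsonRequest(withLength(small), limit),
  };
}
```

Two things the model makes visible that the one-line `app.use` does not: the cap is checked against a declared Content-Length before any buffering, and separately against the running byte count for chunked or mis-declared bodies, so a client cannot dodge it by omitting the header. It also only protects the parser it is passed to; `express.urlencoded()`, `express.raw()` and `express.text()` each carry their own 100kb default and would need the same knob if the API ever used them.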
CryptoJones added a commit that referenced this pull request on May 17, 2026:
#46 landed the test but the server.js change was dropped from the commit (uncommitted working-tree state got reset away mid-session before I noticed). This applies the actual server.js change so the env var has somewhere to plug in:

`app.use(express.json({ limit: process.env.JSON_BODY_LIMIT || '100kb' }));`

The test in tests/api/body-size-limit.test.js mounts its own express.json({limit:'1kb'}) for ergonomics — it covers the parser behavior server.js depends on without trying to mutate process.env at test-time (vitest's ESM module cache makes env flipping fragile). The test header now says so explicitly.

Co-authored-by: Aaron K. Clark <akclark@thenetwerk.net>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
CryptoJones added a commit that referenced this pull request on May 17, 2026:
) Continues the housekeeping pattern of #44 — keep the README endpoint table and CHANGELOG `[Unreleased]` in sync with merged PRs.

README:
- Append rows for the four PurchaseOrder/Inventory entities that gained endpoints in #50, #51, #52.

CHANGELOG (under `[Unreleased]`):
- PurchaseOrder + Inventory API rollout (the tracker, #49, and its three PRs)
- JSON_BODY_LIMIT env hook (#45 / #46 / #47)
- npm audit fix + dep bumps + Snyk PR triage (#30 / #48)

Co-authored-by: Aaron K. Clark <akclark@thenetwerk.net>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
CryptoJones added a commit that referenced this pull request on May 18, 2026:
…93) `.env.example` had drifted: the runtime reads 17 env vars but only documented 8 of them. New entries cover:
- LOG_LEVEL, LOG_PRETTY — pino logger knobs (existed since the initial port; never documented).
- RATE_LIMIT_MAX, RATE_LIMIT_WINDOW_MS — express-rate-limit tuning (existed since the brute-force defense PR).
- JSON_BODY_LIMIT — body size cap (existed since #46).
- HELMET_CSP — opt-in CSP toggle (existed since the helmet PR).
- TRUST_PROXY — reverse-proxy XFF trust (existed since the proxy PR).
- METRICS_BEARER_TOKEN — new in P4-J. Optional bearer-token gate on /metrics.
- SHUTDOWN_TIMEOUT_MS — graceful-shutdown drain budget.

All commented-out (leading `#`) with the production-default in the comment so a fresh `cp .env.example .env` doesn't accidentally change behavior; operators uncomment + edit only what they need.

No code changes; documentation only.

Co-authored-by: Aaron K. Clark <akclark@thenetwerk.net>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes #45.
Makes the body-size limit explicit at the call site (100kb default, matching the express default) and adds a `JSON_BODY_LIMIT` env knob (e.g. `JSON_BODY_LIMIT=512kb`). Caps body size before the parser buffers — basic DoS defense.

Test plan

tests/api/body-size-limit.test.js — 413 for >limit, pass-through for under

Proudly Made in Nebraska. Go Big Red! 🌽 https://xkcd.com/2347/