chore: backport security improvements from audit#18
Merged
Conversation
FastAPI/Starlette has no default body size limit. Add a middleware that returns 413 when Content-Length exceeds 1MB, protecting against unbounded JSON payload DoS.
Wrap fastapi-users current_active_user and current_superuser so every log emitted during an authenticated request automatically carries user_id alongside request_id. No caller changes required.
Demonstrates the Field(max_length=...) pattern on NoteBase.body (10k chars) and UserCreate/UserUpdate.name (100 chars). Unbounded string inputs allow malicious clients to store arbitrarily large values. Response schemas (UserRead) are left unbounded since the data originates from our own DB.
- CI: restrict GITHUB_TOKEN to contents:read (least privilege)
- .github/CODEOWNERS catch-all placeholder for review enforcement
Summary
Backports template-level fixes discovered during a security / analytics / legal audit across projects spawned from this template. Full plan in BACKPORT_FROM_AUDIT.md (templates root).
Changes
Security
- feat: 1MB request body size middleware in app/main.py. FastAPI/Starlette enforces no default limit, so without this a malicious client could POST a multi-GB JSON payload and the server would happily try to parse it. Returns HTTP 413 when Content-Length exceeds the threshold.
- feat(schemas): add Field(max_length=...) bounds to user-supplied strings.
  - NoteBase.body → 10,000 chars (was unbounded)
  - UserCreate.name / UserUpdate.name → 100 chars (were unbounded)
  - UserRead.name intentionally left unbounded (response shape, data originates from our DB)
Observability
- feat(logging): bind user_id to structlog contextvars on authentication. Wraps the fastapi-users current_active_user and current_superuser dependencies transparently so every log emitted during an authenticated request carries user_id alongside the existing request_id. No caller changes required — the wrapping happens at the symbol level in app/auth/users.py and FastAPI's DI chain handles the rest.
Scaffolding
- chore: add top-level permissions: contents: read to .github/workflows/ci.yml (least-privilege GITHUB_TOKEN).
- chore: add .github/CODEOWNERS catch-all placeholder (* @amrtgaber) so spawned projects get review enforcement from day one.
Test plan
- uv run ruff check . — clean
- uv run ruff format --check . — clean
- uv run pytest — 21/21 passing
- Content-Length: 2000000 and verify 413 response
- user_id appears in structured log output alongside request_id
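The body-size middleware described in the Security section, as an added example that is not the PR's own code (the PR's version lives in app/main.py and is not shown here). It is written as a pure ASGI middleware, the shape Starlette and FastAPI accept via `app.add_middleware`, and it goes one step beyond the PR: besides rejecting a declared `Content-Length` over the limit, it also counts the bytes the application actually reads, so a body streamed without `Content-Length` (chunked transfer encoding), which a header-only check never sees, is cut off at the same limit. `echo_app` and `run_request` are a constructed stand-in application and test harness so the block runs offline with only the standard library.

```python
from __future__ import annotations

import asyncio
import json
from typing import Awaitable, Callable

MAX_BODY_BYTES = 1_000_000  # the PR's 1MB threshold

ASGIApp = Callable[[dict, Callable, Callable], Awaitable[None]]


class BodyTooLarge(Exception):
    """Raised by the counting receive() once the streamed body passes the limit."""


async def _send_413(send: Callable, detail: str) -> None:
    body = json.dumps({"detail": detail}).encode()
    await send({
        "type": "http.response.start",
        "status": 413,
        "headers": [
            (b"content-type", b"application/json"),
            (b"content-length", str(len(body)).encode()),
        ],
    })
    await send({"type": "http.response.body", "body": body, "more_body": False})


class BodySizeLimitMiddleware:
    """Pure-ASGI middleware: 413 on a declared Content-Length over the limit,
    and also on a streamed body that grows past the limit while the app reads it."""

    def __init__(self, app: ASGIApp, max_bytes: int = MAX_BODY_BYTES) -> None:
        self.app = app
        self.max_bytes = max_bytes

    async def __call__(self, scope: dict, receive: Callable, send: Callable) -> None:
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return

        # Fast path: reject a declared oversized body before reading any of it.
        headers = dict(scope.get("headers", []))
        declared = headers.get(b"content-length")
        if declared is not None and declared.isdigit() and int(declared) > self.max_bytes:
            await _send_413(send, "request body too large")
            return

        # Slow path: count the bytes the app pulls from receive(); this is the
        # only defence for bodies sent without a Content-Length header.
        seen = 0
        response_started = False

        async def counting_receive() -> dict:
            nonlocal seen
            message = await receive()
            if message["type"] == "http.request":
                seen += len(message.get("body", b""))
                if seen > self.max_bytes:
                    raise BodyTooLarge(seen)
            return message

        async def tracking_send(message: dict) -> None:
            nonlocal response_started
            if message["type"] == "http.response.start":
                response_started = True
            await send(message)

        try:
            await self.app(scope, counting_receive, tracking_send)
        except BodyTooLarge:
            if response_started:
                raise  # headers already went out; the server will log the failure
            await _send_413(send, "request body too large")


async def echo_app(scope: dict, receive: Callable, send: Callable) -> None:
    """Constructed sample app: reads the whole body and answers with its length."""
    total = 0
    while True:
        message = await receive()
        total += len(message.get("body", b""))
        if not message.get("more_body", False):
            break
    body = str(total).encode()
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": body, "more_body": False})


def run_request(app: ASGIApp, headers: dict[str, str], chunks: list[bytes]) -> tuple[int, bytes]:
    """Constructed harness: drive an ASGI app with one POST and return (status, body)."""
    scope = {
        "type": "http", "method": "POST", "path": "/notes",
        "headers": [(k.lower().encode(), v.encode()) for k, v in headers.items()],
    }
    pending = [{"type": "http.request", "body": c, "more_body": i < len(chunks) - 1}
               for i, c in enumerate(chunks)] or [{"type": "http.request", "body": b"", "more_body": False}]
    sent: list[dict] = []

    async def receive() -> dict:
        return pending.pop(0)

    async def send(message: dict) -> None:
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    body = b"".join(m.get("body", b"") for m in sent if m["type"] == "http.response.body")
    return sent[0]["status"], body


if __name__ == "__main__":
    limited = BodySizeLimitMiddleware(echo_app, max_bytes=1000)
    print(run_request(limited, {"Content-Length": "2000000"}, [b"x" * 10]))
    print(run_request(limited, {"Transfer-Encoding": "chunked"}, [b"y" * 500] * 3))
```

The fast path is what the PR's test plan exercises (`Content-Length: 2000000` yields a 413 without the body being read). The slow path matters because a client controls the framing: if `Content-Length` is absent, a header-only middleware admits the body and the parser downstream is again unbounded. A non-numeric `Content-Length` is deliberately left for the server to reject rather than treated as zero.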
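The user_id binding described in the Observability section, as an added example that is not the PR's or fastapi-users' code. The PR binds into `structlog.contextvars`; to run anywhere without structlog this block shows the same mechanism with only the standard library: a `contextvars.ContextVar` holding the bound fields, a `logging.Filter` that copies them onto every record, and a wrapper applied to an authentication dependency at the symbol level, exactly as the PR does for `current_active_user`. The `current_active_user` here, the `USERS` table and `handle_request` are constructed stand-ins for the fastapi-users dependency and a request handler; two requests are run concurrently to show that each one's user_id stays inside its own context.

```python
from __future__ import annotations

import asyncio
import contextvars
import functools
import json
import logging
from typing import Any, Awaitable, Callable

# Bound fields for the current request, isolated per asyncio task (stdlib
# analogue of structlog.contextvars).
_log_context: contextvars.ContextVar[dict[str, Any]] = contextvars.ContextVar("log_context", default={})


def bind_contextvars(**fields: Any) -> None:
    """Merge fields into the current context (copy-on-write, never mutate the default)."""
    merged = dict(_log_context.get())
    merged.update(fields)
    _log_context.set(merged)


def clear_contextvars() -> None:
    _log_context.set({})


class ContextFilter(logging.Filter):
    """Attach the bound fields to every LogRecord passing through a handler."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.ctx = dict(_log_context.get())
        return True


class JsonFormatter(logging.Formatter):
    def format(self, record: logging.LogRecord) -> str:
        payload = {"event": record.getMessage(), "level": record.levelname}
        payload.update(getattr(record, "ctx", {}))
        return json.dumps(payload, sort_keys=True)


def bind_user_id(dependency: Callable[..., Awaitable[dict[str, Any]]]):
    """Wrap an async auth dependency so the resolved user's id is bound once it returns.
    functools.wraps sets __wrapped__, which inspect.signature follows, so a DI
    container that reads the signature still sees the original parameters."""

    @functools.wraps(dependency)
    async def wrapper(*args: Any, **kwargs: Any) -> dict[str, Any]:
        user = await dependency(*args, **kwargs)
        bind_contextvars(user_id=str(user["id"]))
        return user

    return wrapper


USERS = {"tok-alice": "u-1", "tok-bob": "u-2"}  # constructed sample token -> user id


async def current_active_user(token: str) -> dict[str, Any]:
    """Constructed stand-in for the fastapi-users dependency."""
    await asyncio.sleep(0)  # yield so the two sample requests interleave
    return {"id": USERS[token], "email": f"{USERS[token]}@example.test"}


# Symbol-level wrap, as the PR does: callers keep importing the same name.
current_active_user = bind_user_id(current_active_user)


def _capturing_logger() -> tuple[logging.Logger, list[str]]:
    lines: list[str] = []

    class ListHandler(logging.Handler):
        def emit(self, record: logging.LogRecord) -> None:
            lines.append(self.format(record))

    handler = ListHandler()
    handler.setFormatter(JsonFormatter())
    handler.addFilter(ContextFilter())
    logger = logging.getLogger("app.example")
    logger.handlers.clear()
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    return logger, lines


async def handle_request(logger: logging.Logger, request_id: str, token: str) -> dict[str, Any]:
    """Constructed request handler: request_id is bound first, user_id by the dependency."""
    clear_contextvars()
    bind_contextvars(request_id=request_id)
    logger.info("request started")           # carries request_id only
    user = await current_active_user(token)  # binds user_id as a side effect
    logger.info("note created")              # carries request_id and user_id
    return user


def simulate_requests() -> list[dict[str, Any]]:
    """Run two requests concurrently and return the emitted log records as dicts."""
    logger, lines = _capturing_logger()

    async def main() -> None:
        await asyncio.gather(handle_request(logger, "req-A", "tok-alice"),
                             handle_request(logger, "req-B", "tok-bob"))

    asyncio.run(main())
    return [json.loads(line) for line in lines]


if __name__ == "__main__":
    for record in simulate_requests():
        print(record)
```

Each `asyncio` task starts with a copy of its parent's context, so a `set()` inside one request is invisible to the other and to the caller of `asyncio.run`; that is what makes a single module-level `ContextVar` safe across concurrent requests, and it is the same property structlog's contextvars integration relies on.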