
Fix/json body limit and jwt exp validation#940

Merged: ogazboiz merged 3 commits into LabsCrypt:main from Litezy:fix/json-body-limit-and-jwt-exp-validation on Jul 1, 2026

Conversation

@Litezy (Contributor) commented Jun 29, 2026

Closes #826
Closes #827

Summary

  • Set an explicit 1mb limit on express.json() in app.ts — documents
    intent and caps the JSON-parse DoS surface (was silently defaulting to 100 kb).
  • Guard payload.exp in verifyJwt with a typeof check before the
    numeric comparison — previously a signature-valid token with no exp field
    evaluated undefined < number → false and was accepted forever.

@ogazboiz (Contributor) commented Jul 1, 2026

Heads up: main's CI was broken (the Backend CI and Backend Docker Image CI jobs) until the fixes in #969 and #974 just landed, so the red backend/docker checks on this PR are almost certainly stale; they ran against the broken main. Please rebase to re-test against the now-green main: git fetch origin && git rebase origin/main && git push --force-with-lease. Once it's green I'll review and merge. (If a non-backend check like Frontend CI is still red after the rebase, that part is a real issue worth a look, since frontend CI was passing on main.)

@ogazboiz ogazboiz merged commit 241c87d into LabsCrypt:main Jul 1, 2026
10 checks passed
