Code-review follow-ups: httputil, validation caps, a11y
Backend: - Extract shared internal/httputil (WriteJSON/ErrorJSON/BadRequest/ ServerError); drop the triple-duplicated helpers in docs, suggestions, vocab. ServerError now logs the real error and returns a generic 500 so raw DB/internal errors never reach the client. - vocab capture: validate doc_id ownership (blank -> none, unknown -> 400 instead of a leaked FK 500); rune-safe clamp word/gloss/definition/ phonetic/example. - vocab review(): wrap the read-modify-write in a transaction (TOCTOU). - /api request-size cap via MaxBytesReader middleware (2 MiB), exempting /api/images (own 10 MiB limit). Frontend: - StatusBar: drive the checking/voicing/collocating indicators from one array; llmDown uses !anyBusy. - Slide-overs: new useFocusTrap hook (focus-in, Tab trap, focus-restore) on GardenPanel + HistoryPanel, both role=dialog/aria-modal/aria-label. - speech.ts: export stopSpeech(); GardenPanel cancels audio on unmount. Tests: add doc_id-validation and field-clamp coverage; full suite green. Claude-Session: https://claude.ai/code/session_016Yr6jELuRc7hyzYLccQKZd
This commit is contained in:
@@ -48,6 +48,11 @@ func main() {
|
||||
log.Printf("frontend build version %s", version)
|
||||
|
||||
r.Route("/api", func(api chi.Router) {
|
||||
// Cap request bodies so a runaway or hostile client can't stream an
|
||||
// unbounded payload into a JSON decoder. Image uploads carry their own
|
||||
// (larger) limit inside the images handler, so they're exempt here.
|
||||
api.Use(limitBody(maxAPIBodyBytes, "/api/images"))
|
||||
|
||||
api.Get("/health", func(w http.ResponseWriter, _ *http.Request) {
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
_, _ = w.Write([]byte(`{"status":"ok"}`))
|
||||
@@ -114,6 +119,32 @@ func main() {
|
||||
}
|
||||
}
|
||||
|
||||
// maxAPIBodyBytes caps a JSON API request body at 2 MiB. That's far above any
|
||||
// real document save (the body is text plus lightweight marks; images upload
|
||||
// separately by reference) while still bounding abuse. Exceeding it makes the
|
||||
// handler's json.Decode fail, which surfaces as a 400.
|
||||
const maxAPIBodyBytes = 2 << 20
|
||||
|
||||
// limitBody wraps each request body in an http.MaxBytesReader so handlers can't
|
||||
// be made to read an unbounded payload. Paths under any of exemptPrefixes are
|
||||
// left alone (e.g. image uploads, which set their own, larger limit).
|
||||
func limitBody(max int64, exemptPrefixes ...string) func(http.Handler) http.Handler {
|
||||
return func(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
for _, p := range exemptPrefixes {
|
||||
if strings.HasPrefix(r.URL.Path, p) {
|
||||
next.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
}
|
||||
if r.Body != nil {
|
||||
r.Body = http.MaxBytesReader(w, r.Body, max)
|
||||
}
|
||||
next.ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// buildVersion derives a short, stable identifier for the currently embedded
|
||||
// frontend by hashing dist/index.html. Vite stamps content-hashed asset names
|
||||
// into that file each build, so the digest is a reliable "did the deploy
|
||||
|
||||
Reference in New Issue
Block a user