Add MaxBodySize middleware and update .gitignore for config files

2025-04-20 01:29:13 -05:00
parent 2d724763e1
commit bd455f1782
5 changed files with 45 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@ -25,4 +25,7 @@ go.work
 tmp/*

 # Ignore the build
-member-console
+member-console
+
+# Ignore config files
+site/member-console.yaml
--- a/README.md
+++ b/README.md
@ -7,6 +7,7 @@ Member console application for users to create, acccess, and manage their accoun
 - [ ] Implement backchannel logout
 - [ ] Implement CSRF tokens
 - [ ] Make sure viper's 'env' key will work correctly in production
+- [ ] Should session-secret be generated on startup instead of in the config file?

 ---

--- a/cmd/start.go
+++ b/cmd/start.go
@ -38,6 +38,7 @@ var startCmd = &cobra.Command{
 		stack := middleware.CreateStack(
 			middleware.SecureHeaders,
 			middleware.Logging,
+			middleware.MaxBodySize(1024*1024), // 1MB size limit
 			authConfig.Middleware(),
 		)

--- a/internal/middleware/security.go
+++ b/internal/middleware/security.go
@ -49,3 +49,29 @@ func CSRFMiddleware(store sessions.Store) Middleware {
 		})
 	}
 }
+
+// MaxBodySize limits the maximum size of request bodies
+// size parameter is in bytes
+func MaxBodySize(maxSize int64) Middleware {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// Skip restricting GET, HEAD, and OPTIONS requests as they shouldn't have bodies
+			if r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Check Content-Length header first for efficiency
+			if r.ContentLength > maxSize {
+				http.Error(w, "Request body too large", http.StatusRequestEntityTooLarge)
+				return
+			}
+
+			// If Content-Length is not set or potentially spoofed, use LimitReader
+			r.Body = http.MaxBytesReader(w, r.Body, maxSize)
+
+			// Continue to next middleware/handler
+			next.ServeHTTP(w, r)
+		})
+	}
+}
--- a/site/sample.member-console.yaml
+++ b/site/sample.member-console.yaml
@ -0,0 +1,13 @@
+# WARNING - DO NOT USE THIS IN PRODUCTION
+# This is a local development configuration file
+# It is used to configure the member console application
+# to connect to the local Keycloak server
+# This file is not secure and should not be used in production
+# It is only used for local development purposes only
+
+port: 8081
+client-id: "member-console"
+client-secret: ""
+issuer-url: "http://localhost:8080/realms/master"
+hostname: "http://localhost:8081"
+session-secret: ""