security: bound Zod inputs, add SSE per-user cap and tRPC body limit (#51, PR #59)

Closes #51 (ESLint rule + conventions doc remain as follow-up). Co-authored-by: Hartmut Nörenberg <hn@hartmut-noerenberg.com> Co-committed-by: Hartmut Nörenberg <hn@hartmut-noerenberg.com>
2026-04-18 13:53:28 +02:00
parent f0251a654a
commit 17471af7f8
12 changed files with 254 additions and 148 deletions
@@ -1,21 +1,21 @@
 import { z } from "zod";

 export const auditLogListInputSchema = z.object({
-  entityType: z.string().optional(),
-  entityId: z.string().optional(),
-  userId: z.string().optional(),
-  action: z.string().optional(),
-  source: z.string().optional(),
+  entityType: z.string().max(64).optional(),
+  entityId: z.string().max(64).optional(),
+  userId: z.string().max(64).optional(),
+  action: z.string().max(32).optional(),
+  source: z.string().max(32).optional(),
  startDate: z.date().optional(),
  endDate: z.date().optional(),
-  search: z.string().optional(),
+  search: z.string().max(200).optional(),
  limit: z.number().min(1).max(100).default(50),
-  cursor: z.string().optional(),
+  cursor: z.string().max(64).optional(),
 });

 export const auditLogByEntityInputSchema = z.object({
-  entityType: z.string(),
-  entityId: z.string(),
+  entityType: z.string().max(64),
+  entityId: z.string().max(64),
  limit: z.number().min(1).max(200).default(50),
 });