Skip to content

Request size limiter#1410

Open
zealsham wants to merge 1 commit intopayjoin:masterfrom
zealsham:body-limit
Open

Request size limiter#1410
zealsham wants to merge 1 commit intopayjoin:masterfrom
zealsham:body-limit

Conversation

@zealsham
Copy link
Copy Markdown
Collaborator

@zealsham zealsham commented Mar 12, 2026
edited
Loading

This pr addresses #941, it implements a body size limit layer to reject request whose size is greater than 65536 bytes.

Pull Request Checklist

Please confirm the following before requesting review:

@coveralls
Copy link
Copy Markdown
Collaborator

coveralls commented Mar 12, 2026
edited
Loading

Pull Request Test Coverage Report for Build 23367463396

Details

  • 4 of 5 (80.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage decreased (-0.004%) to 84.121%
Changes Missing Coverage Covered Lines Changed/Added Lines %
payjoin-mailroom/src/directory.rs 4 5 80.0%
Totals Coverage Status
Change from base Build 23300212261: -0.004%
Covered Lines: 10648
Relevant Lines: 12658
💛 - Coveralls

@zealsham zealsham marked this pull request as draft March 12, 2026 18:21
spacebear21
spacebear21 reviewed Mar 13, 2026
View reviewed changes
@zealsham zealsham mentioned this pull request Mar 16, 2026
Closed
@zealsham zealsham marked this pull request as ready for review March 18, 2026 23:55
@zealsham zealsham marked this pull request as draft March 18, 2026 23:58
@zealsham zealsham marked this pull request as ready for review March 19, 2026 15:20
spacebear21
spacebear21 requested changes Mar 19, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@spacebear21 spacebear21 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we are applying the 7168 uniformly across v1 and v2 requests, I don't see the value in extracting v1 routing into its own router? The current approach is also confusing because v1 routing is now seemingly happening in two places, both in v1_post_handler and in directory Service::serve_request

@zealsham
Copy link
Copy Markdown
Collaborator Author

zealsham commented Mar 20, 2026

Since we are applying the 7168 uniformly across v1 and v2 requests, I don't see the value in extracting v1 routing into its own router? The current approach is also confusing because v1 routing is now seemingly happening in two places, both in v1_post_handler and in directory Service::serve_request

I noticed that applying the limiter globally breaked a lot of the integration test. Because the v1 sender never touches the ohttp relay, applying the limiter globally also breaks v2 that communicates via ohttp. my work around was extracting the v1 router (which only applies the limiter) and then route the request to the v1 handlers in the directory.

if we want to still keep the manual size check rather than using tower_http limiter, i can rename v1_max_buffer to max_payload_size , add a size check in post_fallback_v1 and then update the branch name and commit mesage too

@zealsham
Set v1 buffer size to 7168
aad9223 
This PR sets and rename v1_max_buffer_size. The buffer size for
v1 payload is set to 7168 which is same for v2. The variable name
is updated to better reflect what it is. The rationale behind the
change is that it prevents v2 client fetching v1 request from leaking
information about the nature of the request
@zealsham zealsham requested a review from spacebear21 March 23, 2026 16:10
nothingmuch
nothingmuch reviewed Mar 28, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@nothingmuch nothingmuch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if all handled request bodies have a fixed size bound it might make sense to use an array type to pass them around as this could potentially simplify some conversions, perhaps an argument for fixing the size at 7168

payjoin-mailroom/src/directory.rs
pub const BHTTP_REQ_BYTES: usize =
ENCAPSULATED_MESSAGE_BYTES - (CHACHA20_POLY1305_NONCE_LEN + POLY1305_TAG_SIZE);
const V1_MAX_BUFFER_SIZE: usize = 65536;
pub(crate) const MAX_PAYLOAD_SIZE: usize = 7168;
Copy link
Copy Markdown
Contributor

@nothingmuch nothingmuch Mar 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@DanGould has argued correctly that this can be closer to 8104 bytes, but there's a variable element of overhead in OHTTP requests relating to the request URI that makes this a bit tricky. i'm personally happy with this as the limit

@nothingmuch nothingmuch mentioned this pull request Mar 28, 2026
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@spacebear21 spacebear21 Awaiting requested review from spacebear21

1 more reviewer

@nothingmuch nothingmuch nothingmuch left review comments

Reviewers whose approvals may not affect merge requirements

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@zealsham @coveralls @nothingmuch @spacebear21