media: enforce a filesize limit on uploads

src/config.ts

@@ -111,6 +111,10 @@ const Conf = {
 
     return value;
   },
+  /** Max upload size for files in number of bytes. Default 100MiB. */
+  get maxUploadSize() {
+    return Number(Deno.env.get('MAX_UPLOAD_SIZE') || 100 * 1024 * 1024);
+  },
   /** Domain of the Ditto server as a `URL` object, for easily grabbing the `hostname`, etc. */
   get url() {
     return new URL(Conf.localDomain);

src/controllers/api/media.ts

@@ -5,9 +5,13 @@ import { fileSchema } from '@/schema.ts';
 import { configUploader as uploader } from '@/uploaders/config.ts';
 import { parseBody } from '@/utils/web.ts';
 
+const uploadSchema = fileSchema
+  .refine((file) => !!file.type, 'File type is required.')
+  .refine((file) => file.size <= Conf.maxUploadSize, 'File size is too large.');
+
 const mediaBodySchema = z.object({
-  file: fileSchema.refine((file) => !!file.type),
-  thumbnail: fileSchema.optional(),
+  file: uploadSchema,
+  thumbnail: uploadSchema.optional(),
   description: z.string().optional(),
   focus: z.string().optional(),
 });