From 2c943872a816adb7a9816e749eace92c4218dd57 Mon Sep 17 00:00:00 2001
From: Alex Gleason
Date: Fri, 8 Sep 2023 16:48:27 -0500
Subject: [PATCH] media: enforce a filesize limit on uploads
---
 src/config.ts | 4 ++++
 src/controllers/api/media.ts | 8 ++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/config.ts b/src/config.ts
index de273e5..c92ad05 100644
--- a/src/config.ts
+++ b/src/config.ts
@@ -111,6 +111,10 @@ const Conf = {
 return value;
 },
+ /** Max upload size for files in number of bytes. Default 100MiB. */
+ get maxUploadSize() {
+ return Number(Deno.env.get('MAX_UPLOAD_SIZE') || 100 * 1024 * 1024);
+ },
 /** Domain of the Ditto server as a `URL` object, for easily grabbing the `hostname`, etc. */
 get url() {
 return new URL(Conf.localDomain);
diff --git a/src/controllers/api/media.ts b/src/controllers/api/media.ts
index 75b8bd8..aa9db27 100644
--- a/src/controllers/api/media.ts
+++ b/src/controllers/api/media.ts
@@ -5,9 +5,13 @@ import { fileSchema } from '@/schema.ts';
 import { configUploader as uploader } from '@/uploaders/config.ts';
 import { parseBody } from '@/utils/web.ts';
+const uploadSchema = fileSchema
+ .refine((file) => !!file.type, 'File type is required.')
+ .refine((file) => file.size <= Conf.maxUploadSize, 'File size is too large.');
+
 const mediaBodySchema = z.object({
- file: fileSchema.refine((file) => !!file.type),
- thumbnail: fileSchema.optional(),
+ file: uploadSchema,
+ thumbnail: uploadSchema.optional(),
 description: z.string().optional(),
 focus: z.string().optional(),
 });
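Review bot: `maxUploadSize` passes the raw `MAX_UPLOAD_SIZE` string through `Number()` without validating the result. A value such as `100MB` becomes `NaN`, so the `file.size <= Conf.maxUploadSize` check in media.ts rejects every upload with "File size is too large.", while `Infinity` or an oversized number silently removes the limit. I would parse once and fall back (or fail at startup) unless the result is a positive safe integer, e.g. `const n = Number(Deno.env.get('MAX_UPLOAD_SIZE')); return Number.isSafeInteger(n) && n > 0 ? n : 100 * 1024 * 1024;`. The doc comment could also state that the value is a plain byte count with no unit suffix. The `Conf` object starts and ends outside this hunk.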
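Review bot: The `file.size <= Conf.maxUploadSize` refinement in `uploadSchema` is evaluated on an already-materialised `File`, so it can only reject an upload after the request body has been received and parsed — presumably by `parseBody` in the controller, which is outside this hunk. That keeps oversized files away from the uploader but likely does not cap the memory or bandwidth a single request can consume; a request-level limit checked before parsing (rejecting on `Content-Length`, or a body-size cap in front of the handler) would cover that. Note also that `file` and `thumbnail` are each allowed the full limit, so one request can carry up to twice `maxUploadSize`. I would record this above the schema, e.g. `/** Per-file cap, checked after the body is parsed; the request body size must be limited separately. */`.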