Skip to content

feat: request body limit #1150

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

feat: request body limit #1150

wants to merge 2 commits into from
+251 −0

Conversation

@productdevbook
Copy link
Member

Summary

This PR introduces a new plugin system for limiting request body sizes in H3 applications, addressing the issue raised in #859.

Features

  • 🔌 Plugin-based approach for flexible body size limiting
  • 🎯 Route-specific limits with include/exclude patterns
  • ⚡ Performance-optimized with Content-Length header checking
  • 🧪 Comprehensive test coverage

Usage

import { defineBodySizeLimitPlugin } from "h3";

const bodySizeLimit = defineBodySizeLimitPlugin({
  maxSize: 1024 * 1024, // 1MB
  routes: ["/api/upload", /^\/api\/files/],
  exclude: ["/api/large-upload"]
});

app.register(bodySizeLimit);

Why Plugin Approach?

Instead of adding maxBodySize directly to route definitions, this plugin approach provides:

  • Better performance (no overhead when not needed)
  • More flexibility (apply to multiple routes at once)
  • Cleaner separation of concerns
  • Easy to enable/disable globally

Test Coverage

  • ✅ Global body size limiting
  • ✅ Route-specific limiting with patterns
  • ✅ Route exclusion functionality
  • ✅ Integration with defineRoute

Closes #859

@productdevbook
feat: add defineBodySizeLimitPlugin for request body size limiting
42f262a 
- Create a plugin-based approach for body size limiting
- Support route-specific limits with include/exclude patterns
- Add comprehensive tests for the plugin
- Addresses #859
@productdevbook productdevbook requested a review from pi0 as a code owner July 7, 2025 09:19
@cloudflare-workers-and-pages
Copy link

cloudflare-workers-and-pages bot commented Jul 7, 2025
edited
Loading

Deploying h3dev with  Cloudflare Pages  Cloudflare Pages

Latest commit: 30c23e9
Status: ✅  Deploy successful!
Preview URL: https://76ed8f69.h3dev.pages.dev
Branch Preview URL: https://feat-body-size-limit-plugin.h3dev.pages.dev

View logs

@codecov
Copy link

codecov bot commented Jul 7, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

📢 Thoughts on this report? Let us know!

OskarLebuda
OskarLebuda requested changes Jul 7, 2025
View reviewed changes
@productdevbook productdevbook marked this pull request as draft July 7, 2025 10:33
pi0
pi0 reviewed Jul 7, 2025
View reviewed changes
src/utils/body-limit.ts
* app.register(bodySizeLimit);
* ```
*/
export function defineBodySizeLimitPlugin(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should be a middleware not a plugin to apply in places needed.

With middleware, pattern and route matching can be defined also on definition therefore we do not need to (re)implement logic inside this utility.

pi0
pi0 reviewed Jul 7, 2025
View reviewed changes
src/utils/body-limit.ts
}

// Check Content-Length header first
const contentLength = event.req.headers.get("content-length");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not a safe implementation as @OskarLebuda pointed out. content-length can be faked.

We need to both check header and transform body stream into another controller that force-stops reading body as soon as max length is reached.

pi0
pi0 requested changes Jul 7, 2025
View reviewed changes
Copy link
Member

@pi0 pi0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for PR ❤️ We need some changes:

  • Implementation should return a middleware
  • Implementation should not do pattern matching (middleware already do it)
  • Implementation should also validate stream length other than simple header check

@pi0 pi0 changed the title feat: add defineBodySizeLimitPlugin for request body size limiting feat: request body limit Jul 7, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pi0 pi0 pi0 requested changes

@OskarLebuda OskarLebuda OskarLebuda requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Limit upload size

3 participants

@productdevbook @pi0 @OskarLebuda