fix: cap expires in and return bad request #1020

Merged: ferhatelmas merged 1 commit into master from ferhat/cap-expires on Apr 15, 2026

@ferhatelmas (Member)

What kind of change does this PR introduce?

fix

What is the current behavior?

The schema only validates the type for expiresIn but doesn't cap the max value, so an invalid value can bubble up as a 500 while signing.

What is the new behavior?

Cap the value to a safe range and bubble it up as a 400 invalid parameter.

ferhatelmas requested a review from a team as a code owner April 15, 2026 08:34
Copilot AI review requested due to automatic review settings April 15, 2026 08:34
Copilot AI left a comment

Pull request overview

This PR prevents oversized expiresIn values from causing internal signing failures by bounding/validating the parameter and returning a client-facing 400 error instead of a 500 during JWT signing for signed object URLs.

Changes:

  • Add a maximum constraint for expiresIn in the signed URL and batch signed URL request schemas.
  • Harden JWT signing by validating numeric expirations and converting jose expiration-setting failures into InvalidParameter (400).
  • Add tests to assert oversized expiresIn is rejected for single/batch signed URL routes and for signJWT().

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| src/internal/auth/jwt.ts | Adds MAX bound constant and validates/guards expiration handling in signJWT. |
| src/http/routes/object/getSignedURL.ts | Caps expiresIn in the single signed URL route body schema. |
| src/http/routes/object/getSignedURLs.ts | Caps expiresIn in the batch signed URLs route body schema. |
| src/test/jwt.test.ts | Adds coverage ensuring signJWT() rejects oversized numeric expirations as InvalidParameter. |
| src/test/object.test.ts | Adds route-level coverage ensuring oversized expiresIn is rejected before signing (single + batch). |
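
An added TypeScript sketch of the behaviour described in this PR, not the project's code and not part of the PR: an `expiresIn` that passes a type-only check makes a signer throw and surfaces as a 500, while a range check in front of it yields a 400. `MAX_EXPIRES_IN_SECONDS`, `signWithExpiry`, `checkExpiresIn`, `respond` and the two route helpers are hypothetical names, the cap value is an assumption, and the stand-in signer fails through an out-of-range `Date`, which is one way an oversized duration can throw and not necessarily how jose fails.

```typescript
// Hypothetical cap (one year in seconds); the PR's real constant is not shown on the page.
const MAX_EXPIRES_IN_SECONDS = 60 * 60 * 24 * 365

// Client error carrying the HTTP status the PR wants: 400 instead of 500.
class InvalidParameter extends Error {
  statusCode = 400
}

// Stand-in signer (not jose): like date-based expiry code, it throws on out-of-range input.
function signWithExpiry(expiresIn: number, nowMs: number): string {
  const exp = new Date(nowMs + expiresIn * 1000) // Invalid Date beyond +/-8.64e15 ms
  return 'exp=' + exp.toISOString() // RangeError when the Date is invalid
}

// The guard: a type check alone lets 1e16 through, so bound the range as well.
function checkExpiresIn(value: unknown): number {
  const ok =
    typeof value === 'number' &&
    isFinite(value) &&
    Math.floor(value) === value &&
    value > 0 &&
    value <= MAX_EXPIRES_IN_SECONDS
  if (!ok) {
    throw new InvalidParameter('expiresIn must be an integer between 1 and ' + MAX_EXPIRES_IN_SECONDS)
  }
  return value as number
}

// Minimal error handler: known client errors keep their status, anything else is a 500.
function respond(action: () => string): { status: number; body: string } {
  try {
    return { status: 200, body: action() }
  } catch (e) {
    const status = (e as { statusCode?: number }).statusCode ?? 500
    return { status, body: (e as Error).message }
  }
}

// Before: only the type is known to be number, so the signer's exception surfaces as 500.
function unguardedRoute(expiresIn: number, nowMs: number) {
  return respond(() => signWithExpiry(expiresIn, nowMs))
}

// After: the bound is enforced first, so the same input is rejected as 400.
function guardedRoute(expiresIn: unknown, nowMs: number) {
  return respond(() => signWithExpiry(checkExpiresIn(expiresIn), nowMs))
}
```

Enforcing the bound in both the request schema and the signing helper, as the PR's file list describes, means callers that reach the signer without going through the route schema still get the 400.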

coveralls commented Apr 15, 2026

Coverage Report for CI Build 24459457204

Coverage increased (+60.4%) to 82.475%

Details

  • Coverage increased (+60.4%) from the base build.
  • Patch coverage: 2 uncovered changes across 1 file (49 of 51 lines covered, 96.08%).
  • No coverage regressions found.

Uncovered Changes

| File | Changed | Covered | % |
| --- | --- | --- | --- |
| src/internal/auth/jwt.ts | 37 | 35 | 94.59% |

Coverage Regressions

No coverage regressions found.


Coverage Stats

Coverage Status
Relevant Lines: 33991
Covered Lines: 30504
Line Coverage: 89.74%
Relevant Branches: 7463
Covered Branches: 3685
Branch Coverage: 49.38%
Branches in Coverage %: Yes
Coverage Strength: 348.96 hits per line

💛 - Coveralls

Copilot AI left a comment

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Copilot AI left a comment

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated no new comments.

ferhatelmas force-pushed the ferhat/cap-expires branch 2 times, most recently from 4dc4b68 to c9e55f2, April 15, 2026 09:59
Signed-off-by: ferhat elmas <elmas.ferhat@gmail.com>
ferhatelmas merged commit 2e9e383 into master Apr 15, 2026
9 checks passed
ferhatelmas deleted the ferhat/cap-expires branch April 15, 2026 14:24