Add request body size limits to plugin HTTP endpoints

[nevyangelova]

Summary

• Enforce a maximum request body size on all plugin HTTP endpoints to improve input handling consistency

Ticket

https://mattermost.atlassian.net/browse/MM-68164

Change Impact: 🟡 Medium

Reasoning: The PR enforces a global 1 MB request body size limit for all plugin HTTP endpoints via http.MaxBytesReader in the central ServeHTTP handler—an isolated, focused change but one that introduces a new behavioral constraint across multiple endpoints which may break legitimate larger payloads.

Regression Risk: Medium. The change uniformly affects all plugin endpoints (including webhook, OAuth flows, deauthorization, and API routes) where previously only some handlers had explicit limits; tests were added/updated but response status behavior can vary (400 vs 413), and callers relying on larger request bodies or specific status codes may be impacted.

QA Recommendation: Perform manual and automated tests sending payloads around the 1 MB boundary (e.g., ~900 KB, 1 MB, 1.1 MB) against all public endpoints—prioritize /webhook, /deauthorization, /oauth2/complete, and /api/v1/*—and verify consistent error responses and client compatibility. Skip manual QA only if telemetry confirms all requests are well below 1 MB and clients tolerate 400/413 responses.

Generated by CodeRabbitAI

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 2a427f71-2574-41c4-a85a-6776d1ebd01c

📥 Commits

Reviewing files that changed from the base of the PR and between 0a08a97 and 996fc45.

📒 Files selected for processing (1)

• server/webhook.go

✅ Files skipped from review due to trivial changes (1)

• server/webhook.go

---

📝 Walkthrough

Walkthrough

Global request body size limit (1 MB) added and applied via http.MaxBytesReader in the HTTP entrypoint; webhook handlers updated to use the shared limit; tests adjusted and a new deauthorization oversized-body test added.

Changes

Cohort / File(s)	Summary
HTTP entrypoint server/http.go	Added maxRequestBodySize = 1 << 20 (1 MB) and wrapped r.Body with http.MaxBytesReader(w, r.Body, maxRequestBodySize) in (*Plugin).ServeHTTP.
Webhook handling server/webhook.go	Replaced maxWebhookBodySize usage with the shared maxRequestBodySize for webhook body reads/validation; maxDownloadSize unchanged.
Tests server/webhook_test.go	Updated TestWebhookBodyTooLarge to use maxRequestBodySize and accept 400 or 413; added TestDeauthorizationBodyTooLarge to assert oversized POST to /deauthorization returns 400 or 413 and ensures response body closure; stubs license retrieval in new test.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I nibble bytes beneath the moon,

One meg cap hums a steady tune,
Webhooks shrink to proper size,
Deauths too — no bloated surprise,
Hooray, small packets, hop and prune!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding request body size limits to plugin HTTP endpoints, which is reflected across all modified files (http.go, webhook.go, webhook_test.go).

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch MM-68163-request-body-limits

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

server/http.go (1)

85-85: Stabilize the over-limit response instead of relying on MaxBytesReader side effects.

The new tests already had to allow both 400 and 413, which means the final status now depends on the concrete ResponseWriter and each handler's generic decode/read error path. If this limit is part of the HTTP contract, catch *http.MaxBytesError explicitly in the body-reading handlers and return one consistent status (ideally 413) everywhere.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/http.go` at line 85, The current use of r.Body =
http.MaxBytesReader(w, r.Body, maxRequestBodySize) relies on MaxBytesReader side
effects; update all request body-reading/decoding functions (the handlers or
helper(s) that call r.Body.Read/Decode after setting MaxBytesReader) to
explicitly detect a *http.MaxBytesError when reading/parsing the body and return
a consistent 413 response (instead of letting generic decode errors produce
400). Concretely, after reading/decoding (e.g., in your JSON/body decode
helper), check errors.Is(err, http.ErrBodyReadAfterClose) or type-assert err to
*http.MaxBytesError and if matched call http.Error(w, "request body too large",
http.StatusRequestEntityTooLarge) /
w.WriteHeader(http.StatusRequestEntityTooLarge), otherwise proceed with existing
error handling.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@server/http.go`:
- Line 85: The current use of r.Body = http.MaxBytesReader(w, r.Body,
maxRequestBodySize) relies on MaxBytesReader side effects; update all request
body-reading/decoding functions (the handlers or helper(s) that call
r.Body.Read/Decode after setting MaxBytesReader) to explicitly detect a
*http.MaxBytesError when reading/parsing the body and return a consistent 413
response (instead of letting generic decode errors produce 400). Concretely,
after reading/decoding (e.g., in your JSON/body decode helper), check
errors.Is(err, http.ErrBodyReadAfterClose) or type-assert err to
*http.MaxBytesError and if matched call http.Error(w, "request body too large",
http.StatusRequestEntityTooLarge) /
w.WriteHeader(http.StatusRequestEntityTooLarge), otherwise proceed with existing
error handling.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 5a75d59f-c8e9-4da7-bfa4-fe77cab081a1

📥 Commits

Reviewing files that changed from the base of the PR and between a2b6838 and 0a08a97.

📒 Files selected for processing (2)

• server/http.go
• server/webhook_test.go

[avasconcelos114]

Changes look good! Just have one (non-blocking) comment about closing a small gap

[avasconcelos114]

I see that the webhook payload test has been updated to reference maxRequestBodySize instead of maxWebhookBodySize, so we might want to remove maxWebhookBodySize from webhook.go entirely to solely use this new constant in https://github.com/mattermost/mattermost-plugin-zoom/pull/446/changes#diff-e3302fa7fe65284d10a8f46bad75c6e182a9b39a0400fb09f888d0dde5a79bf9R42

[edgarbellot]

+1 to this, the rest looks good to me :)

[edgarbellot]

@nevyangelova LGTM, thank you!