
#1896 Resolves issue #1669, Limits CVE-API-USER header length before authentication logging.

Merged: jdaigneau5 merged 2 commits into dev from dr_1869 on Jun 30, 2026

Conversation

@david-rocca (Collaborator)

Closes Issue #1869

Summary

Rejects overlong CVE-API-USER auth headers before request context creation can pass them into authentication logs.

Important Changes

src/constants/index.js

  • Added MAX_USERNAME_LENGTH set to 128.

src/middleware/middleware.js

  • Validates CVE-API-USER length in createCtxAndReqUUID.
  • Returns 400 BAD_REQUEST without echoing the submitted username when the header exceeds 128 characters.

test/integration-tests/middleware/authenticatedContextTest.js

  • Added regression coverage for a 129-character CVE-API-USER header.

@david-rocca david-rocca linked an issue Jun 30, 2026 that may be closed by this pull request
@jdaigneau5 jdaigneau5 merged commit cbc1b23 into dev Jun 30, 2026
9 checks passed

Development: successfully merging this pull request may close the linked issue "createCtxAndReqUUID can place very long strings in req.ctx".

2 participants