Merge pull request #818 from seapagan/fix/refresh-token-max-length

fix: add max_length constraint to refresh token schema

Author: seapagan

SECURITY-REVIEW.md

@@ -526,12 +526,17 @@
 
 ### 31. Missing Max Length on Token Refresh Schema
 
+> [!NOTE]
+> ✅ **Done**: Added `max_length=1024` to refresh token field, matching
+> MAX_JWT_TOKEN_LENGTH. This provides defense-in-depth validation with
+> Pydantic catching oversized tokens at schema level. See PR #818.
+
 **Location**: `app/schemas/request/auth.py:6-9`
 
-- **Issue**: Refresh token field has no length validation in schema. While the
-  endpoint validates format (auth.py:174-181), the schema itself has no
+- **Issue**: Refresh token field had no length validation in schema. While the
+  endpoint validated format (auth.py:174-181), the schema itself had no
   constraints.
-- **Fix**: Add `max_length` and `min_length` to schema for defense in depth.
+- **Fix**: Add `max_length` to schema for defense in depth.
 
 ### 32. Bcrypt Work Factor Not Configurable
 

app/schemas/request/auth.py

@@ -2,11 +2,17 @@
 
 from pydantic import BaseModel, EmailStr, Field
 
+from app.managers.helpers import MAX_JWT_TOKEN_LENGTH
+
 
 class TokenRefreshRequest(BaseModel):
     """Request schema for refreshing a JWT token."""
 
-    refresh: str
+    refresh: str = Field(
+        ...,
+        max_length=MAX_JWT_TOKEN_LENGTH,
+        description="JWT refresh token",
+    )
 
 
 class ForgotPasswordRequest(BaseModel):

tests/integration/test_auth_routes.py

@@ -9,7 +9,6 @@
 
 from app.database.helpers import hash_password, verify_password
 from app.managers.auth import AuthManager
-from app.managers.helpers import MAX_JWT_TOKEN_LENGTH
 from app.managers.user import ErrorMessages as UserErrorMessages
 from app.models.enums import RoleType
 from app.models.user import User
@@ -456,12 +455,13 @@ async def test_verify_malformed_jwt_tokens(
         await test_db.commit()
 
         # Test various malformed JWT formats
+        # Note: Oversized tokens are now rejected at schema validation (422)
+        # rather than JWT format validation (401), so they're tested separately
         malformed_tokens = [
             "not.valid!.jwt",  # Special character
             "only.two",  # Only 2 parts
             "four.dot.separated.parts",  # 4 parts
             "part1.part2&admin=true.part3",  # URL injection attempt
-            "a" * (MAX_JWT_TOKEN_LENGTH + 1) + ".b.c",  # Exceeds max length
             ".part2.part3",  # Empty first part
             "part1..part3",  # Empty middle part
             "part1.part2.",  # Empty last part
@@ -482,12 +482,13 @@ async def test_refresh_malformed_jwt_tokens(
         await test_db.commit()
 
         # Test various malformed JWT formats
+        # Note: Oversized tokens are now rejected at schema validation (422)
+        # rather than JWT format validation (401), so they're tested separately
         malformed_tokens = [
             "not.valid!.jwt",  # Special character
             "only.two",  # Only 2 parts
             "four.dot.separated.parts",  # 4 parts
             "part1.part2&admin=true.part3",  # URL injection attempt
-            "a" * (MAX_JWT_TOKEN_LENGTH + 1) + ".b.c",  # Exceeds max length
             ".part2.part3",  # Empty first part
             "part1..part3",  # Empty middle part
             "part1.part2.",  # Empty last part

tests/unit/test_auth_manager.py

@@ -5,6 +5,7 @@
 import jwt
 import pytest
 from fastapi import BackgroundTasks, HTTPException, status
+from pydantic import ValidationError
 
 from app.config.settings import get_settings
 from app.database.helpers import verify_password
@@ -582,12 +583,11 @@ async def test_refresh_oversized_token(self, test_db) -> None:
         """Test refresh rejects tokens exceeding max length."""
         # Create a token longer than MAX_JWT_TOKEN_LENGTH
         oversized_token = "a" * (MAX_JWT_TOKEN_LENGTH + 1) + ".b.c"
-        with pytest.raises(HTTPException) as exc_info:
-            await AuthManager.refresh(
-                TokenRefreshRequest(refresh=oversized_token), test_db
-            )
-        assert exc_info.value.status_code == status.HTTP_401_UNAUTHORIZED
-        assert exc_info.value.detail == ResponseMessages.INVALID_TOKEN
+        # Schema validation now catches this before business logic
+        with pytest.raises(ValidationError) as exc_info:
+            TokenRefreshRequest(refresh=oversized_token)
+        # Verify it's a string_too_long error
+        assert "string_too_long" in str(exc_info.value).lower()
 
     @pytest.mark.asyncio
     async def test_refresh_url_injection_attempt(self, test_db) -> None: