fix: add max_length constraint to refresh token schema

Add `max_length=1024` constraint to the refresh token field in
TokenRefreshRequest schema, matching MAX_JWT_TOKEN_LENGTH.

This provides defense-in-depth validation, with Pydantic catching
oversized tokens at the schema level (422) before business logic
(401).

Also updates tests to reflect this behavior change:
- Unit test now expects ValidationError for oversized tokens
- Integration tests no longer test oversized tokens (handled by schema)

Author: seapagan

app/schemas/request/auth.py

@@ -6,7 +6,11 @@
 class TokenRefreshRequest(BaseModel):
     """Request schema for refreshing a JWT token."""
 
-    refresh: str
+    refresh: str = Field(
+        ...,
+        max_length=1024,
+        description="JWT refresh token",
+    )
 
 
 class ForgotPasswordRequest(BaseModel):

tests/integration/test_auth_routes.py

@@ -9,7 +9,6 @@
 
 from app.database.helpers import hash_password, verify_password
 from app.managers.auth import AuthManager
-from app.managers.helpers import MAX_JWT_TOKEN_LENGTH
 from app.managers.user import ErrorMessages as UserErrorMessages
 from app.models.enums import RoleType
 from app.models.user import User
@@ -456,12 +455,13 @@ async def test_verify_malformed_jwt_tokens(
         await test_db.commit()
 
         # Test various malformed JWT formats
+        # Note: Oversized tokens are now rejected at schema validation (422)
+        # rather than JWT format validation (401), so they're tested separately
         malformed_tokens = [
             "not.valid!.jwt",  # Special character
             "only.two",  # Only 2 parts
             "four.dot.separated.parts",  # 4 parts
             "part1.part2&admin=true.part3",  # URL injection attempt
-            "a" * (MAX_JWT_TOKEN_LENGTH + 1) + ".b.c",  # Exceeds max length
             ".part2.part3",  # Empty first part
             "part1..part3",  # Empty middle part
             "part1.part2.",  # Empty last part
@@ -482,12 +482,13 @@ async def test_refresh_malformed_jwt_tokens(
         await test_db.commit()
 
         # Test various malformed JWT formats
+        # Note: Oversized tokens are now rejected at schema validation (422)
+        # rather than JWT format validation (401), so they're tested separately
         malformed_tokens = [
             "not.valid!.jwt",  # Special character
             "only.two",  # Only 2 parts
             "four.dot.separated.parts",  # 4 parts
             "part1.part2&admin=true.part3",  # URL injection attempt
-            "a" * (MAX_JWT_TOKEN_LENGTH + 1) + ".b.c",  # Exceeds max length
             ".part2.part3",  # Empty first part
             "part1..part3",  # Empty middle part
             "part1.part2.",  # Empty last part

tests/unit/test_auth_manager.py

@@ -5,6 +5,7 @@
 import jwt
 import pytest
 from fastapi import BackgroundTasks, HTTPException, status
+from pydantic import ValidationError
 
 from app.config.settings import get_settings
 from app.database.helpers import verify_password
@@ -582,12 +583,11 @@ async def test_refresh_oversized_token(self, test_db) -> None:
         """Test refresh rejects tokens exceeding max length."""
         # Create a token longer than MAX_JWT_TOKEN_LENGTH
         oversized_token = "a" * (MAX_JWT_TOKEN_LENGTH + 1) + ".b.c"
-        with pytest.raises(HTTPException) as exc_info:
-            await AuthManager.refresh(
-                TokenRefreshRequest(refresh=oversized_token), test_db
-            )
-        assert exc_info.value.status_code == status.HTTP_401_UNAUTHORIZED
-        assert exc_info.value.detail == ResponseMessages.INVALID_TOKEN
+        # Schema validation now catches this before business logic
+        with pytest.raises(ValidationError) as exc_info:
+            TokenRefreshRequest(refresh=oversized_token)
+        # Verify it's a string_too_long error
+        assert "string_too_long" in str(exc_info.value).lower()
 
     @pytest.mark.asyncio
     async def test_refresh_url_injection_attempt(self, test_db) -> None: