Conversation

seapagan (Owner) commented Jan 16, 2026

What

Add max_length constraint to the refresh token field in
TokenRefreshRequest schema, using MAX_JWT_TOKEN_LENGTH constant.

Why

Provides defense-in-depth validation, with Pydantic catching oversized
tokens at the schema level (422) before business logic (401).

Changes

  • Import and use MAX_JWT_TOKEN_LENGTH constant instead of hardcoding
  • Update unit test to expect ValidationError for oversized tokens
  • Remove oversized tokens from integration JWT format validation tests
  • Remove unused MAX_JWT_TOKEN_LENGTH import from integration tests

References

  • SECURITY-REVIEW.md #31

Summary by CodeRabbit

  • Security

    • Implemented maximum length validation for refresh tokens to strengthen authentication security and protect against oversized token vulnerabilities.
  • Changes

    • Updated token validation to detect malformed refresh tokens earlier in the authentication process, improving error handling and system resilience.

Add `max_length=1024` constraint to the refresh token field in
TokenRefreshRequest schema, matching MAX_JWT_TOKEN_LENGTH.

This provides defense-in-depth validation, with Pydantic catching
oversized tokens at the schema level (422) before business logic
(401).

Also updates tests to reflect this behavior change:
- Unit test now expects ValidationError for oversized tokens
- Integration tests no longer test oversized tokens (handled by schema)
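The two-layer behaviour the PR describes (schema-level 422 before business-logic 401), as an added example that is not the project's own code: a Pydantic model with the same `max_length` constraint, a constructed stand-in for the runtime JWT format check, and a dispatcher that returns the status each layer produces. `MAX_JWT_TOKEN_LENGTH = 1024` is the value given in the PR; `looks_like_jwt` and `handle_refresh` are assumptions for illustration.

```python
# Added example (not the project's code). MAX_JWT_TOKEN_LENGTH = 1024 is the value
# stated in the PR; looks_like_jwt() is a constructed stand-in for the runtime
# JWT format check that the business-logic layer performs.
from pydantic import BaseModel, Field, ValidationError

MAX_JWT_TOKEN_LENGTH = 1024  # value stated in the PR


class TokenRefreshRequest(BaseModel):
    """Request body for the refresh endpoint, with the PR's field constraint."""

    refresh: str = Field(
        ..., max_length=MAX_JWT_TOKEN_LENGTH, description="JWT refresh token"
    )


def looks_like_jwt(token: str) -> bool:
    """Stand-in for the runtime JWT format check: three non-empty dot-separated segments."""
    parts = token.split(".")
    return len(parts) == 3 and all(parts)


def handle_refresh(payload: dict) -> tuple[int, str]:
    """Return (HTTP status, detail) as the two validation layers would produce them.

    Layer 1 (schema, 422): Pydantic rejects oversized or missing tokens before any
    business logic runs. Layer 2 (business logic, 401): tokens that pass the schema
    but are not well-formed JWTs are rejected as unauthorized.
    """
    try:
        request = TokenRefreshRequest(**payload)
    except ValidationError as exc:
        # Pydantic v2 reports a max_length breach with the error type "string_too_long".
        return 422, exc.errors()[0]["type"]
    if not looks_like_jwt(request.refresh):
        return 401, "malformed_token"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: oversized, malformed, and well-formed shape.
    print(handle_refresh({"refresh": "a" * (MAX_JWT_TOKEN_LENGTH + 1)}))  # (422, 'string_too_long')
    print(handle_refresh({"refresh": "not-a-jwt"}))  # (401, 'malformed_token')
    print(handle_refresh({"refresh": "header.payload.signature"}))  # (200, 'ok')
```

A token of exactly `MAX_JWT_TOKEN_LENGTH` characters still passes the schema layer, so the boundary check is inclusive and the format check remains the last line of defence for well-sized garbage.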
coderabbitai bot commented Jan 16, 2026

Walkthrough

The changes implement schema-level validation for JWT refresh tokens by adding a max_length constraint aligned with MAX_JWT_TOKEN_LENGTH. This shifts oversized token rejection from runtime JWT validation to earlier schema validation, establishing defence-in-depth at the request boundary.

Changes

Cohort / File(s) and Summary

  • Schema Validation Enhancement (app/schemas/request/auth.py)
    Added MAX_JWT_TOKEN_LENGTH import and updated the TokenRefreshRequest.refresh field with a Field(..., max_length=MAX_JWT_TOKEN_LENGTH, description="JWT refresh token") constraint for schema-level token size validation.
  • Integration Test Updates (tests/integration/test_auth_routes.py)
    Removed MAX_JWT_TOKEN_LENGTH import; updated test_verify_malformed_jwt_tokens and test_refresh_malformed_jwt_tokens to reflect that oversized tokens are now rejected at the schema validation (422) level instead of JWT format validation (401), with oversized test cases removed from malformed token lists.
  • Unit Test Updates (tests/unit/test_auth_manager.py)
    Added ValidationError import; updated test_refresh_oversized_token to expect ValidationError during schema construction rather than during AuthManager.refresh, with the assertion changed to verify the "string_too_long" error message.
  • Documentation (SECURITY-REVIEW.md)
    Updated documentation describing the schema-level max_length constraint addition and validation flow changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

security

Poem

🐰 A token walks up to the gate,
But the schema says "You're too great!"
No more runtime sighs,
Validation's now wise,
Defence-in-depth makes security straight!

Pre-merge checks: 3 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: adding a max_length constraint to the refresh token schema field in the TokenRefreshRequest class.
  • Docstring Coverage: Passed. Docstring coverage is 100.00%, which is sufficient. The required threshold is 80.00%.

@seapagan seapagan self-assigned this Jan 16, 2026
@seapagan seapagan added the enhancement New feature or request label Jan 16, 2026
codacy-production

Coverage summary from Codacy

Coverage variation: +0.00% (target: -1.00%)
Diff coverage: 100.00%

Coverage variation details (coverable lines / covered lines / coverage):
  • Common ancestor commit (9fc3bb2): 2440 / 2440 / 100.00%
  • Head commit (6edae7d): 2441 (+1) / 2441 (+1) / 100.00% (+0.00%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details (coverable lines / covered lines / diff coverage):
  • Pull request (#818): 2 / 2 / 100.00%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

@seapagan seapagan added security Security Fixes and removed enhancement New feature or request labels Jan 16, 2026
@seapagan seapagan merged commit a233ebc into main Jan 16, 2026
18 checks passed
@seapagan seapagan deleted the fix/refresh-token-max-length branch January 16, 2026 21:57