[CR] Limit loginRequestToken length; extract X-Lakefs-Mailbox header

Author: arielshaqed

api/swagger.yml

@@ -3286,12 +3286,13 @@ paths:
   /auth/get-token/release-token/{loginRequestToken}:
     parameters:
       - in: path
-        # The mailbox is secret.  It is identified by the loginRequestToken
-        # - a JWT which is _not_ secret.  So it can safely go in the header.
+        # The mailbox is secret.  It is identified by the loginRequestToken - a JWT which is
+        # _not_ secret.  So this JWT can safely go in a header.
         name: loginRequestToken
         required: true
         schema:
           type: string
+          maxLength: 1024
         description: login request token returned by getTokenRedirect.
     get:                        # Called by opening a URL on the browser!
       tags:

clients/java/api/openapi.yaml

@@ -11,6 +11,7 @@ import (
 	"github.com/skratchdot/open-golang/open"
 	"github.com/spf13/cobra"
 	"github.com/treeverse/lakefs/pkg/api/apigen"
+	"github.com/treeverse/lakefs/pkg/httputil"
 )
 
 const (
@@ -58,7 +59,7 @@ var loginCmd = &cobra.Command{
 		if err != nil {
 			DieErr(fmt.Errorf("parse relative redirect URL %s: %w", header.Get("location"), err))
 		}
-		mailbox := header.Get("x-lakefs-mailbox")
+		mailbox := header.Get(httputil.LoginMailboxHeaderName)
 
 		redirectURL := serverURL.ResolveReference(relativeLocation)
 

clients/python/lakefs_sdk/api/auth_api.py

@@ -884,7 +884,7 @@ func (c *Controller) GetTokenRedirect(w http.ResponseWriter, r *http.Request) {
 	}
 
 	w.Header().Set("Location", redirect.RedirectURL)
-	w.Header().Set("X-LakeFS-Mailbox", redirect.Mailbox)
+	w.Header().Set(httputil.LoginMailboxHeaderName, redirect.Mailbox)
 
 	writeResponse(w, r, http.StatusOK, nil)
 }

clients/python/lakefs_sdk/api/experimental_api.py

@@ -1,5 +1,6 @@
 package httputil
 
 const (
-	RequestIDHeaderName = "X-Request-ID"
+	RequestIDHeaderName    = "X-Request-ID"
+	LoginMailboxHeaderName = "X-LakeFS-Mailbox"
 )