fraiseql-server 2.2.0

HTTP server for FraiseQL v2 GraphQL engine
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122

//! HTTP header count and size limit middleware.
//!
//! Rejects requests that exceed configured header count or total header byte
//! limits, preventing header-flooding `DoS` attacks that exhaust memory.

use axum::{
    body::Body,
    extract::Request,
    http::StatusCode,
    middleware::Next,
    response::{IntoResponse, Response},
};
use tracing::warn;

/// Middleware that enforces header count and total header byte size limits.
///
/// Returns 431 Request Header Fields Too Large when either limit is exceeded.
pub async fn header_limits_middleware(
    request: Request<Body>,
    next: Next,
    max_header_count: usize,
    max_header_bytes: usize,
) -> Response {
    let headers = request.headers();
    let header_count = headers.len();

    if header_count > max_header_count {
        warn!(header_count, max_header_count, "Request rejected: too many headers");
        return (StatusCode::REQUEST_HEADER_FIELDS_TOO_LARGE, "Too many request headers")
            .into_response();
    }

    let total_bytes: usize =
        headers.iter().map(|(name, value)| name.as_str().len() + value.len()).sum();

    if total_bytes > max_header_bytes {
        warn!(total_bytes, max_header_bytes, "Request rejected: headers too large");
        return (StatusCode::REQUEST_HEADER_FIELDS_TOO_LARGE, "Request headers too large")
            .into_response();
    }

    next.run(request).await
}

#[cfg(test)]
mod tests {
    use axum::{Router, body::Body, middleware, routing::get};
    use http::Request;
    use tower::ServiceExt;

    use super::*;

    async fn ok_handler() -> &'static str {
        "ok"
    }

    fn test_app(max_count: usize, max_bytes: usize) -> Router {
        Router::new()
            .route("/", get(ok_handler))
            .layer(middleware::from_fn(move |req, next| {
                header_limits_middleware(req, next, max_count, max_bytes)
            }))
    }

    #[tokio::test]
    async fn accepts_request_within_limits() {
        let app = test_app(10, 4096);
        let req = Request::builder()
            .uri("/")
            .header("x-test", "value")
            .body(Body::empty())
            .expect("Reason: test request builder should not fail");

        let resp = app.oneshot(req).await.expect("Reason: oneshot should not fail in test");
        assert_eq!(resp.status(), StatusCode::OK);
    }

    #[tokio::test]
    async fn rejects_too_many_headers() {
        let app = test_app(3, 65_536);
        let mut builder = Request::builder().uri("/");
        for i in 0..10 {
            builder = builder.header(format!("x-test-{i}"), "value");
        }
        let req = builder
            .body(Body::empty())
            .expect("Reason: test request builder should not fail");

        let resp = app.oneshot(req).await.expect("Reason: oneshot should not fail in test");
        assert_eq!(resp.status(), StatusCode::REQUEST_HEADER_FIELDS_TOO_LARGE);
    }

    #[tokio::test]
    async fn rejects_headers_too_large() {
        let app = test_app(100, 64); // 64-byte total limit
        let req = Request::builder()
            .uri("/")
            .header("x-large", "a]".repeat(100))
            .body(Body::empty())
            .expect("Reason: test request builder should not fail");

        let resp = app.oneshot(req).await.expect("Reason: oneshot should not fail in test");
        assert_eq!(resp.status(), StatusCode::REQUEST_HEADER_FIELDS_TOO_LARGE);
    }

    #[tokio::test]
    async fn accepts_at_exact_count_limit() {
        let app = test_app(5, 65_536);
        let mut builder = Request::builder().uri("/");
        // Add exactly 5 custom headers (host may be added automatically)
        for i in 0..5 {
            builder = builder.header(format!("x-h-{i}"), "v");
        }
        let req = builder
            .body(Body::empty())
            .expect("Reason: test request builder should not fail");

        let resp = app.oneshot(req).await.expect("Reason: oneshot should not fail in test");
        // With 5 custom headers, total is 5 which is at limit — should pass
        assert_eq!(resp.status(), StatusCode::OK);
    }
}