fix(FTL-17164): limit message deletion to 100 per request and limit l…

…ist to 100 (#62)
affinidi · Oct 10, 2024 · b1653ca · b1653ca
1 parent 0777430
commit b1653ca
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 3 deletions.
diff --git a/affinidi-messaging-mediator/src/database/list.rs b/affinidi-messaging-mediator/src/database/list.rs
@@ -7,6 +7,8 @@ use crate::common::errors::MediatorError;
 
 use super::DatabaseHandler;
 
+const MAX_MESSAGES_LIMIT: usize = 100;
+
 impl DatabaseHandler {
     /// Retrieves list of messages for the specified DID and folder
     /// The folder can be either Inbox or Outbox
@@ -43,6 +45,8 @@ impl DatabaseHandler {
                 .arg(&key)
                 .arg(start)
                 .arg(end)
+                .arg("COUNT")
+                .arg(MAX_MESSAGES_LIMIT)
                 .query_async(&mut conn)
                 .await
                 .map_err(|err| {

diff --git a/affinidi-messaging-mediator/src/handlers/message_delete.rs b/affinidi-messaging-mediator/src/handlers/message_delete.rs
@@ -8,10 +8,10 @@ use serde::{Deserialize, Serialize};
 use tracing::{debug, span, warn, Instrument, Level};
 
 use crate::{
-    common::errors::{AppError, Session, SuccessResponse},
+    common::errors::{AppError, MediatorError, Session, SuccessResponse},
     SharedData,
 };
-
+const MAX_MESSAGES_TO_DELETE_LIMIT: usize = 100;
 #[derive(Serialize, Deserialize, Debug, Default, Clone)]
 pub struct ResponseData {
     pub body: String,
@@ -34,6 +34,16 @@ pub async fn message_delete_handler(
     );
     async move {
         debug!("Deleting ({}) messages", body.message_ids.len());
+        if body.message_ids.len() > MAX_MESSAGES_TO_DELETE_LIMIT {
+            return Err(MediatorError::RequestDataError(
+                session.session_id.clone(),
+                format!(
+                    "Operation exceeds the allowed limit. You may delete a maximum of 100 messages per request. Received {} ids.",
+                    body.message_ids.len()
+                ),
+            )
+            .into());
+        }
         let mut deleted: DeleteMessageResponse = DeleteMessageResponse::default();
 
         for message in &body.message_ids {

diff --git a/affinidi-messaging-sdk/src/messages/delete.rs b/affinidi-messaging-sdk/src/messages/delete.rs
@@ -4,6 +4,8 @@ use crate::{errors::ATMError, messages::SuccessResponse, ATM};
 
 use super::{DeleteMessageRequest, DeleteMessageResponse};
 
+const MAX_MESSAGES_TO_DELETE_LIMIT: usize = 100;
+
 impl<'c> ATM<'c> {
     /// Delete messages from ATM
     /// - messages: List of message_ids to delete
@@ -15,7 +17,12 @@ impl<'c> ATM<'c> {
 
         // Check if authenticated
         let tokens = self.authenticate().await?;
-
+        if messages.message_ids.len() > MAX_MESSAGES_TO_DELETE_LIMIT {
+            return  Err(ATMError::MsgSendError(format!(
+                "Operation exceeds the allowed limit. You may delete a maximum of 100 messages per request. Received {} ids.",
+                messages.message_ids.len()
+            )));
+        }
         let msg = serde_json::to_string(messages).map_err(|e| {
             ATMError::TransportError(format!(
                 "Could not serialize delete message request: {:?}",