Merge pull request #131 from cloudflare/sven/MOW-113

MOW-113: limit status attachements

backend/src/errors/index.ts

@@ -41,3 +41,7 @@ export function internalServerError(): Response {
 export function statusNotFound(): Response {
 	return generateErrorResponse('Status not found', 404)
 }
+
+export function exceededLimit(detail: string): Response {
+	return generateErrorResponse('Limit exceeded', 400, detail)
+}

backend/test/mastodon/statuses.spec.ts

@@ -608,5 +608,25 @@ describe('Mastodon APIs', () => {
 				assert.equal(row.in_reply_to_object_id, note.id.toString())
 			}
 		})
+
+		test('create new status with too many image', async () => {
+			const db = await makeDB()
+			const queue = makeQueue()
+			const actor = await createPerson(domain, db, userKEK, 'sven@cloudflare.com')
+
+			const body = {
+				status: 'my status',
+				media_ids: ['id', 'id', 'id', 'id', 'id'],
+				visibility: 'public',
+			}
+			const req = new Request('https://example.com', {
+				method: 'POST',
+				headers: { 'content-type': 'application/json' },
+				body: JSON.stringify(body),
+			})
+
+			const res = await statuses.handleRequest(req, db, actor, userKEK, queue, kv_cache)
+			assert.equal(res.status, 400)
+		})
 	})
 })

functions/api/v1/statuses.ts

@@ -59,6 +59,10 @@ export async function handleRequest(
 
 	const mediaAttachments: Array<Document> = []
 	if (body.media_ids && body.media_ids.length > 0) {
+		if (body.media_ids.length > 4) {
+			return errors.exceededLimit('up to 4 images are allowed')
+		}
+
 		for (let i = 0, len = body.media_ids.length; i < len; i++) {
 			const id = body.media_ids[i]
 			const document = await getObjectByMastodonId(db, id)