uat→main (PROD): GRO-2294 Route Optimization security hardening (frozen @2566fb8) (#197)

feat(security): GRO-2294 Route Optimization security hardening [squash] Co-authored-by: Flea Flicker <22+gb_flea@noreply.git.farh.net> Co-committed-by: Flea Flicker <22+gb_flea@noreply.git.farh.net>
2026-06-09 07:38:02 +00:00
parent e9ad92de01
commit 2b92c2ab6c
5 changed files with 206 additions and 4 deletions
@@ -12,6 +12,12 @@ import {

 export const clientsRouter = new Hono<AppEnv>();

+// Batch-geocode bounds (GRO-2294): default 50, hard cap 500. The cap bounds how
+// long one synchronous request stays open and the per-request external API cost
+// when routeOptimizationProvider = "google".
+const GEOCODE_BATCH_DEFAULT_LIMIT = 50;
+const GEOCODE_BATCH_MAX_LIMIT = 500;
+
 type ClientRow = typeof clients.$inferSelect;

 /**
@@ -185,12 +191,15 @@ clientsRouter.post("/:clientId/geocode", async (c) => {
 clientsRouter.post("/geocode-batch", async (c) => {
  const db = getDb();
  const limitRaw = c.req.query("limit");
-  let limit = 50;
+  let limit = GEOCODE_BATCH_DEFAULT_LIMIT;
  if (limitRaw !== undefined) {
    limit = Number(limitRaw);
    if (!Number.isFinite(limit) || limit <= 0) {
      return c.json({ error: "limit must be a positive integer" }, 400);
    }
+    // Clamp to the documented maximum to bound synchronous request duration
+    // and (for the Google provider) per-request external API cost.
+    limit = Math.min(Math.floor(limit), GEOCODE_BATCH_MAX_LIMIT);
  }
  const summary = await geocodeUngeocodedClients(db, limit);
  return c.json(summary);