GRO-2294: Route Optimization security hardening (geocode-batch limit cap + redact settings secret) (#193)

2026-06-09 06:17:42 +00:00
parent cd2f60e282
commit fe412933ea
7 changed files with 219 additions and 4 deletions
@@ -12,6 +12,12 @@ import {

 export const clientsRouter = new Hono<AppEnv>();

+// Batch-geocode bounds (GRO-2294): default 50, hard cap 500. The cap bounds how
+// long one synchronous request stays open and the per-request external API cost
+// when routeOptimizationProvider = "google".
+const GEOCODE_BATCH_DEFAULT_LIMIT = 50;
+const GEOCODE_BATCH_MAX_LIMIT = 500;
+
 type ClientRow = typeof clients.$inferSelect;

 /**
@@ -185,12 +191,15 @@ clientsRouter.post("/:clientId/geocode", async (c) => {
 clientsRouter.post("/geocode-batch", async (c) => {
  const db = getDb();
  const limitRaw = c.req.query("limit");
-  let limit = 50;
+  let limit = GEOCODE_BATCH_DEFAULT_LIMIT;
  if (limitRaw !== undefined) {
    limit = Number(limitRaw);
    if (!Number.isFinite(limit) || limit <= 0) {
      return c.json({ error: "limit must be a positive integer" }, 400);
    }
+    // Clamp to the documented maximum to bound synchronous request duration
+    // and (for the Google provider) per-request external API cost.
+    limit = Math.min(Math.floor(limit), GEOCODE_BATCH_MAX_LIMIT);
  }
  const summary = await geocodeUngeocodedClients(db, limit);
  return c.json(summary);