Add request body limits, per-endpoint timeouts, and rate limiting

[haasonsaas]

Summary

The HTTP layer accepts requests of any size with no timeout and no rate limiting. This is a DoS surface.

Current state

• internal/api/httpapi/server.go — no http.MaxBytesReader on request bodies
• cmd/asb-api/main.go — no http.Server.ReadTimeout / WriteTimeout / IdleTimeout
• No rate limiting per tenant, per session, or per IP
• No CORS headers (relevant if a browser extension or frontend hits the API directly)

Required work

• Add http.MaxBytesReader to all handlers — 1MB default, configurable
• Set server timeouts: ReadTimeout (10s), WriteTimeout (30s), IdleTimeout (120s) — configurable
• Add per-endpoint timeout context: grant requests and proxy execution may need longer than session creation
• Implement rate limiting middleware:
  • Per-tenant token bucket for grant requests
  • Per-handle rate limit for proxy execution (in addition to budget)
  • Global rate limit as a safety valve
• Add CORS middleware if browser-origin requests are expected
• Validate Content-Type: application/json on all JSON endpoints

Files

• cmd/asb-api/main.go — server timeouts
• internal/api/httpapi/server.go — body limits, content-type validation, rate limiting middleware

Priority

Medium — important for any internet-exposed deployment.

🤖 Generated with Claude Code