From b1f754831a083f092990d05997a34594b5ca6d8b Mon Sep 17 00:00:00 2001
From: Ryan Hamamura <58859899+ryanhamamura@users.noreply.github.com>
Date: Wed, 11 Mar 2026 10:19:03 -1000
Subject: [PATCH] fix: limit request body size on auth form handlers (gosec G120)
---
 features/auth/handlers.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/features/auth/handlers.go b/features/auth/handlers.go
index 8a581a3..1c3bea0 100644
--- a/features/auth/handlers.go
+++ b/features/auth/handlers.go
@@ -39,6 +39,7 @@ func HandleRegisterPage() http.HandlerFunc {
 func HandleLogin(queries *repository.Queries, sessions *scs.SessionManager) http.HandlerFunc {
 return func(w http.ResponseWriter, r *http.Request) {
+ r.Body = http.MaxBytesReader(w, r.Body, 1024)
 username := r.FormValue("username")
 password := r.FormValue("password")
@@ -73,6 +74,7 @@ func HandleLogin(queries *repository.Queries, sessions *scs.SessionManager) http
 func HandleRegister(queries *repository.Queries, sessions *scs.SessionManager) http.HandlerFunc {
 return func(w http.ResponseWriter, r *http.Request) {
+ r.Body = http.MaxBytesReader(w, r.Body, 1024)
 username := r.FormValue("username")
 password := r.FormValue("password")
 confirm := r.FormValue("confirm")
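Review bot: In HandleLogin the new `http.MaxBytesReader` cap is followed directly by `r.FormValue`, which discards the error from its implicit form parse, so an oversized body is not rejected at this point; the handler carries on with whatever was parsed (possibly empty values, or values from the URL query string, which `FormValue` also reads). Consider parsing explicitly right after the cap, `if err := r.ParseForm(); err != nil { http.Error(w, "invalid form", http.StatusBadRequest); return }`, and reading the credentials with `r.PostFormValue` so they are only accepted from the request body. The same applies to the second hunk in HandleRegister. The literal `1024` is repeated in both handlers; a single named constant with a comment stating the intended limit would keep them in sync. Both handler bodies continue outside the hunks, so how empty values are treated further down is not visible here.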