feat: add comprehensive resource protection to database schemas

- Add resource limits constants to prevent resource exhaustion attacks
- Implement database-level CHECK constraints for large text/JSONB fields
- Add varchar length limits for all text fields across all schemas
- Replace magic numbers with well-documented constants
- Protect against large journal entries, pages, and AI prompts

Resource limits implemented:
- Text chunks: 1MB max
- Block data: 10MB max
- JSONB metadata: 1MB max
- Page children arrays: 10,000 blocks max
- Various varchar fields with appropriate length limits

Addresses: #39

Author: rmolinamir

packages/api/src/api-router/pages.ts

@@ -41,7 +41,6 @@ export const pagesRouter = {
             .insert(Page)
             .values({
               ...input,
-              children: [],
               document_id: document.id,
               user_id: ctx.session.user.id,
             })

packages/db/src/auth/account.schema.ts

@@ -1,4 +1,5 @@
-import { pgTable, text, timestamp } from "drizzle-orm/pg-core";
+import { pgTable, text, timestamp, varchar } from "drizzle-orm/pg-core";
+import { TEXT_LIMITS } from "../constants/resource-limits.js";
 import { user } from "./user.schema.js";
 
 export const account = pgTable("account", {
@@ -13,7 +14,7 @@ export const account = pgTable("account", {
   idToken: text("id_token"),
   accessTokenExpiresAt: timestamp("access_token_expires_at"),
   refreshTokenExpiresAt: timestamp("refresh_token_expires_at"),
-  scope: text("scope"),
+  scope: varchar("scope", { length: TEXT_LIMITS.URL }),
   password: text("password"),
   createdAt: timestamp("created_at").notNull(),
   updatedAt: timestamp("updated_at").notNull(),

packages/db/src/auth/organization.schema.ts

@@ -1,13 +1,14 @@
-import { pgTable, text, timestamp } from "drizzle-orm/pg-core";
+import { pgTable, text, timestamp, varchar } from "drizzle-orm/pg-core";
+import { TEXT_LIMITS } from "../constants/resource-limits.js";
 import { user } from "./user.schema.js";
 
 export const organization = pgTable("organization", {
   id: text("id").primaryKey(),
-  name: text("name").notNull(),
-  slug: text("slug").unique(),
-  logo: text("logo"),
+  name: varchar("name", { length: TEXT_LIMITS.NAME }).notNull(),
+  slug: varchar("slug", { length: TEXT_LIMITS.SLUG }).unique(),
+  logo: varchar("logo", { length: TEXT_LIMITS.URL }),
   createdAt: timestamp("created_at").notNull(),
-  metadata: text("metadata"),
+  metadata: varchar("metadata", { length: TEXT_LIMITS.URL }),
 });
 
 export const member = pgTable("member", {
@@ -18,7 +19,9 @@ export const member = pgTable("member", {
   userId: text("user_id")
     .notNull()
     .references(() => user.id, { onDelete: "cascade" }),
-  role: text("role").default("member").notNull(),
+  role: varchar("role", { length: TEXT_LIMITS.STATUS })
+    .default("member")
+    .notNull(),
   createdAt: timestamp("created_at").notNull(),
 });
 
@@ -27,9 +30,11 @@ export const invitation = pgTable("invitation", {
   organizationId: text("organization_id")
     .notNull()
     .references(() => organization.id, { onDelete: "cascade" }),
-  email: text("email").notNull(),
-  role: text("role"),
-  status: text("status").default("pending").notNull(),
+  email: varchar("email", { length: TEXT_LIMITS.EMAIL }).notNull(),
+  role: varchar("role", { length: TEXT_LIMITS.STATUS }),
+  status: varchar("status", { length: TEXT_LIMITS.STATUS })
+    .default("pending")
+    .notNull(),
   expiresAt: timestamp("expires_at").notNull(),
   inviterId: text("inviter_id")
     .notNull()

packages/db/src/auth/session.schema.ts

@@ -1,4 +1,5 @@
-import { pgTable, text, timestamp } from "drizzle-orm/pg-core";
+import { pgTable, text, timestamp, varchar } from "drizzle-orm/pg-core";
+import { TEXT_LIMITS } from "../constants/resource-limits.js";
 import { user } from "./user.schema.js";
 
 export const session = pgTable("session", {
@@ -7,12 +8,14 @@ export const session = pgTable("session", {
   token: text("token").notNull().unique(),
   createdAt: timestamp("created_at").notNull(),
   updatedAt: timestamp("updated_at").notNull(),
-  ipAddress: text("ip_address"),
-  userAgent: text("user_agent"),
+  ipAddress: varchar("ip_address", { length: TEXT_LIMITS.IP_ADDRESS }),
+  userAgent: varchar("user_agent", { length: TEXT_LIMITS.USER_AGENT }),
   userId: text("user_id")
     .notNull()
     .references(() => user.id, { onDelete: "cascade" }),
-  activeOrganizationId: text("active_organization_id"),
+  activeOrganizationId: varchar("active_organization_id", {
+    length: TEXT_LIMITS.EMAIL,
+  }),
 });
 
 export type Session = typeof session.$inferSelect;

packages/db/src/auth/user.schema.ts

@@ -1,13 +1,20 @@
-import { boolean, pgTable, text, timestamp } from "drizzle-orm/pg-core";
+import {
+  boolean,
+  pgTable,
+  text,
+  timestamp,
+  varchar,
+} from "drizzle-orm/pg-core";
+import { TEXT_LIMITS } from "../constants/resource-limits.js";
 
 export const user = pgTable("user", {
   id: text("id").primaryKey(),
-  name: text("name").notNull(),
-  email: text("email").notNull().unique(),
+  name: varchar("name", { length: TEXT_LIMITS.NAME }).notNull(),
+  email: varchar("email", { length: TEXT_LIMITS.EMAIL }).notNull().unique(),
   emailVerified: boolean("email_verified")
     .$defaultFn(() => false)
     .notNull(),
-  image: text("image"),
+  image: varchar("image", { length: TEXT_LIMITS.URL }),
   createdAt: timestamp("created_at")
     .$defaultFn(() => /* @__PURE__ */ new Date())
     .notNull(),

packages/db/src/auth/verification.schema.ts

@@ -1,8 +1,11 @@
-import { pgTable, text, timestamp } from "drizzle-orm/pg-core";
+import { pgTable, text, timestamp, varchar } from "drizzle-orm/pg-core";
+import { TEXT_LIMITS } from "../constants/resource-limits.js";
 
 export const verification = pgTable("verification", {
   id: text("id").primaryKey(),
-  identifier: text("identifier").notNull(),
+  identifier: varchar("identifier", {
+    length: TEXT_LIMITS.VERIFICATION_ID,
+  }).notNull(),
   value: text("value").notNull(),
   expiresAt: timestamp("expires_at").notNull(),
   createdAt: timestamp("created_at").$defaultFn(

packages/db/src/billing/plan.schema.ts

@@ -6,16 +6,20 @@ import {
   pgTable,
   text,
   timestamp,
+  varchar,
 } from "drizzle-orm/pg-core";
+import { TEXT_LIMITS } from "../constants/resource-limits.js";
 import { Price } from "./price.schema.js";
 
 export const Plan = pgTable(
   "plan",
   {
     id: text("id").primaryKey(),
-    name: text("name").notNull().unique(),
-    displayName: text("display_name").notNull(),
-    description: text("description"),
+    name: varchar("name", { length: TEXT_LIMITS.PLAN_NAME }).notNull().unique(),
+    displayName: varchar("display_name", {
+      length: TEXT_LIMITS.PLAN_NAME,
+    }).notNull(),
+    description: varchar("description", { length: TEXT_LIMITS.DESCRIPTION }),
     active: boolean("active").default(true).notNull(),
     quota: integer("quota").notNull(),
     created_at: timestamp("created_at")

packages/db/src/billing/price.schema.ts

@@ -7,7 +7,9 @@ import {
   text,
   timestamp,
   unique,
+  varchar,
 } from "drizzle-orm/pg-core";
+import { TEXT_LIMITS } from "../constants/resource-limits.js";
 import { Plan } from "./plan.schema.js";
 
 export const Price = pgTable(
@@ -18,16 +20,19 @@ export const Price = pgTable(
       .notNull()
       .unique()
       .references(() => Plan.id),
-    nickname: text("nickname"),
-    currency: text("currency").notNull(),
+    nickname: varchar("nickname", { length: TEXT_LIMITS.PLAN_NAME }),
+    currency: varchar("currency", { length: TEXT_LIMITS.CURRENCY }).notNull(),
     unitAmount: integer("unit_amount").notNull(),
     recurring: jsonb("recurring").notNull().$type<{
       interval: "day" | "week" | "month" | "year";
       intervalCount: number;
     }>(),
-    type: text("type", { enum: ["one_time", "recurring"] }).notNull(),
+    type: varchar("type", {
+      length: 20,
+      enum: ["one_time", "recurring"],
+    }).notNull(),
     active: boolean("active").default(true).notNull(),
-    lookupKey: text("lookup_key"),
+    lookupKey: varchar("lookup_key", { length: TEXT_LIMITS.LOOKUP_KEY }),
     createdAt: timestamp("created_at")
       .$defaultFn(() => /* @__PURE__ */ new Date())
       .notNull(),

packages/db/src/billing/subscription.schema.ts

@@ -6,7 +6,9 @@ import {
   pgTable,
   text,
   timestamp,
+  varchar,
 } from "drizzle-orm/pg-core";
+import { TEXT_LIMITS } from "../constants/resource-limits.js";
 import { user } from "../schema.js";
 import { Plan } from "./plan.schema.js";
 
@@ -18,10 +20,16 @@ export const Subscription = pgTable(
       onDelete: "cascade",
     }),
     planName: text("plan_name").references(() => Plan.name),
-    stripeCustomerId: text("stripe_customer_id"),
-    stripeSubscriptionId: text("stripe_subscription_id"),
+    stripeCustomerId: varchar("stripe_customer_id", {
+      length: TEXT_LIMITS.STRIPE_ID,
+    }),
+    stripeSubscriptionId: varchar("stripe_subscription_id", {
+      length: TEXT_LIMITS.STRIPE_ID,
+    }),
     seats: integer("seats"),
-    status: text("status").default("incomplete"),
+    status: varchar("status", { length: TEXT_LIMITS.STATUS }).default(
+      "incomplete",
+    ),
     periodStart: timestamp("period_start"),
     periodEnd: timestamp("period_end"),
     trialStart: timestamp("trial_start"),

packages/db/src/constants/resource-limits.ts

@@ -0,0 +1,52 @@
+/**
+ * Resource protection limits for database fields
+ * These constants define maximum sizes to prevent resource exhaustion attacks
+ */
+
+/* Text content limits (in characters) */
+export const JSONB_LIMITS = {
+  /** Maximum size for block data (10MB) */
+  BLOCK_DATA: 10485760,
+  /** Maximum size for text chunks (1MB) */
+  CHUNK_TEXT: 1048576,
+  /** Maximum size for JSONB metadata (1MB) */
+  EMBEDDING_TASK_METADATA: 1048576,
+} as const;
+
+/* String length limits (for varchar fields) */
+export const TEXT_LIMITS = {
+  /** Currency codes */
+  CURRENCY: 10,
+  /** Plan descriptions */
+  DESCRIPTION: 1000,
+  /** Standard email length */
+  EMAIL: 255,
+  /** IP addresses (IPv6 max) */
+  IP_ADDRESS: 45,
+  /** Lookup keys */
+  LOOKUP_KEY: 255,
+  /** Model identifiers */
+  MODEL_ID: 255,
+  /** Model providers */
+  MODEL_PROVIDER: 100,
+  /** User names and titles */
+  NAME: 100,
+  /** Page titles */
+  PAGE_TITLE: 500,
+  /** Plan and price names */
+  PLAN_NAME: 100,
+  /** Organization slugs */
+  SLUG: 50,
+  /** Status and role fields */
+  STATUS: 50,
+  /** Stripe identifiers */
+  STRIPE_ID: 255,
+  /** Tokens and passwords */
+  TOKEN: 4096,
+  /** URLs and image paths */
+  URL: 1024,
+  /** User agents */
+  USER_AGENT: 1024,
+  /** Verification identifiers */
+  VERIFICATION_ID: 255,
+} as const;