fix(api/v2): align avatar upload body limit with global overhead

kolaente · kolaente · commit 0221b13f7d08 · 2026-05-31T21:07:31.000+02:00
MaxBodyBytes was set to exactly the configured max file size, but a
multipart request carries extra bytes (boundary, part headers) on top of
the file, so a file at the limit could be rejected by Huma before the
handler runs. Mirror the +2 MB overhead that Echo's global BodyLimit
middleware already allows so a max-sized avatar isn't rejected.
diff --git a/pkg/routes/api/v2/avatar_upload.go b/pkg/routes/api/v2/avatar_upload.go
@@ -68,9 +68,12 @@ func RegisterAvatarRoutes(api huma.API) {
 		Tags:        tags,
 		// Avatars can be larger than Huma's 1 MB default body limit; allow up to
 		// the configured max file size so legitimate uploads aren't rejected before
-		// the handler runs. Echo's global BodyLimit middleware still caps the total.
+		// the handler runs. The total multipart request is larger than the file
+		// itself (boundary, part headers), so mirror the +2 MB overhead Echo's
+		// global BodyLimit middleware (pkg/routes/routes.go) already allows;
+		// otherwise a file at exactly the limit could be rejected by Huma.
 		// #nosec G115 - configured value won't exceed int64 max in practice.
-		MaxBodyBytes:  int64(config.GetMaxFileSizeInMBytes()) * 1024 * 1024,
+		MaxBodyBytes:  (int64(config.GetMaxFileSizeInMBytes()) + 2) * 1024 * 1024,
 		DefaultStatus: http.StatusOK,
 	}, avatarUpload)
 }
