From c54294601bcfeb460ebd8ee65b81dfc8847068c3 Mon Sep 17 00:00:00 2001
From: wukko
Date: Sat, 17 Aug 2024 00:13:26 +0600
Subject: [PATCH] api/core: limit authorization header length

---
 api/src/core/api.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/src/core/api.js b/api/src/core/api.js
index 44deb7c9..c039a305 100644
--- a/api/src/core/api.js
+++ b/api/src/core/api.js
@@ -157,7 +157,7 @@ export function runAPI(express, app, __dirname) {
 return fail("error.api.auth.jwt.missing");
 }
- if (!authorization.startsWith("Bearer ")) {
+ if (!authorization.startsWith("Bearer ") || authorization.length > 256) {
 return fail("error.api.auth.jwt.invalid");
 }
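Review bot: The new `|| authorization.length > 256` is an unexplained magic number, and the bound it puts on the whole `Authorization` header (the `Bearer ` prefix plus the token) is tight for a compact JWS, whose three base64url segments can pass 256 characters once the payload carries more than a few claims; the size of the tokens this API issues is not visible in the hunk, so the limit should be checked against what the signer actually produces before it ships, or valid tokens will be rejected as `error.api.auth.jwt.invalid`. Hoisting it to a named constant with a why-comment, e.g. `const MAX_AUTH_HEADER_LENGTH = 256; // bound input before jwt verification; must exceed the longest token this API issues` and `if (!authorization.startsWith("Bearer ") || authorization.length > MAX_AUTH_HEADER_LENGTH) {`, would record both the purpose and the assumption. The enclosing function `runAPI` begins before the hunk and continues after it.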