Merge pull request #4 from StacLabs/max-body-size

Configure max payload size

Author: jonhealy1

CHANGELOG.md

@@ -5,7 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.1.2] - 2026-03-30
+
+### Added
+- **Configurable Payload Limits**: Introduced the `MAX_BODY_SIZE_MB` environment variable, allowing operators to tune the maximum allowed size for incoming STAC batches (defaults to 150MB).
+
 ## [0.1.1] - 2026-03-29
+
 ### Added
 - **Intelligent Batch Logging**: Enhanced the `/validate` endpoint with high-visibility logging for both single-item and bulk `ItemCollection` requests.
 - **Error Aggregation**: Implemented a frequency-based error summarizer for large batches. Instead of flooding logs, the service now identifies and counts unique failure reasons (e.g., "Top failure reason (99/100): 'datetime' is required").
@@ -14,6 +20,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **Project Tooling**: Added a `Makefile` and `go test` suite to standardize the contributor workflow and ensure build stability. [#3](https://github.com/StacLabs/gostac-validator/pull/3)
 
 ## [0.1.0] - 2026-03-29
+
 ### Added
 - Core STAC validation engine with PCRE regex (`^(?!eo:)`) support via `regexp2`.
 - Lossless float decoding for STAC geographic coordinates.
@@ -22,6 +29,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - High-performance CLI tool for local STAC validation.
 - Dockerfile for microservice deployment.
 
-[Unreleased]: https://github.com/StacLabs/gostac-validator/compare/v0.1.1...HEAD
+[Unreleased]: https://github.com/StacLabs/gostac-validator/compare/v0.1.2...HEAD
+[0.1.2]: https://github.com/StacLabs/gostac-validator/compare/v0.1.1...v0.1.2
 [0.1.1]: https://github.com/StacLabs/gostac-validator/compare/v0.1.0...v0.1.1
 [0.1.0]: https://github.com/StacLabs/gostac-validator/releases/tag/v0.1.0

README.md

@@ -20,8 +20,9 @@ It drops validation times from ~2,500ms (network-bound) down to **~0.24ms** (RAM
 1. [Installation & Build](#installation--build)
 2. [CLI Usage](#cli-usage)
 3. [Microservice Usage](#microservice-usage)
-4. [Benchmarking & Performance](#benchmarking--performance)
-5. [Architecture Overview](#architecture-overview)
+4. [Configuration](#configuration)
+5. [Benchmarking & Performance](#benchmarking--performance)
+6. [Architecture Overview](#architecture-overview)
 
 ---
 
@@ -78,10 +79,22 @@ The CLI tool is perfect for local testing, CI/CD pipelines, or ad-hoc validation
 
 The HTTP server uses a thread-safe `sync.Map` to cache compiled schemas. It is designed to sit behind an ingestor API (like FastAPI) and process thousands of concurrent validation requests safely.
 
+## Configuration
+
+The STAC Validator Microservice can be tuned via environment variables to handle different infrastructure requirements and payload sizes.
+
+| Variable | Description | Default |
+| :--- | :--- | :--- |
+| `ADDR` | The network address and port for the server to listen on. | `:8080` |
+| `MAX_BODY_SIZE_MB` | The maximum allowed size of an incoming POST request in Megabytes. | `150` |
+
 ### Start the server:
 ```bash
+# Start with default 150MB limit
 ./stac-server
-# 🚀 STAC Validation Server running on http://localhost:8080/validate
+
+# Start with a custom 512MB limit for large batches
+MAX_BODY_SIZE_MB=512 ./stac-server
 ```
 
 ### Test via cURL:

internal/server/handlers.go

@@ -9,6 +9,8 @@ import (
 	"encoding/json"
 	"log"
 	"net/http"
+	"os"
+	"strconv"
 	"sync"
 	"time"
 
@@ -165,9 +167,29 @@ func (h *Handler) Health(w http.ResponseWriter, r *http.Request) {
 	writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
 }
 
-// readBody handles reading the request with a 150MB limit.
+// getBodyLimit returns the limit in bytes from MAX_BODY_SIZE_MB env var,
+// defaulting to 150MB.
+func getBodyLimit() int64 {
+	const defaultLimitMB = 150
+	limitStr := os.Getenv("MAX_BODY_SIZE_MB")
+	if limitStr == "" {
+		return defaultLimitMB << 20
+	}
+
+	limitMB, err := strconv.ParseInt(limitStr, 10, 64)
+	if err != nil {
+		// Log the error or just return default
+		return defaultLimitMB << 20
+	}
+
+	return limitMB << 20
+}
+
+// readBody handles reading the request with a configurable limit.
 func readBody(w http.ResponseWriter, r *http.Request) ([]byte, error) {
-	const maxBytes = 150 << 20
+	// Dynamically fetch the limit
+	maxBytes := getBodyLimit()
+
 	r.Body = http.MaxBytesReader(w, r.Body, maxBytes)
 	var buf bytes.Buffer
 	if _, err := buf.ReadFrom(r.Body); err != nil {

internal/server/server_test.go

@@ -0,0 +1,140 @@
+package server
+
+import (
+	"bytes"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"testing"
+)
+
+func TestGetBodyLimit(t *testing.T) {
+	// Table-driven tests for environment variable parsing
+	tests := []struct {
+		name     string
+		envValue string
+		expected int64
+	}{
+		{
+			name:     "Default value when unset",
+			envValue: "",
+			expected: 150 << 20, // 150 MB
+		},
+		{
+			name:     "Valid custom value",
+			envValue: "500",
+			expected: 500 << 20, // 500 MB
+		},
+		{
+			name:     "Invalid string falls back to default",
+			envValue: "not_a_number",
+			expected: 150 << 20, // 150 MB
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Setup environment
+			if tt.envValue != "" {
+				os.Setenv("MAX_BODY_SIZE_MB", tt.envValue)
+			} else {
+				os.Unsetenv("MAX_BODY_SIZE_MB")
+			}
+
+			// Clean up after test
+			t.Cleanup(func() {
+				os.Unsetenv("MAX_BODY_SIZE_MB")
+			})
+
+			got := getBodyLimit()
+			if got != tt.expected {
+				t.Errorf("getBodyLimit() = %d bytes, want %d bytes", got, tt.expected)
+			}
+		})
+	}
+}
+
+func TestReadBody_LimitExceeded(t *testing.T) {
+	// Set the limit artificially low (1 MB)
+	os.Setenv("MAX_BODY_SIZE_MB", "1")
+	t.Cleanup(func() { os.Unsetenv("MAX_BODY_SIZE_MB") })
+
+	// Create a 2MB dummy payload
+	bigPayload := bytes.Repeat([]byte("a"), 2<<20)
+
+	req := httptest.NewRequest(http.MethodPost, "/validate", bytes.NewReader(bigPayload))
+	w := httptest.NewRecorder()
+
+	_, err := readBody(w, req)
+	if err == nil {
+		t.Fatal("Expected an error when reading body larger than limit, got nil")
+	}
+
+	// http.MaxBytesReader returns an error containing "request body too large"
+	if err.Error() != "http: request body too large" {
+		t.Errorf("Expected 'request body too large' error, got: %v", err)
+	}
+}
+
+func TestValidateHandler_PayloadTooLarge(t *testing.T) {
+	// Set the limit artificially low (1 MB)
+	os.Setenv("MAX_BODY_SIZE_MB", "1")
+	t.Cleanup(func() { os.Unsetenv("MAX_BODY_SIZE_MB") })
+
+	// We can pass nil for the validator because the body limit check
+	// happens before the handler attempts to use the validator!
+	handler := NewHandler(nil)
+
+	// Create a 2MB dummy payload
+	bigPayload := bytes.Repeat([]byte(`{"type":"Feature"}`), 100000)
+
+	req := httptest.NewRequest(http.MethodPost, "/validate", bytes.NewReader(bigPayload))
+	w := httptest.NewRecorder()
+
+	handler.Validate(w, req)
+
+	res := w.Result()
+	defer res.Body.Close()
+
+	// Ensure the server rejected it as a Bad Request
+	if res.StatusCode != http.StatusBadRequest {
+		t.Errorf("Expected status %d, got %d", http.StatusBadRequest, res.StatusCode)
+	}
+
+	// Verify the JSON error message
+	var errResponse map[string]string
+	if err := json.NewDecoder(res.Body).Decode(&errResponse); err != nil {
+		t.Fatalf("Failed to decode response JSON: %v", err)
+	}
+
+	expectedErrFragment := "could not read request body"
+	if errStr, ok := errResponse["error"]; !ok || len(errStr) < len(expectedErrFragment) || errStr[:len(expectedErrFragment)] != expectedErrFragment {
+		t.Errorf("Expected error starting with '%s', got '%s'", expectedErrFragment, errStr)
+	}
+}
+
+func TestHealthHandler(t *testing.T) {
+	handler := NewHandler(nil)
+
+	req := httptest.NewRequest(http.MethodGet, "/health", nil)
+	w := httptest.NewRecorder()
+
+	handler.Health(w, req)
+
+	res := w.Result()
+	defer res.Body.Close()
+
+	if res.StatusCode != http.StatusOK {
+		t.Errorf("Expected status 200, got %d", res.StatusCode)
+	}
+
+	var response map[string]string
+	if err := json.NewDecoder(res.Body).Decode(&response); err != nil {
+		t.Fatalf("Failed to decode response: %v", err)
+	}
+
+	if status, ok := response["status"]; !ok || status != "ok" {
+		t.Errorf("Expected status='ok', got %v", response)
+	}
+}