Add body limit and Prometheus metrics middleware

Introduces a body size limit middleware to protect against large payload attacks, configurable via the RustApi builder. Adds Prometheus-based metrics middleware (feature-gated) with a /metrics endpoint, and exposes error environment configuration and error IDs for improved error handling and observability. Updates dependencies and public API exports accordingly.

Author: Tuntii

Cargo.lock

@@ -60,6 +60,12 @@ inventory = "0.3"
 # Validation
 validator = { version = "0.18", features = ["derive"] }
 
+# UUID
+uuid = { version = "1.6", features = ["v4"] }
+
+# Metrics
+prometheus = "0.13"
+
 # OpenAPI
 utoipa = { version = "4.2" }
 

Cargo.toml

@@ -40,13 +40,17 @@ thiserror = { workspace = true }
 tracing = { workspace = true }
 tracing-subscriber = { workspace = true }
 inventory = { workspace = true }
+uuid = { workspace = true }
 
 # Cookies (optional)
 cookie = { version = "0.18", optional = true }
 
 # Validation
 rustapi-validate = { workspace = true }
 
+# Metrics (optional)
+prometheus = { workspace = true, optional = true }
+
 # SQLx (optional)
 sqlx = { version = "0.8", optional = true, default-features = false }
 
@@ -62,3 +66,4 @@ swagger-ui = ["rustapi-openapi/swagger-ui"]
 test-utils = []
 cookies = ["dep:cookie"]
 sqlx = ["dep:sqlx"]
+metrics = ["dep:prometheus"]

crates/rustapi-core/Cargo.toml

@@ -0,0 +1,7 @@
+# Seeds for failure cases proptest has generated in the past. It is
+# automatically read and these particular cases re-run before any
+# novel cases are generated.
+#
+# It is recommended to check this file in to source control so that
+# everyone who runs the test benefits from these saved cases.
+cc 8650e551b5fa0957402d6dd6c864be825443b29eb5b8972df6ef70e9ee040b20 # shrinks to sensitive_message = "-", internal_details = "0", status_code = 500

crates/rustapi-core/proptest-regressions/error.txt

@@ -1,7 +1,7 @@
 //! RustApi application builder
 
 use crate::error::Result;
-use crate::middleware::{LayerStack, MiddlewareLayer};
+use crate::middleware::{BodyLimitLayer, LayerStack, MiddlewareLayer, DEFAULT_BODY_LIMIT};
 use crate::router::{MethodRouter, Router};
 use crate::server::Server;
 use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt, EnvFilter};
@@ -27,6 +27,7 @@ pub struct RustApi {
     router: Router,
     openapi_spec: rustapi_openapi::OpenApiSpec,
     layers: LayerStack,
+    body_limit: Option<usize>,
 }
 
 impl RustApi {
@@ -48,9 +49,52 @@ impl RustApi {
                 .register::<rustapi_openapi::ValidationErrorSchema>()
                 .register::<rustapi_openapi::FieldErrorSchema>(),
             layers: LayerStack::new(),
+            body_limit: Some(DEFAULT_BODY_LIMIT), // Default 1MB limit
         }
     }
 
+    /// Set the global body size limit for request bodies
+    ///
+    /// This protects against denial-of-service attacks via large payloads.
+    /// The default limit is 1MB (1024 * 1024 bytes).
+    ///
+    /// # Arguments
+    ///
+    /// * `limit` - Maximum body size in bytes
+    ///
+    /// # Example
+    ///
+    /// ```rust,ignore
+    /// use rustapi_rs::prelude::*;
+    ///
+    /// RustApi::new()
+    ///     .body_limit(5 * 1024 * 1024)  // 5MB limit
+    ///     .route("/upload", post(upload_handler))
+    ///     .run("127.0.0.1:8080")
+    ///     .await
+    /// ```
+    pub fn body_limit(mut self, limit: usize) -> Self {
+        self.body_limit = Some(limit);
+        self
+    }
+
+    /// Disable the body size limit
+    ///
+    /// Warning: This removes protection against large payload attacks.
+    /// Only use this if you have other mechanisms to limit request sizes.
+    ///
+    /// # Example
+    ///
+    /// ```rust,ignore
+    /// RustApi::new()
+    ///     .no_body_limit()  // Disable body size limit
+    ///     .route("/upload", post(upload_handler))
+    /// ```
+    pub fn no_body_limit(mut self) -> Self {
+        self.body_limit = None;
+        self
+    }
+
     /// Add a middleware layer to the application
     ///
     /// Layers are executed in the order they are added (outermost first).
@@ -336,7 +380,13 @@ impl RustApi {
     ///     .run("127.0.0.1:8080")
     ///     .await
     /// ```
-    pub async fn run(self, addr: &str) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+    pub async fn run(mut self, addr: &str) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
+        // Apply body limit layer if configured (should be first in the chain)
+        if let Some(limit) = self.body_limit {
+            // Prepend body limit layer so it's the first to process requests
+            self.layers.prepend(Box::new(BodyLimitLayer::new(limit)));
+        }
+        
         let server = Server::new(self.router, self.layers);
         server.run(addr).await
     }