review(analytics): drop bare catch, snapshot 400 body, add zip-bomb test

BilalG1 · BilalG1 · commit bd84d33df2a2 · 2026-05-04T17:08:57.000-07:00
- Remove inner try/catch in encodeAnalyticsBody; runtime compression
  errors now propagate to the existing Result.error in
  sendAnalyticsEventBatch instead of being swallowed silently.
- Convert the invalid-gzip test to toMatchInlineSnapshot for parity
  with other error-path tests.
- Add a regression test that gzips a 9 MB zero buffer to exercise the
  MAX_DECOMPRESSED_BYTES guard.
diff --git a/apps/e2e/tests/backend/endpoints/api/v1/analytics-events-batch.test.ts b/apps/e2e/tests/backend/endpoints/api/v1/analytics-events-batch.test.ts
@@ -214,7 +214,36 @@ it("rejects a binary body that isn't valid gzip", async ({ expect }) => {
     rawBody: new Uint8Array([0, 1, 2, 3, 4, 5]),
   });
 
-  expect(res.status).toBe(400);
+  expect(res).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 400,
+      "body": "Invalid encoded analytics body",
+      "headers": Headers { <some fields may have been hidden> },
+    }
+  `);
+});
+
+it("rejects a gzipped body that decompresses past the server size cap", async ({ expect }) => {
+  await Project.createAndSwitch({ config: { magic_link_enabled: true } });
+  await Project.updateConfig({ apps: { installed: { analytics: { enabled: true } } } });
+  await Auth.Otp.signIn();
+
+  // 9 MB of zeros gzips to ~9 KB but decompresses past the 8 MB server cap.
+  const bomb = gzipSync(Buffer.alloc(9 * 1024 * 1024));
+
+  const res = await niceBackendFetch("/api/v1/analytics/events/batch", {
+    method: "POST",
+    accessType: "client",
+    rawBody: bomb,
+  });
+
+  expect(res).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 400,
+      "body": "Invalid encoded analytics body",
+      "headers": Headers { <some fields may have been hidden> },
+    }
+  `);
 });
 
 it("handles click event data containing a truncated surrogate pair (lone high surrogate)", async ({ expect }) => {
diff --git a/packages/stack-shared/src/interface/client-interface.ts b/packages/stack-shared/src/interface/client-interface.ts
@@ -136,13 +136,9 @@ async function encodeAnalyticsBody(jsonBody: string): Promise<{ body: BodyInit,
   if (typeof CompressionStreamCtor !== "function" || typeof Blob === "undefined" || typeof Response === "undefined") {
     return { body: jsonBody, contentType: "application/json" };
   }
-  try {
-    const stream = new Blob([jsonBody]).stream().pipeThrough(new CompressionStreamCtor("gzip"));
-    const buffer = await new Response(stream).arrayBuffer();
-    return { body: new Uint8Array(buffer), contentType: "application/octet-stream" };
-  } catch {
-    return { body: jsonBody, contentType: "application/json" };
-  }
+  const stream = new Blob([jsonBody]).stream().pipeThrough(new CompressionStreamCtor("gzip"));
+  const buffer = await new Response(stream).arrayBuffer();
+  return { body: new Uint8Array(buffer), contentType: "application/octet-stream" };
 }
 
 export class StackClientInterface {
