This comprehensive request size limiting system prevents memory exhaustion and DoS attacks from oversized requests.
Key features:
- Global request size limit: 50MB (configurable)
- Type-specific limits: 25MB for audio, 1MB for JSON, 10MB for images
- Multi-layer validation before loading data into memory
- File type detection based on extensions
- Endpoint-specific limit enforcement
- Dynamic configuration via admin API
- Clear error messages with size information
Implementation details:
- RequestSizeLimiter middleware with Flask integration
- Pre-request validation using Content-Length header
- File size checking for multipart uploads
- JSON payload size validation
- Custom decorator for route-specific limits
- StreamSizeLimiter for chunked transfers
- Integration with Flask's MAX_CONTENT_LENGTH
Admin features:
- GET /admin/size-limits - View current limits
- POST /admin/size-limits - Update limits dynamically
- Human-readable size formatting in responses
- Size limit info in health check endpoints
Security benefits:
- Prevents memory exhaustion attacks
- Blocks oversized uploads before processing
- Protects against buffer overflow attempts
- Works with rate limiting for comprehensive protection
This addresses the critical security issue of unbounded request sizes that could lead to memory exhaustion or system crashes.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
This comprehensive session management system tracks and automatically cleans up resources associated with user sessions, preventing resource exhaustion and disk space issues.
Key features:
- Automatic tracking of all session resources (audio files, temp files, streams)
- Per-session resource limits (100 files max, 100MB storage max)
- Automatic cleanup of idle sessions (15 minutes) and expired sessions (1 hour)
- Background cleanup thread runs every minute
- Real-time monitoring via admin endpoints
- CLI commands for manual management
- Integration with Flask request lifecycle
Implementation details:
- SessionManager class manages lifecycle of UserSession objects
- Each session tracks resources with metadata (type, size, creation time)
- Automatic resource eviction when limits are reached (LRU policy)
- Orphaned file detection and cleanup
- Thread-safe operations with proper locking
- Comprehensive metrics and statistics export
- Admin API endpoints for monitoring and control
Security considerations:
- Sessions tied to IP address and user agent
- Admin endpoints require authentication
- Secure file path handling
- Resource limits prevent DoS attacks
This addresses the critical issue of temporary file accumulation that could lead to disk exhaustion in production environments.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Remove hardcoded TTS API key from app.py (major security vulnerability)
- Add python-dotenv support for secure environment variable management
- Create .env.example with configuration template
- Add comprehensive SECURITY.md documentation
- Update README with security configuration instructions
- Add warning when TTS_API_KEY is not configured
- Enhance .gitignore to prevent accidental commits of .env files
BREAKING CHANGE: TTS_API_KEY must now be set via environment variable or .env file
Security measures:
- API keys must be provided via environment variables
- Added dotenv support for local development
- Clear documentation on secure deployment practices
- Multiple .env file patterns in .gitignore
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Implement ConnectionManager with exponential backoff retry strategy
- Add automatic connection monitoring and health checks
- Update RequestQueueManager to integrate with connection state
- Create ConnectionUI component for visual connection status
- Queue requests during offline periods and process when online
- Add comprehensive error handling for network-related failures
- Create detailed documentation for connection retry features
- Support manual retry and automatic recovery
Features:
- Real-time connection status indicator
- Offline banner with retry button
- Request queue visualization
- Priority-based request processing
- Configurable retry parameters
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add flask-cors dependency and configure CORS with security best practices
- Support configurable CORS origins via environment variables
- Separate admin endpoint CORS configuration for enhanced security
- Create comprehensive CORS configuration documentation
- Add apiClient utility for CORS-aware frontend requests
- Include CORS test page for validation
- Update README with CORS configuration instructions
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
