From 528e67ea615e20b7fbd57f2951d9285bd2306f02 Mon Sep 17 00:00:00 2001
From: jdl <jdl@private.local>
Date: Sat, 13 Jun 2026 15:06:14 +0200
Subject: [PATCH] Audit changes.

---
 hub/handlers.go | 4 +++-
 hub/main.go     | 9 +++++++--
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/hub/handlers.go b/hub/handlers.go
index 7c9686c..c907f23 100644
--- a/hub/handlers.go
+++ b/hub/handlers.go
@@ -268,9 +268,11 @@ func (a *App) _peerInit(peer *api.Peer, w http.ResponseWriter, r *http.Request)
 		return nil
 	}
 
+	r.Body = http.MaxBytesReader(w, r.Body, 2048)
+
 	args := m.PeerInitArgs{}
 	if err := json.NewDecoder(r.Body).Decode(&args); err != nil {
-		return err
+		return errs.BadRequest.WithMsg("Invalid request body.")
 	}
 
 	if len(args.WGPubKey) != 32 {
diff --git a/hub/main.go b/hub/main.go
index dfa6f2e..8971e41 100644
--- a/hub/main.go
+++ b/hub/main.go
@@ -5,6 +5,7 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"time"
 
 	"git.crumpington.com/lib/go/webutil"
 )
@@ -30,8 +31,12 @@ func Main() {
 	}
 
 	srv := &http.Server{
-		Addr:    conf.ListenAddr,
-		Handler: app.Handler(),
+		Addr:              conf.ListenAddr,
+		Handler:           app.Handler(),
+		ReadHeaderTimeout: 30 * time.Second,
+		ReadTimeout:       60 * time.Second,
+		WriteTimeout:      120 * time.Second,
+		IdleTimeout:       180 * time.Second,
 	}
 
 	log.Fatal(webutil.ListenAndServe(srv))