Limit first name length to mitigate potential DoS

lang/en.yml

@@ -305,6 +305,7 @@ en:
       email_exists: Email is already taken
       first_name_invalid: First name is not a valid name
       first_name_required: First name is required
+      first_name_too_long: First name cannot be longer than %{max} characters
       inactive_at_earlier: Inactive time cannot be earlier than active time
       ip_address_required: IP address could not be determined
       last_name_invalid: Last name is not a valid name

spec/app/operations/mixins/validate_user_spec.cr

@@ -61,4 +61,15 @@ describe Mixins::ValidateUser do
       operation.last_name.should have_error("not a valid")
     end
   end
+
+  it "rejects long first name" do
+    SaveUser.create(params(
+      first_name: "f" * 300,
+      last_name: "Atta",
+      level: :author
+    )) do |operation, _|
+      operation.saved?.should be_false
+      operation.first_name.should have_error("longer than")
+    end
+  end
 end

src/operations/mixins/validate_user.cr

@@ -7,6 +7,8 @@ module Mixins::ValidateUser
 
       validate_first_name_valid
       validate_last_name_valid
+
+      validate_first_name_length
     end
 
     private def validate_first_name_required
@@ -32,5 +34,13 @@ module Mixins::ValidateUser
       validate_name last_name,
         message: Rex.t(:"operation.error.last_name_invalid")
     end
+
+    private def validate_first_name_length
+      max = 255
+
+      validate_size_of first_name,
+        max: max,
+        message: Rex.t(:"operation.error.first_name_too_long", max: max)
+    end
   end
 end