industry · 2026-05-23 · 12 min read

My Idempotency-Key was 800 characters long: the POS sync app slowed down, and defense-in-depth against storage bloat followed (PR #661 XI F4)

Aysegul (33) owns the specialty coffee shop "Kahve Cekirdegi" in Odunpazari, Eskisehir. The app written for her by freelance iOS developer Berkay sends a POS sync POST every 90 seconds. Aysegul: "Order POST is slow, 4-5 seconds."

thMenu support found the cause: the idempotency_keys table held 12,847 rows, and some keys were 800 characters long. Berkay had been sending an Idempotency-Key in the wrong format: uuid + device + timestamp + sequence + audit metadata, 809 characters in total, and a different key on every call. That breaks retry safety (no two requests ever dedupe) and bloats storage at the same time.

Forensics: four endpoints (orders, payments/create, loyalty/redeem, products) only checked the Idempotency-Key for presence, with no length cap and no charset allowlist. For comparison, Stripe's spec allows 255 characters from alphanumerics plus `-`, `_`, `.`, `:`; Square's limit is 192. Authenticated-attacker scenario: a 10 MB binary blob as the Idempotency-Key, sent in a burst the rate limit still allows, fills the 5 GB D1 quota in 30 seconds, and QUOTA_EXCEEDED then fails every write.

**PR #661 batch XI F4** fix: an inline check was added to all four endpoints: `if (idempotencyKey && (length > 255 || !/^[A-Za-z0-9-_.:]+$/.test(...))) return 400 invalid_idempotency_key`. This adopts Stripe's 255-character ceiling and a charset that still supports UUID, hex and namespaced keys. Endpoints where the header is optional and endpoints where it is required are handled separately.

Aysegul and Berkay's app was refactored to send order-{uuid}, about 42 characters and stable across retries. After a 14-day TTL prune cycle, POST latency dropped to 200 ms.

Pattern: when a client-supplied header becomes the primary or cache key, a length cap plus a charset allowlist is mandatory; a presence-only check is not enough for defense-in-depth.
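The check described above, written out as an added example (not thMenu's code from PR #661): a validator that rejects over-long or out-of-charset keys before they reach the database, plus the stable `order-{uuid}` key the refactored app sends. The `required` option, the `missing_idempotency_key` code and the sample values are assumptions; only the 255 limit, the allowlist and `invalid_idempotency_key` come from the post.

```javascript
// Added example, not thMenu's code: validate the client-supplied
// Idempotency-Key header with the limits the post describes (Stripe's
// 255-character ceiling and the allowlist A-Z a-z 0-9 - _ . :) before the
// value is ever used as a primary or cache key.
const MAX_IDEMPOTENCY_KEY_LENGTH = 255;
// Hyphen placed last so it is an unambiguous literal in every regex dialect.
const IDEMPOTENCY_KEY_PATTERN = /^[A-Za-z0-9_.:-]+$/;

// Returns null when the header is acceptable (or absent on an optional
// endpoint); otherwise an object describing the 400 response.
// `missing_idempotency_key` and the `reason` field are assumed names.
function validateIdempotencyKey(headerValue, { required = false } = {}) {
  if (headerValue === undefined || headerValue === null || headerValue === "") {
    return required ? { status: 400, error: "missing_idempotency_key" } : null;
  }
  // Length check first: it is O(1) and stops oversized payloads before the
  // regex ever scans them.
  if (typeof headerValue !== "string" ||
      headerValue.length > MAX_IDEMPOTENCY_KEY_LENGTH) {
    return { status: 400, error: "invalid_idempotency_key", reason: "length" };
  }
  if (!IDEMPOTENCY_KEY_PATTERN.test(headerValue)) {
    return { status: 400, error: "invalid_idempotency_key", reason: "charset" };
  }
  return null;
}

// The stable per-order key the refactored client sends: the same order id on
// every retry yields the same key, so dedup works and the table stops growing.
function orderIdempotencyKey(orderUuid) {
  return `order-${orderUuid}`;
}

// Constructed sample values (not real data).
const sampleUuid = "3f1c2e8a-9b7d-4c1e-a5f6-2d3e4f5a6b7c";
// Shape of the old bloated key: uuid + device + timestamp + sequence + padding.
const bloatedKey =
  sampleUuid + ":dev-ipad-7:1779800000:seq-42:" + "a".repeat(760);
// Stand-in for a non-text blob sent as the header value.
const binaryBlobKey = "\x00\xff".repeat(16);
```

Running the three constructed keys through `validateIdempotencyKey` gives null for the stable `order-{uuid}` key, a `length` rejection for the bloated key and a `charset` rejection for the blob.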

thMenu Team

thmenu.com
