Use DefaultBodyLimit to prevent json request parsing DDoS

[gtema]

AI identified a potential for the DDoS in JSON request parsing. While axum already implements body limits it makes sense to document this explicitly and provide operator with configuration options to fine-tune this.
https://docs.rs/axum/latest/axum/extract/struct.DefaultBodyLimit.html
It must be noted that the python Keystone is also "vulnerable" to this attack due to the lack of explicit documentation.

[gtema]

VULNERABLE PATTERN:

// VULNERABLE: No size limit on request body
async fn handle_request(body: String) -> Result<Response> {
    let data: serde_json::Value = serde_json::from_str(&body)?;
    // Process unlimited-size payload
}

ATTACK VECTOR:

• Send extremely large JSON payloads (multi-gigabyte)
• Cause memory exhaustion and OOM killer
• Send deeply nested JSON structures causing stack overflow
• JSON bomb attacks (small compressed payload expands massively)
• Exhaust parser resources

IMPACT:

• Memory exhaustion and service crash
• Complete service unavailability
• Resource starvation affecting other services
• Potential host system crash

REMEDIATION:

use actix_web::web::Bytes;
const MAX_BODY_SIZE: usize = 256 * 1024; // 256KB limit

async fn handle_request(body: Bytes) -> Result<Response> {
    if body.len() > MAX_BODY_SIZE {
        return Err(ErrorPayloadTooLarge("Request body exceeds limit"));
    }
    
    // Set recursion depth limit for nested structures
    let data: serde_json::Value = serde_json::from_slice(&body)
        .map_err(|e| ErrorBadRequest(format!("Invalid JSON: {}", e)))?;
    
    // Validate JSON depth
    if json_depth(&data) > 10 {
        return Err(ErrorBadRequest("JSON nesting too deep"));
    }
    
    Ok(process_data(data))
}