The fix for GHSA-fpxj-m5q8-fphw only capped POST /api/v1/send.
Four sibling endpoints (SetReadStatus, DeleteMessages, SetMessageTags,
ReleaseMessage) decoded json.NewDecoder(r.Body) with no size limit,
allowing an unauthenticated attacker to drive unbounded memory growth
via a large IDs array.
Apply a 5 MB cap in middleWareFunc so all current and future API
handlers inherit it automatically. POST /api/v1/send is exempt via a
bodyLimitKey context value set in sendAPIAuthMiddleware, preserving
its existing config.MaxMessageSize (default 50 MB) limit.
Also fix TestAPIv1SendMaxMessageSize, which was broken by a Go 1.26
change: json.Decoder now wraps reader errors in *json.SyntaxError
rather than returning *http.MaxBytesError directly, causing the
errors.As check to miss it and return 400 instead of 413. Reading
the body with io.ReadAll before decoding surfaces the raw error,
restoring correct 413 behaviour on Go 1.25 and 1.26.
- Removed deprecated `thumbnailParams` struct from `thumbnails.go`.
- Updated `server_test.go` to use an anonymous struct for response unmarshalling.
- Enhanced `swagger.json` with detailed definitions for SendRequest and SendMessageResponse.
- Introduced new `swaggerParams.go` to define Swagger parameters for various API endpoints.
- Created `swaggerResponses.go` to define Swagger responses for API endpoints.
- Cleaned up unused JSON error message definitions and consolidated error responses.
- Improved documentation for Chaos triggers and web UI configuration responses.
- Updated error handling to use the error return value for resource closures in tests and functions, ensuring proper error reporting.
- Replaced direct calls to `Close()` with deferred functions that handle errors gracefully.
- Improved readability by using `strings.ReplaceAll` instead of `strings.Replace` for string manipulation.
- Enhanced network connection handling by adding default cases for unsupported network types.
- Updated HTTP response handling to use the appropriate status codes and error messages.
- Removed unused variables and commented-out code to clean up the codebase.
