From f80e1c46407fd7833d613eea235dad68d8fc495d Mon Sep 17 00:00:00 2001
From: buttercat1791 <mjjurkoic@gmail.com>
Date: Wed, 18 Feb 2026 07:49:43 -0600
Subject: [PATCH] Make `limit` param required on filter query endpoint

---
 .../controllers/filter_controller.ex          | 31 ++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/lib/gc_index_relay_web/controllers/filter_controller.ex b/lib/gc_index_relay_web/controllers/filter_controller.ex
index 9f84d44..143afbc 100644
--- a/lib/gc_index_relay_web/controllers/filter_controller.ex
+++ b/lib/gc_index_relay_web/controllers/filter_controller.ex
@@ -48,6 +48,13 @@ defmodule GcIndexRelayWeb.FilterController do
   swagger_path :query do
     post("/api/events/filter")
     summary("Query events using a JSON filter in the request body.")
+
+    description("""
+      Returns a list of events matching the filter in descending order of created_at time.
+      Response is returned as a batch, not streamed, so a `limit` parameter is required to prevent
+      the response from getting too large.
+    """)
+
     tag("Events")
     operation_id("query_events")
     response(200, "OK", Schema.ref(:PubEventList))
@@ -58,11 +65,33 @@ defmodule GcIndexRelayWeb.FilterController do
   POST /api/events/filter - Query events using a JSON filter in the request body.
   """
   def query(conn, filter_params) do
-    with {:ok, events} <- Nostr.query_events(filter_params) do
+    with {:ok, filter} <- validate_required_params(filter_params),
+         {:ok, filter} <- validate_param_values(filter),
+         {:ok, events} <- Nostr.query_events(filter) do
       render(conn, :index, events: events)
     end
   end
 
+  @spec validate_required_params(map()) :: {:ok, map()} | {:error, String.t()}
+  def validate_required_params(params) do
+    if not Map.has_key?(params, "limit") do
+      {:error, "The filter must specify a limit."}
+    else
+      {:ok, params}
+    end
+  end
+
+  @spec validate_param_values(map()) :: {:ok, map()} | {:error, String.t()}
+  def validate_param_values(params) do
+    %{:limit => limit} = params
+
+    if limit < 1 or limit > 100 do
+      {:error, "The filter limit must be between 1 and 100."}
+    else
+      {:ok, params}
+    end
+  end
+
   # Parse query parameters into a NIP-01 filter map
   @spec parse_query_params(map()) :: {:ok, map()} | {:error, String.t()}
   defp parse_query_params(params) do