update

backend/src/controllers/settings.controller.ts

@@ -78,6 +78,17 @@ class SettingsController {
     try {
       const userId = (req as any).user.id;
       const preferences = req.body;
+
+      // Basic validation — reject excessively large or non-object payloads
+      if (typeof preferences !== 'object' || preferences === null || Array.isArray(preferences)) {
+        res.status(400).json({ success: false, message: 'Preferences must be a JSON object' });
+        return;
+      }
+      if (JSON.stringify(preferences).length > 10_000) {
+        res.status(400).json({ success: false, message: 'Preferences payload too large' });
+        return;
+      }
+
       await pool.query(
         'UPDATE users SET preferences = $1 WHERE id = $2',
         [JSON.stringify(preferences), userId]