fix(profile): close PR #87 review nits — math comment + 413 at route

Two actionable observations from the self-review:

1. Comment math was wrong. 10M base64 chars decode to ~7.5 MB binary
   (4/3 expansion ratio), not ~5.6 MB. Rewrote the comment to make
   the relationship between the body cap and MAX_AVATAR_SIZE
   explicit, and to document that the actual binary cap fires below.

2. Decoded-byte size is now checked at the route layer with an
   explicit 413, instead of relying on _validate_upload deeper in
   the storage service. Two reasons:
   - Faster failure: bypassed-frontend callers eat 413 before any
     Supabase round-trip.
   - Easier route-test reasoning: the contract ("> MAX_AVATAR_SIZE
     binary bytes -> 413") lives at the route now.
   The storage-layer validate_upload check stays as defence in
   depth (and still fires for the surviving multipart-cosmetic
   endpoint, which doesn't have the route-level guard).

Added test_decoded_payload_over_size_cap_returns_413 that pins the
contract: a base64 payload that fits the Pydantic max_length but
decodes to MAX_AVATAR_SIZE + 1 bytes is rejected with 413 at the
route, AND `upload_avatar` is never called.

5 avatar tests pass. The other two minor observations from the
review (PR-body wording about the breaking contract change;
URL.createObjectURL heads-up) are not code changes — the first is a
PR-description tweak handled separately, the second is informational
only.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: Jose-Gael-Cruz-Lopez

backend/routes/profile.py

@@ -10,6 +10,7 @@
 from fastapi import APIRouter, HTTPException, Request, UploadFile, File, Query
 from pydantic import BaseModel, Field
 
+from config import MAX_AVATAR_SIZE
 from db.connection import table
 from services.encryption import encrypt_if_present, decrypt_if_present
 from models import (
@@ -269,7 +270,12 @@ class _AvatarUploadBody(BaseModel):
     profile-PATCH endpoint successfully.
     """
 
-    file_b64: str = Field(..., max_length=10_000_000)  # ~7.5 MB base64 = ~5.6 MB binary
+    # 10M base64 chars upper-bounds the body before any decode work.
+    # Base64 expands binary by 4/3, so 10M chars decodes to ~7.5 MB
+    # binary — comfortably above MAX_AVATAR_SIZE (5 MB) and below any
+    # sensible JSON body limit. The actual binary cap is enforced
+    # below after decoding.
+    file_b64: str = Field(..., max_length=10_000_000)
     content_type: str = Field(default="image/png", max_length=64)
 
 
@@ -293,6 +299,18 @@ async def upload_user_avatar(user_id: str, body: _AvatarUploadBody, request: Req
     except Exception:
         raise HTTPException(status_code=400, detail="Invalid base64 payload")
 
+    # Enforce the binary size cap at the route layer so the 413 is
+    # immediate and the response shape matches the multipart endpoint
+    # the caller might still expect (per `services/storage_service.py
+    # ::_validate_upload`). Without this, the cap fires one layer
+    # deeper inside upload_avatar, which is correct but harder to
+    # reason about from a route-test perspective.
+    if len(file_bytes) > MAX_AVATAR_SIZE:
+        raise HTTPException(
+            status_code=413,
+            detail=f"File too large. Maximum size is {MAX_AVATAR_SIZE // (1024 * 1024)} MB",
+        )
+
     avatar_url = upload_avatar(user_id, file_bytes, body.content_type)
 
     table("users").update({"avatar_url": avatar_url}, filters={"id": f"eq.{user_id}"})

backend/tests/test_profile_routes.py

@@ -566,6 +566,32 @@ def test_missing_file_b64_returns_422(self):
             )
         assert r.status_code == 422
 
+    def test_decoded_payload_over_size_cap_returns_413(self):
+        """The route enforces MAX_AVATAR_SIZE on the *decoded* binary —
+        so a base64 payload that fits the Pydantic max_length but
+        decodes to more than 5 MB is rejected at the route layer with
+        a 413 (not at the storage layer). Mirrors the multipart
+        endpoint's validate_upload contract."""
+        import base64
+        from config import MAX_AVATAR_SIZE
+        # MAX + 1 binary bytes → just above the cap once decoded.
+        oversize_bytes = b"\x00" * (MAX_AVATAR_SIZE + 1)
+        oversize_b64 = base64.b64encode(oversize_bytes).decode("ascii")
+
+        with _mock_self(), \
+             patch("routes.profile.table", side_effect=self._table_factory()), \
+             patch("routes.profile.upload_avatar") as up:
+            r = client.post(
+                f"/api/profile/{USER_ID}/avatar",
+                json={"file_b64": oversize_b64, "content_type": "image/png"},
+            )
+
+        assert r.status_code == 413
+        assert "Maximum size" in r.json()["detail"]
+        # Storage layer must NOT have been called — the route should
+        # reject before bothering Supabase.
+        up.assert_not_called()
+
 
 # ── _get_user_or_404 column contract (issue #75) ────────────────────────────