Security Flaw in Web UI Login: Unbounded Request Body Exposes Denial-of-Service Risk
A critical security oversight in the web server's login handler creates a direct path for memory and CPU denial-of-service attacks. The vulnerability stems from the `/login` endpoint accepting form data bodies of unbounded size, unlike the other authenticated endpoints, which enforce strict size limits. Specifically, the handler calls `req.formData()` directly, buffering and parsing the entire request payload before any password verification occurs. This design flaw makes the login page an easy target for resource exhaustion in any deployment where the Web UI is exposed and password authentication is enabled.
The relevant code lives in `src/web/server.ts` and several route handlers, and among them the login endpoint is the only one left unprotected. While the other write endpoints use `readJsonBody(..., MAX_WEB_JSON_BODY_BYTES)` to reject oversized payloads with a 413 error, the login handler lacks this safeguard. This inconsistency creates a glaring attack surface: any network client capable of reaching the Web UI can send arbitrarily large, unvalidated form data to `/login`, consuming server memory and CPU.
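As an added illustration (not the project's own code), the following applies the same cap-then-413 pattern to a form body that `readJsonBody(..., MAX_WEB_JSON_BODY_BYTES)` applies to JSON: the body is rejected as soon as the running byte count passes the cap, before any parsing. `MAX_LOGIN_FORM_BYTES`, `readBoundedBody`, `readLoginForm`, `BodyTooLargeError` and the `chunked` sample generator are assumed names, and the 4096-byte cap is a constructed value.

```typescript
// Added example, not the project's code: a size-capped reader for the login
// form body, mirroring the page's readJsonBody(..., MAX_WEB_JSON_BODY_BYTES) guard.

const MAX_LOGIN_FORM_BYTES = 4096; // assumed cap; a real login form is tiny

class BodyTooLargeError extends Error {
  readonly status = 413;
  constructor(limit: number) { super(`request body exceeds ${limit} bytes`); }
}

// Node's IncomingMessage and a web ReadableStream are both async-iterable;
// a plain sync iterable is accepted too so sample data can be fed in directly.
type Body = AsyncIterable<Uint8Array> | Iterable<Uint8Array>;
type LoginResult = { status: number; fields: Record<string, string> };

// Throws as soon as the running total passes the cap, so an oversized payload
// is never fully buffered, let alone parsed; the remaining chunks stay unread.
async function readBoundedBody(body: Body, limit: number): Promise<Uint8Array> {
  const chunks: Uint8Array[] = []; let total = 0;
  for await (const chunk of body) {
    total += chunk.byteLength;
    if (total > limit) throw new BodyTooLargeError(limit);
    chunks.push(chunk);
  }
  const out = new Uint8Array(total); let offset = 0;
  for (const c of chunks) { out.set(c, offset); offset += c.byteLength; }
  return out;
}

// Size check first, then parse application/x-www-form-urlencoded (ASCII by
// spec; percent-escapes are decoded by URLSearchParams).
async function readLoginForm(body: Body, limit = MAX_LOGIN_FORM_BYTES): Promise<LoginResult> {
  try {
    const bytes = await readBoundedBody(body, limit);
    let text = "";
    for (let i = 0; i < bytes.length; i++) text += String.fromCharCode(bytes[i]);
    const fields: Record<string, string> = {};
    new URLSearchParams(text).forEach((v, k) => { fields[k] = v; });
    return { status: 200, fields };
  } catch (e) {
    if (e instanceof BodyTooLargeError) return { status: e.status, fields: {} };
    throw e;
  }
}

// Constructed sample body: yields ASCII text in 1 KiB chunks, as a stream would.
function* chunked(text: string, size = 1024): Generator<Uint8Array> {
  for (let i = 0; i < text.length; i += size) {
    yield Uint8Array.from(text.slice(i, i + size), (ch) => ch.charCodeAt(0));
  }
}
```

With the cap in place a normal form round-trips to a 200 with its fields decoded, while a 100 KB body is cut off at the fifth chunk and answered with 413.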
The severity is classified as P2, indicating a significant security concern that requires prompt attention. The vulnerability is particularly dangerous because the login endpoint is intentionally accessible before authentication, removing a key barrier for potential attackers. The codebase already recognizes oversized request bodies as a security consideration elsewhere, making this omission a clear deviation from established protective patterns. This flaw could lead to service degradation or complete unavailability in targeted deployments.