From a8b2630c30e16d1a184eafa2e9619233f5d93317 Mon Sep 17 00:00:00 2001
From: Matt Gibson <mgibson@bitwarden.com>
Date: Tue, 20 Jan 2026 16:15:15 -0800
Subject: [PATCH] Configurable batch lookup size

this is low for now because under normal operations you'll be sharing a single identity, which will require single digits of lookups at once.

Testing and use-case may warrant an increase, eventually.
---
 akd/crates/reader/src/config.rs              |  7 +++++++
 akd/crates/reader/src/lib.rs                 |  3 +++
 akd/crates/reader/src/routes/batch_lookup.rs | 14 ++++++++------
 3 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/akd/crates/reader/src/config.rs b/akd/crates/reader/src/config.rs
index d5652fc3f5..ee43275a1b 100644
--- a/akd/crates/reader/src/config.rs
+++ b/akd/crates/reader/src/config.rs
@@ -12,12 +12,19 @@ pub struct ApplicationConfig {
     /// The unique Bitwarden installation ID using this AKD reader instance.
     /// This value is used to namespace AKD data to a given installation.
     pub installation_id: Uuid,
+    /// Maximum number of labels allowed in a single batch lookup request. Defaults to 10.
+    #[serde(default = "default_max_batch_lookup_size")]
+    pub max_batch_lookup_size: usize,
 }
 
 fn default_web_server_bind_address() -> String {
     "127.0.0.1:3001".to_string()
 }
 
+fn default_max_batch_lookup_size() -> usize {
+    10
+}
+
 impl ApplicationConfig {
     /// Load configuration from multiple sources in order of priority:
     /// 1. Environment variables (prefixed with AKD_READER) - always applied with highest priority
diff --git a/akd/crates/reader/src/lib.rs b/akd/crates/reader/src/lib.rs
index b73ed25dfb..bbd0dcf6ed 100644
--- a/akd/crates/reader/src/lib.rs
+++ b/akd/crates/reader/src/lib.rs
@@ -20,6 +20,7 @@ struct AppState {
     directory: ReadOnlyDirectory<BitwardenV1Configuration, AkdDatabase, VrfKeyDatabase>,
     // TODO: use this to allow for unique failures for lookup and key history requests that have pending updates
     // publish_queue: ReadOnlyPublishQueueType,
+    max_batch_lookup_size: usize,
 }
 
 #[instrument(skip_all, name = "reader_start")]
@@ -35,10 +36,12 @@ pub async fn start(
 
     let mut shutdown_rx = shutdown_rx.resubscribe();
 
+    let max_batch_lookup_size = config.max_batch_lookup_size;
     let handle = tokio::spawn(async move {
         let app_state = AppState {
             directory: directory,
             // publish_queue: publish_queue,
+            max_batch_lookup_size,
         };
 
         let app = Router::new()
diff --git a/akd/crates/reader/src/routes/batch_lookup.rs b/akd/crates/reader/src/routes/batch_lookup.rs
index 9c1f69f7aa..ac7cebfbc1 100644
--- a/akd/crates/reader/src/routes/batch_lookup.rs
+++ b/akd/crates/reader/src/routes/batch_lookup.rs
@@ -22,7 +22,11 @@ pub struct BatchLookupData {
 
 #[instrument(skip_all)]
 pub async fn batch_lookup_handler(
-    State(AppState { directory, .. }): State<AppState>,
+    State(AppState {
+        directory,
+        max_batch_lookup_size,
+        ..
+    }): State<AppState>,
     Json(BatchLookupRequest { labels_b64 }): Json<BatchLookupRequest>,
 ) -> (StatusCode, Json<Response<BatchLookupData>>) {
     info!("Handling batch lookup request");
@@ -37,18 +41,16 @@ pub async fn batch_lookup_handler(
     }
 
     // Validate batch size
-    // TODO: make this configurable
-    const MAX_BATCH_SIZE: usize = 1000;
-    if labels_b64.len() > MAX_BATCH_SIZE {
+    if labels_b64.len() > max_batch_lookup_size {
         error!(
             batch_size = labels_b64.len(),
-            max_size = MAX_BATCH_SIZE,
+            max_size = max_batch_lookup_size,
             "Batch size exceeds limit"
         );
         return (
             StatusCode::BAD_REQUEST,
             Json(Response::error(ReaderError::BatchTooLarge {
-                limit: MAX_BATCH_SIZE,
+                limit: max_batch_lookup_size,
             })),
         );
     }