
[Validation] Missing max length constraints in authentication payload schemas #209

@udaycodespace

Describe the bug

While reviewing authentication-related validation schemas, I noticed that some payload fields currently do not consistently enforce maximum length validation.

This was observed in authentication controllers using Zod schemas.

Where I found this

Files:

apps/public-api/src/controllers/userAuth.controller.js

apps/dashboard-api/src/controllers/auth.controller.js

Some fields such as email, password, OTP/token values, and related auth payloads appear to lack .max() constraints in certain validation paths.

To Reproduce

  1. Open authentication-related controller validation schemas
  2. Review Zod validation definitions
  3. Observe that some fields define required/minimum validation but do not consistently define maximum length constraints

Expected behavior

Authentication payloads should consistently enforce reasonable maximum length validation for:

  • email
  • password
  • username
  • OTP/token fields
  • auth-related string payloads

Impact

Without max length validation:

  • extremely large payloads may unnecessarily consume resources
  • validation behavior becomes inconsistent across auth flows
  • oversized inputs may increase risk of abuse or unexpected edge cases

Proposed solution

I plan to:

  • review existing Zod schemas used in authentication flows
  • add reasonable .max() constraints where missing
  • keep validation behavior consistent across auth endpoints
  • avoid introducing breaking changes to existing payload formats

ETA

I’ll work on this and try to raise a PR by tonight.
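The following is an added illustration of the gap the issue describes; it is not code from this repository. Because the project's Zod schemas are not reproduced on the page, it uses a small constructed stand-in that mimics the Zod string-chain methods named here (`min`, `max`, `regex`, `email`, `safeParse`) so the comparison runs without the `zod` dependency. The schemas (`loginSchemaUnbounded`, `loginSchemaBounded`), the field set and the numeric limits (`MAX_EMAIL`, `MAX_PASSWORD`) are assumptions chosen for the example, not values from the project.

```javascript
// Added example, not project code: a minimal stand-in for a Zod-style string
// schema chain, so the effect of a missing .max() can be shown offline.
// Real Zod exposes the same method names; the regexes here are deliberately simple.

class StringField {
  constructor() { this.checks = []; }
  min(n)    { this.checks.push(v => v.length >= n || `must be at least ${n} characters`); return this; }
  max(n)    { this.checks.push(v => v.length <= n || `must be at most ${n} characters`); return this; }
  regex(re) { this.checks.push(v => re.test(v) || 'invalid format'); return this; }
  email()   { return this.regex(/^[^\s@]+@[^\s@]+\.[^\s@]+$/); }
  safeParse(v) {
    if (typeof v !== 'string') return { success: false, error: 'expected string' };
    for (const check of this.checks) {
      const result = check(v);
      if (result !== true) return { success: false, error: result };
    }
    return { success: true, data: v };
  }
}

// Object schema: runs every field's checks and collects per-field errors.
function object(shape) {
  return {
    safeParse(input) {
      const errors = {};
      const data = {};
      for (const [key, field] of Object.entries(shape)) {
        const r = field.safeParse(input ? input[key] : undefined);
        if (r.success) data[key] = r.data; else errors[key] = r.error;
      }
      return Object.keys(errors).length ? { success: false, errors } : { success: true, data };
    },
  };
}

const z = { string: () => new StringField(), object };

// "Before": required/minimum checks only, no upper bound on any string field.
// This is the pattern the issue reports; the exact fields are assumed.
const loginSchemaUnbounded = z.object({
  email: z.string().email(),
  password: z.string().min(8),
  otp: z.string().min(6),
});

// "After": every string field carries a ceiling. The limits are assumptions for
// this example: RFC 5321 caps a mailbox address at 254 octets; bcrypt-style
// hashers only consume the first 72 bytes of a password, so 128 is generous;
// a numeric OTP is exactly six digits, so a regex bounds it on both sides.
const MAX_EMAIL = 254;
const MAX_PASSWORD = 128;
const loginSchemaBounded = z.object({
  email: z.string().email().max(MAX_EMAIL),
  password: z.string().min(8).max(MAX_PASSWORD),
  otp: z.string().regex(/^\d{6}$/),
});

// Constructed oversized payload: a 1 MiB password and a 600-character "OTP"
// that still satisfies min(6).
function oversizedPayload() {
  return {
    email: 'alice@example.com',
    password: 'x'.repeat(1024 * 1024),
    otp: '123456'.repeat(100),
  };
}

// Constructed well-formed payload, to show the bounded schema still accepts normal input.
function normalPayload() {
  return { email: 'alice@example.com', password: 'correct horse battery', otp: '123456' };
}

// Returns the sorted list of field names a schema rejects for a payload.
function rejectedFields(schema, payload) {
  const r = schema.safeParse(payload);
  return r.success ? [] : Object.keys(r.errors).sort();
}

console.log('unbounded schema, oversized payload:', rejectedFields(loginSchemaUnbounded, oversizedPayload()));
console.log('bounded schema,   oversized payload:', rejectedFields(loginSchemaBounded, oversizedPayload()));
console.log('bounded schema,   normal payload:   ', rejectedFields(loginSchemaBounded, normalPayload()));
```

The unbounded schema accepts the megabyte-sized password and the 600-character OTP without complaint, which is the inconsistency and resource-consumption concern the issue raises; the bounded schema rejects both fields while still passing a normal login. Adding `.max()` to fields that already have `.min()` does not change which well-formed payloads are accepted, which is why it can be done without breaking the existing payload format.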
