[freeradius] Add max_length validation for called_station_id in PostA…

…uthSerializer openwisp#467

Updated the PostAuthSerializer to include a `max_length` attribute of 50 for the `called_station_id` field.
This ensures that requests exceeding the character limit return an HTTP 400 error with an appropriate error message.

Fixes openwisp#467

openwisp_radius/api/serializers.py

@@ -120,7 +120,9 @@ class RadiusPostAuthSerializer(serializers.ModelSerializer):
         allow_blank=True,
         style={'input_type': 'password'},
     )
-    called_station_id = serializers.CharField(required=False, allow_blank=True)
+    called_station_id = serializers.CharField(
+        required=False, allow_blank=True, max_length=50
+    )
     calling_station_id = serializers.CharField(required=False, allow_blank=True)
 
     def validate(self, data):

openwisp_radius/tests/test_api/test_freeradius_api.py

@@ -298,6 +298,18 @@ def test_postauth_400(self):
         self.assertEqual(RadiusPostAuth.objects.all().count(), 0)
         self.assertEqual(response.status_code, 400)
 
+    def test_postauth_called_station_id_max_length_50_exceed_400(self):
+        params = {'called_station_id': 'C0-4A-00-EE-D1-0D:' + 'A' * 50}
+        params = self._get_postauth_params(**params)
+        response = self.client.post(
+            reverse('radius:postauth'), params, HTTP_AUTHORIZATION=self.auth_header
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertEqual(
+            response.data['called_station_id'][0],
+            'Ensure this field has no more than 50 characters.',
+        )
+
     @capture_any_output()
     def test_postauth_no_token_403(self):
         response = self.client.post(reverse('radius:postauth'), {'username': 'tester'})