[ANCHOR-1185] Add XDR size validation in SEP-10 and SEP-45 auth endpoint (#1917)

### Description

- Add 50KB size limit on `transaction` field in SEP-10 POST `/auth`
before XDR parsing
- Reduce existing SEP-45 `authorization_entries` size limit from 100KB
to 50KB

### Context

Valid SEP-10/SEP-45 auth payloads are small (a few KB). Limiting input
size before XDR deserialization prevents unnecessary memory allocation
from oversized payloads.

### Testing

- `./gradlew test`

### Documentation

N/A

### Known limitations

N/A

Author: JiahuiWho

core/src/main/java/org/stellar/anchor/sep10/Sep10Service.java

@@ -511,10 +511,14 @@ String fetchClientDomain(ChallengeTransaction challenge) {
 
   ChallengeTransaction parseChallenge(ValidationRequest request) throws SepValidationException {
 
-    if (request == null || request.getTransaction() == null) {
+    if (request == null || isEmpty(request.getTransaction())) {
       throw new SepValidationException("{transaction} is required.");
     }
 
+    if (request.getTransaction().length() > 50_000) {
+      throw new SepValidationException("transaction exceeds maximum allowed size");
+    }
+
     String transaction = request.getTransaction();
     Network network = new Network(stellarNetworkConfig.getStellarNetworkPassphrase());
     String homeDomain = extractHomeDomainFromChallengeXdr(transaction, network);

core/src/main/java/org/stellar/anchor/sep45/Sep45Service.java

@@ -180,7 +180,7 @@ public ValidationResponse validate(ValidationRequest request) throws AnchorExcep
       throw new BadRequestException("authorization_entries is required");
     }
 
-    if (request.getAuthorizationEntries().length() > 100_000) {
+    if (request.getAuthorizationEntries().length() > 50_000) {
       throw new BadRequestException("authorization_entries exceeds maximum allowed size");
     }
 

core/src/test/kotlin/org/stellar/anchor/sep10/Sep10ServiceTest.kt

@@ -280,6 +280,14 @@ internal class Sep10ServiceTest {
     assertThrows<SepValidationException> { sep10Service.validateChallenge(vr) }
   }
 
+  @Test
+  fun `Test validate challenge rejects oversized transaction`() {
+    val vr = ValidationRequest()
+    vr.transaction = "A".repeat(50_001)
+    val ex = assertThrows<SepValidationException> { sep10Service.validateChallenge(vr) }
+    assertEquals("transaction exceeds maximum allowed size", ex.message)
+  }
+
   @Test
   @LockAndMockStatic([Sep10Challenge::class])
   fun `Test validate challenge with bad home domain failure`() {

core/src/test/kotlin/org/stellar/anchor/sep45/Sep45ServiceTest.kt

@@ -192,6 +192,16 @@ class Sep45ServiceTest {
     assertEquals("authorization_entries is required", ex.message)
   }
 
+  @Test
+  fun `test validate throws BadRequestException when auth entries exceed max size`() {
+    val validationRequest =
+      ValidationRequest.builder().authorizationEntries("A".repeat(50_001)).build()
+
+    val ex =
+      assertThrows(BadRequestException::class.java) { sep45Service.validate(validationRequest) }
+    assertEquals("authorization_entries exceeds maximum allowed size", ex.message)
+  }
+
   @Test
   fun `test validate throws BadRequestException when auth entries list empty`() {
     val emptyAuth = SorobanAuthorizationEntries(arrayOf())