[comp] Production Deploy

apps/api/package.json

@@ -40,7 +40,7 @@
         "ai": "^5.0.60",
         "archiver": "^7.0.1",
         "axios": "^1.12.2",
-        "better-auth": "^1.3.27",
+        "better-auth": "^1.4.22",
         "class-transformer": "^0.5.1",
         "class-validator": "^0.14.2",
         "dotenv": "^17.2.3",

apps/api/src/utils/file-type-validation.spec.ts

@@ -46,4 +46,30 @@ describe('validateFileContent', () => {
     const csvBuffer = Buffer.from('name,email\njohn,john@example.com');
     expect(() => validateFileContent(csvBuffer, 'text/csv', 'data.csv')).not.toThrow();
   });
+
+  it('should accept a valid WebP file', () => {
+    // WebP: RIFF (4 bytes) + size (4 bytes) + WEBP (4 bytes)
+    const webpBuffer = Buffer.alloc(16);
+    webpBuffer.write('RIFF', 0);
+    webpBuffer.writeUInt32LE(8, 4);
+    webpBuffer.write('WEBP', 8);
+    expect(() => validateFileContent(webpBuffer, 'image/webp', 'photo.webp')).not.toThrow();
+  });
+
+  it('should reject a WAV file disguised as WebP', () => {
+    // WAV also starts with RIFF but has WAVE at offset 8, not WEBP
+    const wavBuffer = Buffer.alloc(16);
+    wavBuffer.write('RIFF', 0);
+    wavBuffer.writeUInt32LE(8, 4);
+    wavBuffer.write('WAVE', 8);
+    expect(() => validateFileContent(wavBuffer, 'image/webp', 'fake.webp')).toThrow(BadRequestException);
+  });
+
+  it('should reject a RIFF file with script content disguised as WebP', () => {
+    const malicious = Buffer.alloc(64);
+    malicious.write('RIFF', 0);
+    malicious.writeUInt32LE(56, 4);
+    malicious.write('AVI ', 8); // Not WEBP
+    expect(() => validateFileContent(malicious, 'image/webp', 'evil.webp')).toThrow(BadRequestException);
+  });
 });

apps/api/src/utils/file-type-validation.ts

@@ -4,13 +4,24 @@ const MAGIC_BYTES: Record<string, Buffer[]> = {
   'image/png': [Buffer.from([0x89, 0x50, 0x4e, 0x47])],
   'image/jpeg': [Buffer.from([0xff, 0xd8, 0xff])],
   'image/gif': [Buffer.from('GIF87a'), Buffer.from('GIF89a')],
-  'image/webp': [Buffer.from('RIFF')],
   'application/pdf': [Buffer.from('%PDF')],
   'application/zip': [Buffer.from([0x50, 0x4b, 0x03, 0x04])],
 };
 
-/** MIME types that are verified binary — skip text pattern scanning for these. */
-const BINARY_MIME_TYPES = new Set(Object.keys(MAGIC_BYTES));
+/**
+ * RIFF-based formats need extra validation — RIFF is shared by WAV, AVI, WebP, etc.
+ * WebP files are: RIFF (4 bytes) + file size (4 bytes) + WEBP (4 bytes at offset 8).
+ */
+const RIFF_HEADER = Buffer.from([0x52, 0x49, 0x46, 0x46]); // RIFF
+const WEBP_MARKER = Buffer.from([0x57, 0x45, 0x42, 0x50]); // WEBP
+
+function isValidWebP(fileBuffer: Buffer): boolean {
+  if (fileBuffer.length < 12) return false;
+  return (
+    fileBuffer.subarray(0, 4).equals(RIFF_HEADER) &&
+    fileBuffer.subarray(8, 12).equals(WEBP_MARKER)
+  );
+}
 
 /**
  * Patterns that indicate potentially dangerous HTML/script content.
@@ -34,7 +45,17 @@ export function validateFileContent(
 ): void {
   const lowerMime = declaredMimeType.toLowerCase();
 
-  // Check magic bytes for known binary types
+  // WebP needs special handling — RIFF prefix is shared with WAV, AVI, etc.
+  if (lowerMime === 'image/webp') {
+    if (!isValidWebP(fileBuffer)) {
+      throw new BadRequestException(
+        'The uploaded file is invalid or corrupted. Please try again with a valid file.',
+      );
+    }
+    return;
+  }
+
+  // Check magic bytes for other known binary types
   const expectedSignatures = MAGIC_BYTES[lowerMime];
   if (expectedSignatures) {
     const matchesSignature = expectedSignatures.some((sig) =>
@@ -46,7 +67,6 @@ export function validateFileContent(
       );
     }
     // Binary file passed magic byte check — skip text pattern scanning
-    // to avoid false positives from binary data matching text patterns
     return;
   }
 

apps/app/package.json

@@ -84,7 +84,7 @@
         "ai": "^6.0.116",
         "ai-elements": "^1.6.1",
         "axios": "^1.9.0",
-        "better-auth": "^1.3.27",
+        "better-auth": "^1.4.22",
         "botid": "^1.5.5",
         "canvas-confetti": "^1.9.3",
         "class-variance-authority": "^0.7.1",

apps/portal/package.json

@@ -20,7 +20,7 @@
         "@types/jszip": "^3.4.1",
         "@upstash/ratelimit": "^2.0.5",
         "archiver": "^7.0.1",
-        "better-auth": "^1.4.5",
+        "better-auth": "^1.4.22",
         "class-variance-authority": "^0.7.1",
         "geist": "^1.3.1",
         "jspdf": "^4.2.0",

package.json

@@ -92,7 +92,7 @@
     "@types/cheerio": "^1.0.0",
     "@types/react-syntax-highlighter": "^15.5.13",
     "@upstash/vector": "^1.2.2",
-    "better-auth": "1.4.5",
+    "better-auth": "1.4.22",
     "cheerio": "^1.2.0",
     "react-syntax-highlighter": "^15.6.6",
     "unpdf": "^1.4.0",

packages/auth/package.json

@@ -23,7 +23,7 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "better-auth": "^1.4.5"
+    "better-auth": "^1.4.22"
   },
   "peerDependencies": {
     "@prisma/client": ">=5.0.0"