fix: expand allowed file upload types to support office docs and Apple formats

Author: batalabs

src/lib/validation.ts

@@ -105,15 +105,42 @@ export const foldersQuerySchema = z
 
 // Allowed MIME types for security
 const allowedMimeTypes = [
+  // Images
   "image/jpeg",
+  "image/jpg",
   "image/png",
   "image/gif",
   "image/webp",
+  "image/svg+xml",
+  "image/bmp",
+  "image/tiff",
+  "image/avif",
+  // Apple formats (iPhone/iPad photos)
+  "image/heic",
+  "image/heif",
+  "image/heic-sequence", // Live Photos
+  "image/heif-sequence",
+  // Documents
   "application/pdf",
   "text/plain",
   "text/markdown",
   "application/json",
   "text/csv",
+  // Microsoft Office
+  "application/msword", // .doc
+  "application/vnd.openxmlformats-officedocument.wordprocessingml.document", // .docx
+  "application/vnd.ms-excel", // .xls
+  "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", // .xlsx
+  "application/vnd.ms-powerpoint", // .ppt
+  "application/vnd.openxmlformats-officedocument.presentationml.presentation", // .pptx
+  // Archives
+  "application/zip",
+  "application/x-rar-compressed",
+  "application/x-7z-compressed",
+  // Other common formats
+  "text/html",
+  "application/xml",
+  "text/xml",
 ] as const;
 
 export const uploadFileSchema = z.object({

src/middleware/auth.ts

@@ -4,13 +4,7 @@ import { verifyToken } from "@clerk/backend";
 import { db, users, folders, type User } from "../db";
 import { eq } from "drizzle-orm";
 import { logger } from "../lib/logger";
-import type {
-  ClerkUserData,
-  ClerkJWTPayload,
-  UserUpdateData,
-  ClerkApiUser,
-  DatabaseError,
-} from "../types";
+import type { ClerkUserData, ClerkJWTPayload, UserUpdateData, DatabaseError } from "../types";
 
 if (!process.env.CLERK_SECRET_KEY) {
   throw new Error(
@@ -27,6 +21,7 @@ declare module "hono" {
 }
 
 const extractAndVerifyClerkToken = async (c: Context): Promise<ClerkUserData | null> => {
+  const startTime = Date.now();
   const authHeader = c.req.header("Authorization");
 
   if (!authHeader || !authHeader.startsWith("Bearer ")) {
@@ -36,48 +31,29 @@ const extractAndVerifyClerkToken = async (c: Context): Promise<ClerkUserData | n
   const token = authHeader.split(" ")[1];
 
   try {
+    const verifyStart = Date.now();
     const payload = (await verifyToken(token, {
       secretKey: process.env.CLERK_SECRET_KEY!,
     })) as unknown as ClerkJWTPayload;
-
-    try {
-      const userResponse = await fetch(`https://api.clerk.com/v1/users/${payload.sub}`, {
-        headers: {
-          Authorization: `Bearer ${process.env.CLERK_SECRET_KEY}`,
-          "Content-Type": "application/json",
-        },
-      });
-
-      if (userResponse.ok) {
-        const clerkUser: ClerkApiUser = await userResponse.json();
-        return {
-          id: clerkUser.id,
-          email: clerkUser.email_addresses?.[0]?.email_address || "",
-          firstName: clerkUser.first_name || null,
-          lastName: clerkUser.last_name || null,
-        };
-      } else {
-        return {
-          id: payload.sub,
-          email: "",
-          firstName: null,
-          lastName: null,
-        };
-      }
-    } catch {
-      return {
-        id: payload.sub,
-        email: "",
-        firstName: null,
-        lastName: null,
-      };
-    }
+    console.log(`[AUTH PERF] verifyToken took: ${Date.now() - verifyStart}ms`);
+
+    // Security is maintained by JWT verification above
+    // User metadata comes from our DB (updated via webhooks or on login)
+    // No need to call Clerk API on every request - saves 150-200ms
+    console.log(`[AUTH PERF] Total extractAndVerify took: ${Date.now() - startTime}ms`);
+    return {
+      id: payload.sub,
+      email: "", // Will be populated from DB
+      firstName: null, // Will be populated from DB
+      lastName: null, // Will be populated from DB
+    };
   } catch {
     return null;
   }
 };
 
 export const authMiddleware = async (c: Context, next: Next) => {
+  const middlewareStart = Date.now();
   const userData = await extractAndVerifyClerkToken(c);
 
   if (!userData) {
@@ -86,9 +62,11 @@ export const authMiddleware = async (c: Context, next: Next) => {
     });
   }
 
+  const dbQueryStart = Date.now();
   let existingUser = await db.query.users.findFirst({
     where: eq(users.id, userData.id),
   });
+  console.log(`[AUTH PERF] DB user lookup took: ${Date.now() - dbQueryStart}ms`);
 
   if (existingUser) {
     try {
@@ -170,6 +148,8 @@ export const authMiddleware = async (c: Context, next: Next) => {
   c.set("user", existingUser);
   c.set("clerkUser", userData);
 
+  console.log(`[AUTH PERF] Total auth middleware took: ${Date.now() - middlewareStart}ms`);
+
   // User context available in Hono context
 
   await next();

src/routes/notes/crud.ts

@@ -45,8 +45,10 @@ const listNotesRoute = createRoute({
 
 // Handler function for listing notes
 const listNotesHandler: RouteHandler<typeof listNotesRoute> = async (c) => {
+  const startTime = Date.now();
   const userId = c.get("userId");
   const query = c.req.valid("query");
+  console.log(`[PERF] Start listNotes - userId: ${userId}`);
 
   const conditions: SQL[] = [eq(notes.userId, userId)];
 
@@ -86,30 +88,56 @@ const listNotesHandler: RouteHandler<typeof listNotesRoute> = async (c) => {
   }
 
   const whereClause = conditions.length > 1 ? and(...conditions) : conditions[0];
+  console.log(`[PERF] Building where clause took: ${Date.now() - startTime}ms`);
 
+  const countStart = Date.now();
   const [{ total }] = await db.select({ total: count() }).from(notes).where(whereClause);
+  console.log(`[PERF] COUNT query took: ${Date.now() - countStart}ms, total: ${total}`);
 
   const page = query.page || 1;
   const limit = query.limit || 20;
   const offset = (page - 1) * limit;
 
+  const queryStart = Date.now();
   const userNotes = await db.query.notes.findMany({
     where: whereClause,
     orderBy: [desc(notes.updatedAt)],
     limit,
     offset,
     with: {
       folder: true,
-      // Removed attachments loading - was loading full encrypted file data unnecessarily
+      attachments: {
+        // Load attachment metadata but exclude the massive encryptedData field
+        columns: {
+          id: true,
+          noteId: true,
+          filename: true,
+          originalName: true,
+          mimeType: true,
+          size: true,
+          encryptedTitle: true,
+          iv: true,
+          salt: true,
+          uploadedAt: true,
+          encryptedData: false,
+        },
+      },
     },
   });
+  console.log(
+    `[PERF] Main query took: ${Date.now() - queryStart}ms, returned ${userNotes.length} notes`
+  );
 
-  // Note: attachmentCount removed for now - can be added back with efficient subquery if needed
+  // Add attachment counts to notes
+  const mapStart = Date.now();
   const notesWithAttachmentCount = userNotes.map((note) => ({
     ...note,
-    attachmentCount: 0, // Placeholder - will optimize this separately if needed
-    attachments: undefined,
+    attachmentCount: note.attachments.length,
   }));
+  console.log(`[PERF] Mapping took: ${Date.now() - mapStart}ms`);
+
+  const totalTime = Date.now() - startTime;
+  console.log(`[PERF] Total endpoint time: ${totalTime}ms`);
 
   return c.json(
     {

src/version.ts

@@ -1,2 +1,2 @@
 // This file is automatically updated by semantic-release
-export const VERSION = "1.11.10"
+export const VERSION = "1.11.10";