michaelshimeles · umanda · Jan 24, 2026 · Jan 24, 2026 · Jan 24, 2026 · Jan 24, 2026
diff --git a/.npmrc b/.npmrc
diff --git a/app/api/subscription/route.ts b/app/api/subscription/route.ts
@@ -5,8 +5,13 @@ import { NextResponse } from "next/server";
 
 export async function GET() {
   try {
+    const h = headers();
+    const headersObj: Record<string, string> = {};
+    for (const [key, value] of h.entries()) headersObj[key] = value;
+
     const result = await auth.api.getSession({
-      headers: await headers(),
+      headers: headersObj,
+      query: {},
     });
 
     if (!result?.session?.userId) {

diff --git a/app/api/upload-image/route.ts b/app/api/upload-image/route.ts
@@ -1,38 +1,33 @@
 import { uploadImageAssets } from "@/lib/upload-image";
-import { NextRequest, NextResponse } from "next/server";
+import { NextResponse } from "next/server";
 
-export const config = {
-  api: { bodyParser: false }, // Disable default body parsing
-};
+export const runtime = "nodejs"; // ensures Buffer + many SDKs work (not Edge)
 
-export async function POST(req: NextRequest) {
+export async function POST(req: Request) {
   try {
-    // Parse the form data
     const formData = await req.formData();
-    const file = formData.get("file") as File | null;
+    const file = formData.get("file");
 
-    if (!file) {
+    if (!(file instanceof File)) {
       return NextResponse.json({ error: "No file provided" }, { status: 400 });
     }
 
-    // Validate MIME type - only allow image files
-    const allowedMimeTypes = [
+    const allowedMimeTypes = new Set([
       "image/jpeg",
       "image/jpg",
       "image/png",
       "image/gif",
       "image/webp",
       "image/svg+xml",
-    ];
+    ]);
 
-    if (!allowedMimeTypes.includes(file.type)) {
+    if (!allowedMimeTypes.has(file.type)) {
       return NextResponse.json(
         { error: "Invalid file type. Only image files are allowed." },
         { status: 400 },
       );
     }
 
-    // Validate file size - limit to 10MB
     const maxSizeInBytes = 10 * 1024 * 1024; // 10MB
     if (file.size > maxSizeInBytes) {
       return NextResponse.json(
@@ -41,16 +36,15 @@ export async function POST(req: NextRequest) {
       );
     }
 
-    // Convert file to buffer
     const arrayBuffer = await file.arrayBuffer();
     const buffer = Buffer.from(arrayBuffer);
 
-    // Generate a unique filename with original extension
-    const fileExt = file.name.split(".").pop() || "";
-    const timestamp = Date.now();
-    const filename = `upload-${timestamp}.${fileExt || "png"}`;
+    // extension (very light sanitization)
+    const rawExt = file.name.split(".").pop()?.toLowerCase() ?? "";
+    const safeExt = rawExt.match(/^[a-z0-9]+$/) ? rawExt : "png";
+
+    const filename = `upload-${Date.now()}.${safeExt}`;
 
-    // Upload the file
     const url = await uploadImageAssets(buffer, filename);
 
     return NextResponse.json({ url });

diff --git a/app/dashboard/page.tsx b/app/dashboard/page.tsx
@@ -5,8 +5,13 @@ import { SectionCards } from "./_components/section-cards";
 import { ChartAreaInteractive } from "./_components/chart-interactive";
 
 export default async function Dashboard() {
+  const h = headers();
+  const headersObj: Record<string, string> = {};
+  for (const [key, value] of h.entries()) headersObj[key] = value;
+
   const result = await auth.api.getSession({
-    headers: await headers(), // you need to pass the headers object.
+    headers: headersObj, // you need to pass the headers object
+    query: {},
   });
 
   if (!result?.session?.userId) {

diff --git a/eslint.config.mjs b/eslint.config.mjs
@@ -1,16 +1,13 @@
+import nextCoreWebVitals from "eslint-config-next/core-web-vitals";
+import nextTypescript from "eslint-config-next/typescript";
 import { dirname } from "path";
 import { fileURLToPath } from "url";
-import { FlatCompat } from "@eslint/eslintrc";
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 
-const compat = new FlatCompat({
-  baseDirectory: __dirname,
-});
-
-const eslintConfig = [
-  ...compat.extends("next/core-web-vitals", "next/typescript"),
-];
+const eslintConfig = [...nextCoreWebVitals, ...nextTypescript, {
+  ignores: ["node_modules/**", ".next/**", "out/**", "build/**", "next-env.d.ts"]
+}];
 
 export default eslintConfig;
diff --git a/lib/subscription.ts b/lib/subscription.ts
@@ -27,8 +27,13 @@ export type SubscriptionDetailsResult = {
 
 export async function getSubscriptionDetails(): Promise<SubscriptionDetailsResult> {
   try {
+    const h = headers();
+    const headersObj: Record<string, string> = {};
+    for (const [key, value] of h.entries()) headersObj[key] = value;
+
     const session = await auth.api.getSession({
-      headers: await headers(),
+      headers: headersObj,
+      query: {},
     });
 
     if (!session?.user?.id) {