feat: upgrade to zod v4 and improve r2 file validation (#21)

- Upgrade zod dependency from v3 to v4
- Update zod imports and type usage in r2.ts
- Bump drizzle-orm
- Added sanitization on filename and file metadata sent in headers

Author: axuj

examples/hono/package.json

@@ -18,7 +18,7 @@
         "@cloudflare/workers-types": "^4.20250606.0",
         "better-auth": "^1.2.8",
         "better-auth-cloudflare": "file:../../",
-        "drizzle-orm": "^0.43.1",
+        "drizzle-orm": "^0.44.5",
         "hono": "^4.7.11"
     },
     "devDependencies": {

examples/opennextjs/package.json

@@ -31,7 +31,7 @@
         "better-auth-cloudflare": "file:../../",
         "class-variance-authority": "^0.7.1",
         "clsx": "^2.1.1",
-        "drizzle-orm": "^0.43.1",
+        "drizzle-orm": "^0.44.5",
         "lucide-react": "^0.509.0",
         "next": "15.3.1",
         "react": "^19.0.0",

package.json

@@ -33,8 +33,8 @@
         "format": "prettier --write ."
     },
     "dependencies": {
-        "drizzle-orm": "^0.43.1",
-        "zod": "^3.24.2"
+        "drizzle-orm": "^0.44.5",
+        "zod": "^4.1.5"
     },
     "peerDependencies": {
         "better-auth": "^1.1.21"

src/client.ts

@@ -1,6 +1,22 @@
 import type { BetterAuthClientPlugin } from "better-auth/client";
 import type { cloudflare } from ".";
 
+/**
+ * Sanitizes a string to ensure it only contains ASCII characters
+ * This prevents ByteString conversion errors in Cloudflare Workers
+ * if unicode or other non-ASCII characters are present
+ */
+function sanitizeHeaderValue(value: string): string {
+    return value
+        .split("")
+        .map(char => {
+            const code = char.charCodeAt(0);
+            // Only allow ASCII characters (0-127)
+            return code <= 127 ? char : "?";
+        })
+        .join("");
+}
+
 /**
  * Cloudflare client plugin for Better Auth
  */
@@ -15,11 +31,11 @@ export const cloudflareClient = () => {
                  */
                 uploadFile: async (file: File, metadata?: Record<string, any>) => {
                     const headers: Record<string, string> = {
-                        "x-filename": file.name,
+                        "x-filename": sanitizeHeaderValue(file.name),
                     };
 
                     if (metadata && Object.keys(metadata).length > 0) {
-                        headers["x-file-metadata"] = JSON.stringify(metadata);
+                        headers["x-file-metadata"] = sanitizeHeaderValue(JSON.stringify(metadata));
                     }
 
                     return $fetch("/files/upload-raw", {

src/r2.ts

@@ -1,7 +1,7 @@
 import type { AuthContext } from "better-auth";
 import { createAuthEndpoint, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import type { FieldAttribute } from "better-auth/db";
-import { z, type ZodRawShape, type ZodTypeAny } from "zod";
+import { z, type ZodType } from "zod";
 import type { FileMetadata, R2Config } from "./types";
 
 export const R2_ERROR_CODES = {
@@ -86,10 +86,10 @@ function validateFileMetadata(record: any): record is FileMetadata {
  * Converts Better Auth FieldAttribute to Zod schema (same pattern as feedback plugin)
  */
 function convertFieldAttributesToZodSchema(additionalFields: Record<string, FieldAttribute>) {
-    const zodSchema: ZodRawShape = {};
+    const zodSchema: Record<string, ZodType> = {};
 
     for (const [key, value] of Object.entries(additionalFields)) {
-        let fieldSchema: ZodTypeAny;
+        let fieldSchema: ZodType;
 
         if (value.type === "string") {
             fieldSchema = z.string();
@@ -120,7 +120,7 @@ function convertFieldAttributesToZodSchema(additionalFields: Record<string, Fiel
 // Zod schemas for validation
 export const createFileMetadataSchema = (additionalFields?: Record<string, FieldAttribute>) => {
     if (!additionalFields || Object.keys(additionalFields).length === 0) {
-        return z.record(z.any()).optional();
+        return z.record(z.string(), z.any()).optional();
     }
     return convertFieldAttributesToZodSchema(additionalFields).optional();
 };
@@ -141,7 +141,7 @@ export const listFilesSchema = z
  * Creates upload schema dynamically based on additionalFields configuration
  */
 export const createUploadFileSchema = (additionalFields?: Record<string, FieldAttribute>) => {
-    const baseShape: ZodRawShape = {
+    const baseShape: Record<string, ZodType> = {
         file: z.instanceof(File),
     };
 
@@ -151,7 +151,7 @@ export const createUploadFileSchema = (additionalFields?: Record<string, FieldAt
 
     // Add additionalFields to the schema
     for (const [key, value] of Object.entries(additionalFields)) {
-        let fieldSchema: ZodTypeAny;
+        let fieldSchema: ZodType;
 
         if (value.type === "string") {
             fieldSchema = z.string();
@@ -257,7 +257,7 @@ export const createFileValidator = (config: R2Config) => {
 
             if (!result.success) {
                 // Extract detailed error information from Zod
-                const errorMessages = result.error.errors
+                const errorMessages = result.error.issues
                     .map(err => {
                         const path = err.path.length > 0 ? `${err.path.join(".")}: ` : "";
                         return `${path}${err.message}`;
@@ -268,7 +268,7 @@ export const createFileValidator = (config: R2Config) => {
                 ctx?.logger?.error(`[R2]: Metadata validation failed:`, {
                     error: detailedError,
                     metadata,
-                    zodErrors: result.error.errors,
+                    zodErrors: result.error.issues,
                 });
 
                 return error(detailedError, "INVALID_METADATA");
@@ -561,13 +561,32 @@ export const createR2Endpoints = (
                     }
 
                     // Get filename and metadata from headers
-                    const filename = ctx.request?.headers?.get("x-filename");
-                    const metadataHeader = ctx.request?.headers?.get("x-file-metadata");
+                    const rawFilename = ctx.request?.headers?.get("x-filename");
+                    const rawMetadataHeader = ctx.request?.headers?.get("x-file-metadata");
 
-                    if (!filename) {
+                    if (!rawFilename) {
                         throw new Error("x-filename header is required");
                     }
 
+                    // Sanitize header values to ensure it only contains ASCII characters
+                    const filename = rawFilename
+                        .split("")
+                        .map(char => {
+                            const code = char.charCodeAt(0);
+                            return code <= 127 ? char : "?";
+                        })
+                        .join("");
+
+                    const metadataHeader = rawMetadataHeader
+                        ? rawMetadataHeader
+                              .split("")
+                              .map(char => {
+                                  const code = char.charCodeAt(0);
+                                  return code <= 127 ? char : "?";
+                              })
+                              .join("")
+                        : undefined;
+
                     // Parse metadata from headers
                     let additionalFields: Record<string, any> = {};
                     if (metadataHeader) {