Audit and clean up helper functions

apps/processor/src/utils/security.ts

@@ -1,4 +1,9 @@
 import path from 'path';
+// Import canonical file security utilities from @pagespace/lib
+import {
+  DANGEROUS_MIME_TYPES as LIB_DANGEROUS_MIME_TYPES,
+  isDangerousMimeType as libIsDangerousMimeType
+} from '@pagespace/lib';
 
 export const SAFE_EXTENSION_PATTERN = /^[a-z0-9]{1,8}$/i;
 export const DEFAULT_EXTENSION = '.bin';
@@ -96,22 +101,7 @@ export function sanitizeFilename(filename: string | null | undefined): string {
     || 'file';
 }
 
-/**
- * Dangerous MIME types that can execute JavaScript
- */
-export const DANGEROUS_MIME_TYPES = [
-  'text/html',
-  'application/xhtml+xml',
-  'image/svg+xml',
-  'application/xml',
-  'text/xml',
-] as const;
-
-/**
- * Check if MIME type is dangerous (can execute scripts)
- */
-export function isDangerousMimeType(mimeType: string | null | undefined): boolean {
-  if (!mimeType) return false;
-  const normalized = mimeType.toLowerCase().split(';')[0].trim();
-  return DANGEROUS_MIME_TYPES.includes(normalized as any);
-}
+// Re-export file security utilities from @pagespace/lib (canonical source)
+// These were previously duplicated here but are now consolidated
+export const DANGEROUS_MIME_TYPES = LIB_DANGEROUS_MIME_TYPES;
+export const isDangerousMimeType = libIsDangerousMimeType;

apps/web/src/app/api/account/devices/route.ts

@@ -1,5 +1,5 @@
 import { users, db, eq, deviceTokens, sql, and, isNull } from '@pagespace/db';
-import { loggers } from '@pagespace/lib/server';
+import { loggers, getClientIP } from '@pagespace/lib/server';
 import { authenticateRequestWithOptions, isAuthError } from '@/lib/auth';
 import { getUserDeviceTokens, revokeAllUserDeviceTokens, decodeDeviceToken, createDeviceTokenRecord, revokeExpiredDeviceTokens } from '@pagespace/lib/device-auth-utils';
 
@@ -142,7 +142,7 @@ export async function DELETE(req: Request) {
         {
           deviceName: currentDeviceInfo.deviceName || undefined,
           userAgent: req.headers.get('user-agent') ?? undefined,
-          ipAddress: req.headers.get('x-forwarded-for')?.split(',')[0] || req.headers.get('x-real-ip') || undefined,
+          ipAddress: getClientIP(req) !== 'unknown' ? getClientIP(req) : undefined,
         }
       );
 

apps/web/src/app/api/auth/device/refresh/route.ts

@@ -11,6 +11,7 @@ import {
   getRefreshTokenMaxAge,
   generateCSRFToken,
   getSessionIdFromJWT,
+  getClientIP,
 } from '@pagespace/lib/server';
 import { createId } from '@paralleldrive/cuid2';
 import { loggers, logAuthEvent } from '@pagespace/lib/server';
@@ -35,10 +36,7 @@ export async function POST(req: Request) {
 
     const { deviceToken, deviceId, userAgent, appVersion } = validation.data;
 
-    const clientIP =
-      req.headers.get('x-forwarded-for')?.split(',')[0] ||
-      req.headers.get('x-real-ip') ||
-      'unknown';
+    const clientIP = getClientIP(req);
 
     const deviceRecord = await validateDeviceToken(deviceToken);
     if (!deviceRecord) {

apps/web/src/app/api/auth/google/callback/route.ts

@@ -1,7 +1,7 @@
 import { users, refreshTokens } from '@pagespace/db';
 import { db, eq, or } from '@pagespace/db';
 import { z } from 'zod/v4';
-import { generateAccessToken, generateRefreshToken, getRefreshTokenMaxAge, checkRateLimit, resetRateLimit, RATE_LIMIT_CONFIGS, decodeToken, generateCSRFToken, getSessionIdFromJWT, validateOrCreateDeviceToken } from '@pagespace/lib/server';
+import { generateAccessToken, generateRefreshToken, getRefreshTokenMaxAge, checkRateLimit, resetRateLimit, RATE_LIMIT_CONFIGS, decodeToken, generateCSRFToken, getSessionIdFromJWT, validateOrCreateDeviceToken, getClientIP } from '@pagespace/lib/server';
 import { serialize } from 'cookie';
 import { createId } from '@paralleldrive/cuid2';
 import { loggers, logAuthEvent } from '@pagespace/lib/server';
@@ -94,9 +94,7 @@ export async function GET(req: Request) {
     }
 
     // Rate limiting by IP address
-    const clientIP = req.headers.get('x-forwarded-for')?.split(',')[0] || 
-                     req.headers.get('x-real-ip') || 
-                     'unknown';
+    const clientIP = getClientIP(req);
 
     const ipRateLimit = checkRateLimit(clientIP, RATE_LIMIT_CONFIGS.LOGIN);
     if (!ipRateLimit.allowed) {

apps/web/src/app/api/auth/google/signin/route.ts

@@ -1,5 +1,5 @@
 import { z } from 'zod/v4';
-import { checkRateLimit, RATE_LIMIT_CONFIGS } from '@pagespace/lib/server';
+import { checkRateLimit, RATE_LIMIT_CONFIGS, getClientIP } from '@pagespace/lib/server';
 import { loggers } from '@pagespace/lib/server';
 import crypto from 'crypto';
 
@@ -19,9 +19,7 @@ export async function POST(req: Request) {
     }
 
     // Rate limiting by IP address
-    const clientIP = req.headers.get('x-forwarded-for')?.split(',')[0] || 
-                     req.headers.get('x-real-ip') || 
-                     'unknown';
+    const clientIP = getClientIP(req);
 
     const ipRateLimit = checkRateLimit(clientIP, RATE_LIMIT_CONFIGS.LOGIN);
     if (!ipRateLimit.allowed) {

apps/web/src/app/api/auth/login/route.ts

@@ -11,6 +11,7 @@ import {
   RATE_LIMIT_CONFIGS,
   decodeToken,
   validateOrCreateDeviceToken,
+  getClientIP,
 } from '@pagespace/lib/server';
 import { serialize } from 'cookie';
 import { createId } from '@paralleldrive/cuid2';
@@ -41,9 +42,7 @@ export async function POST(req: Request) {
     const { email, password, deviceId, deviceName, deviceToken: existingDeviceToken } = validation.data;
 
     // Rate limiting by IP address and email
-    const clientIP = req.headers.get('x-forwarded-for')?.split(',')[0] || 
-                     req.headers.get('x-real-ip') || 
-                     'unknown';
+    const clientIP = getClientIP(req);
 
     const ipRateLimit = checkRateLimit(clientIP, RATE_LIMIT_CONFIGS.LOGIN);
     const emailRateLimit = checkRateLimit(email.toLowerCase(), RATE_LIMIT_CONFIGS.LOGIN);

apps/web/src/app/api/auth/logout/route.ts

@@ -1,7 +1,7 @@
 import { refreshTokens } from '@pagespace/db';
 import { db, eq } from '@pagespace/db';
 import { parse, serialize } from 'cookie';
-import { loggers, logAuthEvent } from '@pagespace/lib/server';
+import { loggers, logAuthEvent, getClientIP } from '@pagespace/lib/server';
 import { trackAuthEvent } from '@pagespace/lib/activity-tracker';
 import { revokeDeviceTokenByValue, revokeDeviceTokensByDevice } from '@pagespace/lib/device-auth-utils';
 import { authenticateRequestWithOptions, isAuthError } from '@/lib/auth';
@@ -16,9 +16,7 @@ export async function POST(req: Request) {
   const cookies = parse(cookieHeader || '');
   const refreshTokenValue = cookies.refreshToken;
 
-  const clientIP = req.headers.get('x-forwarded-for')?.split(',')[0] ||
-                   req.headers.get('x-real-ip') ||
-                   'unknown';
+  const clientIP = getClientIP(req);
 
   // Revoke device token to ensure proper device separation
   // This prevents token reuse when logging back in on different devices

apps/web/src/app/api/auth/mobile/login/route.ts

@@ -9,6 +9,7 @@ import {
   RATE_LIMIT_CONFIGS,
   decodeToken,
   validateOrCreateDeviceToken,
+  getClientIP,
 } from '@pagespace/lib/server';
 import { generateCSRFToken, getSessionIdFromJWT } from '@pagespace/lib/server';
 import { loggers, logAuthEvent } from '@pagespace/lib/server';
@@ -38,9 +39,7 @@ export async function POST(req: Request) {
     const { email, password, deviceId, platform, deviceName, appVersion, deviceToken: existingDeviceToken } = validation.data;
 
     // Rate limiting by IP address and email
-    const clientIP = req.headers.get('x-forwarded-for')?.split(',')[0] ||
-                     req.headers.get('x-real-ip') ||
-                     'unknown';
+    const clientIP = getClientIP(req);
 
     const ipRateLimit = checkRateLimit(clientIP, RATE_LIMIT_CONFIGS.LOGIN);
     const emailRateLimit = checkRateLimit(email.toLowerCase(), RATE_LIMIT_CONFIGS.LOGIN);

apps/web/src/app/api/auth/mobile/oauth/google/exchange/route.ts

@@ -58,6 +58,7 @@ import {
   generateCSRFToken,
   getSessionIdFromJWT,
   validateOrCreateDeviceToken,
+  getClientIP,
 } from '@pagespace/lib/server';
 import { loggers, logAuthEvent } from '@pagespace/lib/server';
 import { trackAuthEvent } from '@pagespace/lib/activity-tracker';
@@ -101,10 +102,7 @@ export async function POST(req: Request) {
     platform = requestPlatform;
 
     // Rate limiting by IP address
-    const clientIP =
-      req.headers.get('x-forwarded-for')?.split(',')[0] ||
-      req.headers.get('x-real-ip') ||
-      'unknown';
+    const clientIP = getClientIP(req);
 
     const ipRateLimit = checkRateLimit(clientIP, RATE_LIMIT_CONFIGS.LOGIN);
     if (!ipRateLimit.allowed) {

apps/web/src/app/api/auth/mobile/refresh/route.ts

@@ -10,6 +10,7 @@ import {
   RATE_LIMIT_CONFIGS,
   generateCSRFToken,
   getSessionIdFromJWT,
+  getClientIP,
 } from '@pagespace/lib/server';
 import { z } from 'zod/v4';
 import { loggers } from '@pagespace/lib/server';
@@ -31,10 +32,7 @@ export async function POST(req: Request) {
 
     const { deviceToken, deviceId } = validation.data;
 
-    const clientIP =
-      req.headers.get('x-forwarded-for')?.split(',')[0] ||
-      req.headers.get('x-real-ip') ||
-      'unknown';
+    const clientIP = getClientIP(req);
 
     // Rate limiting by IP address for refresh attempts
     const rateLimit = checkRateLimit(`refresh:device:${clientIP}`, RATE_LIMIT_CONFIGS.REFRESH);

apps/web/src/app/api/auth/mobile/signup/route.ts

@@ -10,6 +10,7 @@ import {
   createNotification,
   decodeToken,
   validateOrCreateDeviceToken,
+  getClientIP,
 } from '@pagespace/lib/server';
 import { generateCSRFToken, getSessionIdFromJWT } from '@pagespace/lib/server';
 import { createId } from '@paralleldrive/cuid2';
@@ -42,9 +43,7 @@ const signupSchema = z.object({
 });
 
 export async function POST(req: Request) {
-  const clientIP = req.headers.get('x-forwarded-for')?.split(',')[0] ||
-                   req.headers.get('x-real-ip') ||
-                   'unknown';
+  const clientIP = getClientIP(req);
 
   let email: string | undefined;
 

apps/web/src/app/api/auth/refresh/route.ts

@@ -1,6 +1,6 @@
 import { users, refreshTokens, deviceTokens } from '@pagespace/db';
 import { db, eq, sql, and, isNull } from '@pagespace/db';
-import { decodeToken, generateAccessToken, generateRefreshToken, getRefreshTokenMaxAge, checkRateLimit, RATE_LIMIT_CONFIGS } from '@pagespace/lib/server';
+import { decodeToken, generateAccessToken, generateRefreshToken, getRefreshTokenMaxAge, checkRateLimit, RATE_LIMIT_CONFIGS, getClientIP } from '@pagespace/lib/server';
 import { validateDeviceToken } from '@pagespace/lib/device-auth-utils';
 import { serialize } from 'cookie';
 import { parse } from 'cookie';
@@ -16,9 +16,7 @@ export async function POST(req: Request) {
   }
 
   // Rate limiting by IP address for refresh attempts
-  const clientIP = req.headers.get('x-forwarded-for')?.split(',')[0] || 
-                   req.headers.get('x-real-ip') || 
-                   'unknown';
+  const clientIP = getClientIP(req);
 
   const rateLimit = checkRateLimit(`refresh:${clientIP}`, RATE_LIMIT_CONFIGS.REFRESH);
 

apps/web/src/app/api/auth/signup/route.ts

@@ -1,7 +1,7 @@
 import { users, userAiSettings, refreshTokens, db, eq } from '@pagespace/db';
 import bcrypt from 'bcryptjs';
 import { z } from 'zod/v4';
-import { generateAccessToken, generateRefreshToken, getRefreshTokenMaxAge, checkRateLimit, resetRateLimit, RATE_LIMIT_CONFIGS, createNotification, decodeToken, validateOrCreateDeviceToken } from '@pagespace/lib/server';
+import { generateAccessToken, generateRefreshToken, getRefreshTokenMaxAge, checkRateLimit, resetRateLimit, RATE_LIMIT_CONFIGS, createNotification, decodeToken, validateOrCreateDeviceToken, getClientIP } from '@pagespace/lib/server';
 import { createId } from '@paralleldrive/cuid2';
 import { loggers, logAuthEvent } from '@pagespace/lib/server';
 import { trackAuthEvent } from '@pagespace/lib/activity-tracker';
@@ -38,9 +38,7 @@ const signupSchema = z.object({
 });
 
 export async function POST(req: Request) {
-  const clientIP = req.headers.get('x-forwarded-for')?.split(',')[0] ||
-    req.headers.get('x-real-ip') ||
-    'unknown';
+  const clientIP = getClientIP(req);
 
   let email: string | undefined;
 

apps/web/src/app/api/contact/route.ts

@@ -1,7 +1,7 @@
 import { contactSubmissions, db } from '@pagespace/db';
 import { z } from 'zod/v4';
 import { createId } from '@paralleldrive/cuid2';
-import { loggers } from '@pagespace/lib/server';
+import { loggers, getClientIP } from '@pagespace/lib/server';
 import { authenticateRequestWithOptions, isAuthError } from '@/lib/auth';
 
 const AUTH_OPTIONS = { allow: ['jwt'] as const, requireCSRF: true };
@@ -14,9 +14,7 @@ const contactSchema = z.object({
 });
 
 export async function POST(request: Request) {
-  const clientIP = request.headers.get('x-forwarded-for')?.split(',')[0] ||
-                   request.headers.get('x-real-ip') ||
-                   'unknown';
+  const clientIP = getClientIP(request);
 
   try {
     // Authenticate request (optional - allows unauthenticated contact forms)

apps/web/src/app/api/mcp-ws/route.ts

@@ -27,7 +27,7 @@ import {
   isToolExecuteMessage,
   isToolResultMessage,
 } from '@/lib/websocket';
-import { decodeToken } from '@pagespace/lib/server';
+import { decodeToken, getClientIP } from '@pagespace/lib/server';
 import { getCookieValueFromHeader } from '@/lib/utils/get-cookie-value';
 
 // Initialize cleanup interval on module load
@@ -72,8 +72,7 @@ export async function UPGRADE(
   request: NextRequest
 ) {
   const requestUrl = request.url;
-  const clientIp =
-    request.headers.get('x-forwarded-for')?.split(',')[0].trim() || 'unknown';
+  const clientIp = getClientIP(request);
 
   // SECURITY CHECK 1: Verify secure connection in production
   if (!isSecureConnection(requestUrl, request)) {

apps/web/src/app/api/track/route.ts

@@ -5,6 +5,7 @@
 
 import { NextResponse } from 'next/server';
 import { trackActivity, trackFeature, trackError } from '@pagespace/lib/activity-tracker';
+import { getClientIP } from '@pagespace/lib/server';
 import { authenticateRequestWithOptions, isAuthError } from '@/lib/auth';
 
 const AUTH_OPTIONS = { allow: ['jwt'] as const, requireCSRF: false };
@@ -19,9 +20,7 @@ export async function POST(request: Request) {
     }
 
     // Get client IP and user agent
-    const ip = request.headers.get('x-forwarded-for')?.split(',')[0] || 
-               request.headers.get('x-real-ip') || 
-               'unknown';
+    const ip = getClientIP(request);
     const userAgent = request.headers.get('user-agent') || 'unknown';
 
     // Parse tracking data

apps/web/src/app/dashboard/storage/page.tsx

@@ -36,6 +36,7 @@ import {
 import { formatDistanceToNow } from "date-fns";
 import { toast } from "sonner";
 import { fetchWithAuth } from "@/lib/auth/auth-fetch";
+import { formatBytes } from "@pagespace/lib/client-safe";
 
 interface StorageInfo {
   quota: {
@@ -100,13 +101,6 @@ const getFileIcon = (mimeType: string) => {
   return File;
 };
 
-const formatBytes = (bytes: number): string => {
-  const sizes = ['B', 'KB', 'MB', 'GB', 'TB'];
-  if (bytes === 0) return '0 B';
-  const i = Math.floor(Math.log(bytes) / Math.log(1024));
-  return `${Math.round(bytes / Math.pow(1024, i) * 100) / 100} ${sizes[i]}`;
-};
-
 export default function StorageDashboard() {
   const router = useRouter();
   const [storageInfo, setStorageInfo] = useState<StorageInfo | null>(null);