Four request-hardening primitives wired into Express
Dshamir adds Zod validation, Pino structured logging, GlitchTip/Sentry error tracking, magic-byte MIME validation, and a strict Helmet CSP to the Express backend - all as self-contained modules that drop in without touching route logic.
The MIME validator (upload.ts) reads the first bytes of every uploaded file with file-type, checks the detected MIME against an allowlist (application/pdf, application/vnd.openxmlformats-officedocument.wordprocessingml.document, application/msword), and rejects anything else. A renamed executable claiming to be a PDF gets rejected at the buffer level, not based on the extension. One edge case: .doc files return no detected type, so the validator treats them as valid - a deliberate fallback for old-format Word documents.
The Pino logger (logger.ts) redacts req.headers.authorization, req.headers.cookie, and any field named password, secret, apiKey, api_key, or encrypted_key. The requestId middleware attaches res.locals.log as a child logger keyed to the request ID so every log line from a given request shares the same requestId field. All console.* calls across the route layer were replaced with logger.info/debug/error calls.
The error handler (errorHandler.ts) intercepts ZodErrors and returns RFC 7807 problem-detail responses: { type: "validation_error", title: "Invalid request", status: 400, errors: [...] }. Unhandled errors get { type: "server_error", status: 500 }, with the actual message visible in development and a generic string in production. GlitchTip/Sentry receives a captureException call on every 500.
The Zod validation middleware (validation.ts) takes a schema and calls schema.parse({ body, query, params }). It's nine lines. The common.ts schema file exports zodUUID, zodNonEmptyString, zodPagination, zodParamsWithId, and zodParamsWithProjectId - the shared building blocks reused throughout the fork's later route-validation work.
The CSP is strict: default-src 'self', script-src 'self', object-src 'none', frame-ancestors 'none'. style-src allows 'unsafe-inline' (common Next.js constraint), and connect-src includes the FRONTEND_URL env var for cross-origin SSE.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?