Bug Summary
uploadCommunityLogo in src/features/Auth/v1/utils/signup.ts is explicitly marked as a simulation that encodes any uploaded file as a base64 data: URL and returns it as the logo value:
export async function uploadCommunityLogo(file: File): Promise<string> {
  // SIMULATION: If you need to switch to a real API, change this implementation
  return new Promise((resolve) => {
    const reader = new FileReader();
    reader.onload = () => resolve(reader.result as string);
    reader.readAsDataURL(file); // no size check, no type check
  });
}
This data URL is then included in the signup form payload sent to /api/v1/auth/signup-community. Two issues:
- No file size limit: A user can select a 50 MB PNG. FileReader.readAsDataURL() succeeds, producing a ~67 MB base64 string (base64 overhead). This string is then embedded in the JSON request body sent to the API. The backend must parse a ~67 MB request body per signup attempt.
- No file type validation: Any file (executables, PDFs, ZIP archives) can be passed to this function. readAsDataURL() encodes anything. The resulting string may later be rendered in an <img src={...}> tag, which silently fails for non-image types rather than warning the user.
The comment acknowledges this is a simulation ("Replace with real FormData upload"), but the stub ships with no guards in the meantime.
Expected Behavior
uploadCommunityLogo should validate that:
- file.size is within a reasonable limit (for example, 2 MB).
- file.type is one of ["image/jpeg", "image/png", "image/webp"].
Both checks should throw an error before FileReader is invoked.
Actual Behavior
Any file of any size and type is encoded and included in the signup payload.
Affected File
src/features/Auth/v1/utils/signup.ts, uploadCommunityLogo function.
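A guard along the lines of the Expected Behavior above, as an added example that is not the project's code or part of the original issue: it rejects by declared size and type before any FileReader call. It goes slightly beyond the issue by also checking magic bytes, because file.type is assigned by the browser (typically from the file extension) rather than from the content; LogoCandidate, the function names and the 1-byte minimum are assumptions.

```typescript
// Added example, not the project's code. Limits come from the issue's
// "Expected Behavior"; the magic-byte check is an extra assumption.
const MAX_LOGO_BYTES = 2 * 1024 * 1024; // 2 MB, the example limit from the issue
const ALLOWED_LOGO_TYPES: readonly string[] = ["image/jpeg", "image/png", "image/webp"];

// Structural subset of the browser File type, so the guard runs without a DOM.
interface LogoCandidate { size: number; type: string; }

// Length of the data: URL that readAsDataURL() would produce for this file.
function dataUrlLength(file: LogoCandidate): number {
  const prefix = "data:" + file.type + ";base64,";
  return prefix.length + 4 * Math.ceil(file.size / 3);
}

// Throws before any FileReader work if the declared size or type is rejected.
function assertLogoAllowed(file: LogoCandidate): void {
  if (file.size <= 0 || file.size > MAX_LOGO_BYTES) {
    throw new Error("Logo must be between 1 and " + MAX_LOGO_BYTES + " bytes");
  }
  if (ALLOWED_LOGO_TYPES.indexOf(file.type) === -1) {
    throw new Error("Logo type not allowed: " + (file.type || "unknown"));
  }
}

// Sniff the leading bytes of the file content.
// Returns the detected MIME type, or null if no allowed signature matches.
function sniffImageType(head: Uint8Array): string | null {
  const startsWith = (sig: number[], offset = 0): boolean =>
    head.length >= offset + sig.length && sig.every((b, i) => head[offset + i] === b);
  if (startsWith([0xff, 0xd8, 0xff])) return "image/jpeg";
  if (startsWith([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])) return "image/png";
  // WebP container: "RIFF" <4-byte size> "WEBP"
  if (startsWith([0x52, 0x49, 0x46, 0x46]) && startsWith([0x57, 0x45, 0x42, 0x50], 8)) {
    return "image/webp";
  }
  return null;
}

// Full check: declared metadata first, then content must match the declared type.
function validateLogo(file: LogoCandidate, head: Uint8Array): void {
  assertLogoAllowed(file);
  if (sniffImageType(head) !== file.type) {
    throw new Error("File content does not match declared type " + file.type);
  }
}
```

In the browser, the head bytes can be read with `new Uint8Array(await file.slice(0, 12).arrayBuffer())` before the FileReader is created. The API endpoint still needs its own request-size and type limits, since a client-side guard does not constrain requests sent directly to it.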
@NexGenStudioDev I would like to work on this issue. Could you please assign it to me? Contributing under NSoC '26.