From 6cbd40f7ea61a5ab74039799e93b5d673bcc0256 Mon Sep 17 00:00:00 2001
From: Tofik Hasanov
Date: Mon, 22 Jun 2026 16:35:39 -0400
Subject: [PATCH] fix(background-checks): drop HEIC/HEIF from manual upload accept list
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
PR #3233 widened the background-check attach form to accept images, but included image/heic + image/heif. The API (validateFileContent in apps/api/src/utils/file-type-validation.ts) only validates PNG/JPEG/WEBP/PDF, so a HEIC/HEIF upload would be rejected server-side — and most browsers can't display HEIC, so it would store unviewable evidence even if accepted. Align the form's accepted types (and helper/error copy) with what the API actually takes: PDF, PNG, JPEG, WEBP. PDFs and the other image formats are unaffected. Note: candidates' own ID uploads already handle HEIC by converting it to JPEG in the browser (apps/web normalizeIdImage). This admin attach form does no such conversion, so offering HEIC here was misleading. If HEIC support is wanted on this form later, the right fix is client-side conversion, not raw HEIC at the API.
Co-Authored-By: Claude Opus 4.8
---
 .../BackgroundCheckAttachForm.test.tsx | 5 ++++-
 .../components/BackgroundCheckAttachForm.tsx | 16 +++++++++-------
 2 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/BackgroundCheckAttachForm.test.tsx b/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/BackgroundCheckAttachForm.test.tsx
index 137a2d8ab..ae383e2e9 100644
--- a/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/BackgroundCheckAttachForm.test.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/BackgroundCheckAttachForm.test.tsx
@@ -41,7 +41,10 @@ describe('BackgroundCheckAttachForm', () => {
 expect(accept).toContain('application/pdf');
 expect(accept).toMatch(/image\/png/);
 expect(accept).toMatch(/image\/jpeg/);
- expect(accept).toMatch(/image\/heic/);
+ expect(accept).toMatch(/image\/webp/);
+ // HEIC/HEIF intentionally excluded — the API can't validate/store them and
+ // most browsers can't display them; offering them would fail server-side.
+ expect(accept).not.toMatch(/image\/heic/);
 });
 it('still accepts a PDF report', () => {
diff --git a/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/BackgroundCheckAttachForm.tsx b/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/BackgroundCheckAttachForm.tsx
index eb004434a..a5ff2bc6c 100644
--- a/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/BackgroundCheckAttachForm.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/BackgroundCheckAttachForm.tsx
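Review bot: The new negative assertion only covers `image/heic`, so `image/heif` or the `.heic`/`.heif` extensions could be re-added to the accept string without this test failing. A single broader check such as `expect(accept).not.toMatch(/hei[cf]/i);` would pin all four tokens the commit removes. The enclosing `it(...)` block starts above the hunk, so how `accept` is read from the rendered input is not visible here.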
@@ -44,19 +44,21 @@ interface AttachFormProps {
 const MAX_FILE_BYTES = 25 * 1024 * 1024;
 // Reports are usually PDFs, but the manual identity fallback is a passport
-// photo (JPEG/PNG/HEIC). The API accepts these same types — see
-// validateFileContent in apps/api/src/utils/file-type-validation.ts.
+// photo (JPEG/PNG/WEBP). Keep this in lock-step with what the API actually
+// accepts — validateFileContent in apps/api/src/utils/file-type-validation.ts.
+// HEIC/HEIF are intentionally excluded: the API can't validate/store them and
+// most browsers can't display them, so they'd fail server-side or store
+// unviewable evidence. (Candidates' own uploads convert HEIC->JPEG in the
+// browser via apps/web normalizeIdImage; this admin attach form does not.)
 const ACCEPTED_MIME_TYPES = [
 'application/pdf',
 'image/png',
 'image/jpeg',
 'image/webp',
- 'image/heic',
- 'image/heif',
 ];
 const FILE_ACCEPT_ATTR =
- 'application/pdf,image/png,image/jpeg,image/webp,image/heic,image/heif,.pdf,.png,.jpg,.jpeg,.webp,.heic,.heif';
+ 'application/pdf,image/png,image/jpeg,image/webp,.pdf,.png,.jpg,.jpeg,.webp';
 export function BackgroundCheckAttachForm({
 values,
@@ -81,7 +83,7 @@ export function BackgroundCheckAttachForm({
 return;
 }
 if (file.type && !ACCEPTED_MIME_TYPES.includes(file.type)) {
- setFileError('Upload a PDF or image file (PDF, PNG, JPG, HEIC).');
+ setFileError('Upload a PDF or image file (PDF, PNG, JPG, WEBP).');
 return;
 }
 setFileError(null);
@@ -178,7 +180,7 @@ export function BackgroundCheckAttachForm({
 )}
- PDF or image (PNG, JPG, HEIC) · up to 25 MB · stored encrypted in your evidence vault
+ PDF or image (PNG, JPG, WEBP) · up to 25 MB · stored encrypted in your evidence vault
 {fileError && (
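Review bot: `ACCEPTED_MIME_TYPES` and `FILE_ACCEPT_ATTR` remain two hand-written copies of the same list, and the comment's "keep this in lock-step" with the API is the only guard against the drift this commit repairs. Deriving the attribute from the array, e.g. `const FILE_ACCEPT_ATTR = [...ACCEPTED_MIME_TYPES, '.pdf', '.png', '.jpg', '.jpeg', '.webp'].join(',');`, removes one of the copies. The comment could also say that this list is only a picker/UX filter and that validateFileContent on the API remains the enforcement point, since both the `accept` attribute and `file.type` are under the client's control.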
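Review bot: In the `@@ -81,7 +83,7 @@` hunk, the guard `if (file.type && !ACCEPTED_MIME_TYPES.includes(file.type))` is skipped whenever the browser reports an empty `file.type`. That can happen for formats the OS has no MIME mapping for, and HEIC/HEIF is a plausible case, so the files this commit means to block may still pass the client check and only fail at the API. When `file.type` is empty, fall back to the file name, e.g. `const ext = file.name.split('.').pop()?.toLowerCase() ?? '';` checked against `['pdf', 'png', 'jpg', 'jpeg', 'webp']`. The handler's start and end are outside the hunk, so this assumes `file` is a DOM `File`.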

{fileError}