From 90b489ee7c63c301107d6374d4b3f2b8e4060fe5 Mon Sep 17 00:00:00 2001
From: Mehran
Date: Fri, 22 May 2026 20:44:01 +0530
Subject: [PATCH 1/2] fix: breadcrumb z-index to prevent completion mark overlapping sticky header
---
 pnpm-workspace.yaml | 6 ++++++
 src/components/CourseView.tsx | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 pnpm-workspace.yaml
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
new file mode 100644
index 000000000..0a8832395
--- /dev/null
+++ b/pnpm-workspace.yaml
@@ -0,0 +1,6 @@
+allowBuilds:
+ '@prisma/client': true
+ '@prisma/engines': true
+ bcrypt: true
+ esbuild: true
+ prisma: true
diff --git a/src/components/CourseView.tsx b/src/components/CourseView.tsx
index 0646bc81f..8a4027c38 100644
--- a/src/components/CourseView.tsx
+++ b/src/components/CourseView.tsx
@@ -40,7 +40,7 @@ export const CourseView = ({ return (
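Review bot: The `allowBuilds` list in the new pnpm-workspace.yaml approves install-time scripts by package name alone, and it arrives in a commit whose subject is only about a breadcrumb z-index. Because this file decides which dependencies may run code during install, it is better reviewed as its own commit, with a heading comment such as `# Packages allowed to run lifecycle scripts on install; review the script before adding an entry`. The patch does not show why each of the five entries is needed, so that reasoning should be recorded in the commit message.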
-
+
 Date: Fri, 22 May 2026 22:17:14 +0530
Subject: [PATCH 2/2] fix: strip client-supplied 'g' header in withMobileAuth to prevent identity spoofing
---
 src/middleware.ts | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/middleware.ts b/src/middleware.ts
index ffae84018..603775f86 100644
--- a/src/middleware.ts
+++ b/src/middleware.ts
@@ -29,8 +29,17 @@ export const verifyJWT = async (token: string): Promise => {
 };
 export const withMobileAuth = async (req: RequestWithUser) => {
- if (req.headers.get('Auth-Key')) {
- return NextResponse.next();
+
+ const authKey=req.headers.get('Auth-Key');
+
+ if (authKey && authKey===process.env.APPX_AUTH_KEY) {
+ const newHeaders = new Headers(req.headers);
+ newHeaders.delete('g');
+ return NextResponse.next({
+ request: {
+ headers: newHeaders,
+ },
+ });
 }
 const token = req.headers.get('Authorization');
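Review bot: The client-supplied `g` header is removed only inside the `Auth-Key` branch; the rest of withMobileAuth lies outside this hunk, so it should be confirmed that the `Authorization` path also overwrites or deletes an incoming `g` before the request is forwarded. Building the cleaned headers once at the top of the function (`const newHeaders = new Headers(req.headers); newHeaders.delete('g');`) and passing them in every branch would make that hold by construction. Separately, `authKey===process.env.APPX_AUTH_KEY` is an ordinary string comparison, where a constant-time compare is the usual choice for a shared secret. A comment such as `// authKey must be non-empty so an unset or empty APPX_AUTH_KEY can never match` would record why the `authKey &&` guard has to stay.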