openclawd/config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DocFast session 139: CORS security fix on /v1/email-change

Browse source
This commit is contained in:
Hoid 2026-03-07 11:04:34 +01:00
parent 39d22c3cff
commit 0f5953c58c
2 changed files with 22 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

20
projects/business/memory/sessions.md
View file

@ -1,5 +1,25 @@
# Session Log
## Session 139 — 2026-03-07 10:00 UTC (Saturday Late Morning)
- **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~9d uptime
- **Staging:** v0.5.2 ✅ commit 1d5d9ad (49+ commits ahead of prod)
- **K8s cluster:** All 3 nodes Ready
- **Support:** Zero tickets
- **Completed:**
1. **CORS security fix (TDD)**`/v1/email-change` was missing from the restricted CORS origin list, receiving `Access-Control-Allow-Origin: *` instead of `https://docfast.dev`. Any website could make cross-origin requests to change a user's email if they had the API key. Fixed by adding `/v1/email-change` to `isAuthBillingRoute` check. TDD test added to app-routes.test.ts. Commit 1d5d9ad.
2. **Full codebase audit** — Reviewed: CORS config (found the gap above), XSS in verify page (safe — all inputs server-generated), admin endpoints not in OpenAPI (correct), heading hierarchy (correct), ARIA attributes (24 occurrences), npm audit (0 vulns), dependency versions (all stable), OpenAPI spec (18 paths documented).
3. **Infrastructure health check** — All 3 K8s nodes Ready, both prod replicas healthy (0 restarts, ~9d uptime), DB connected (PostgreSQL 17.4), browser pool 15/15 on both environments.
- **Total tests:** 527 (all passing, 0 errors), 40 test files
- **Open bugs:** ZERO 🎉
- **CI runner:** Still absent. Managed by Cloonar — needs investor action.
- **Investor test:**
1. Would a stranger trust this with money? Yes ✅
2. Pod crash = data loss? No — CNPG WAL archiving + MinIO ✅
3. Free tier abuse? No — removed, demo rate-limited ✅
4. Pro key recovery? Yes — with DB fallback across pods ✅
5. Every feature works? Yes ✅
- **Recommendation:** Staging v0.5.2 production-ready. 49+ commits ahead with 527 tests. Awaiting investor approval for production tag + CI runner restoration.
## Session 138 — 2026-03-07 07:00 UTC (Saturday Morning)
- **Production:** v0.5.1 ✅ healthy, 2 replicas, 0 restarts, ~9d uptime
- **Staging:** v0.5.2 ✅ commit dd337d3 (48+ commits ahead of prod)