diff --git a/dist/index.js b/dist/index.js index 26ac9a1..69ceb0e 100644 --- a/dist/index.js +++ b/dist/index.js @@ -86,8 +86,9 @@ app.use("/v1/signup", signupRouter); app.use("/v1/recover", recoverRouter); app.use("/v1/billing", billingRouter); app.use("/v1/email-change", emailChangeRouter); -// Authenticated routes -app.use("/v1/convert", authMiddleware, usageMiddleware, pdfRateLimitMiddleware, convertRouter); +// Authenticated routes — conversion routes get tighter body limits (500KB) +const convertBodyLimit = express.json({ limit: "500kb" }); +app.use("/v1/convert", convertBodyLimit, authMiddleware, usageMiddleware, pdfRateLimitMiddleware, convertRouter); app.use("/v1/templates", authMiddleware, usageMiddleware, templatesRouter); // Admin: usage stats (admin key required) const adminAuth = (req, res, next) => { diff --git a/dist/routes/billing.js b/dist/routes/billing.js index 9fe5a24..ead3a18 100644 --- a/dist/routes/billing.js +++ b/dist/routes/billing.js @@ -16,6 +16,8 @@ function getStripe() { return _stripe; } const router = Router(); +// Track provisioned session IDs to prevent duplicate key creation +const provisionedSessions = new Set(); // Create a Stripe Checkout session for Pro subscription router.post("/checkout", async (_req, res) => { try { @@ -41,6 +43,11 @@ router.get("/success", async (req, res) => { res.status(400).json({ error: "Missing session_id" }); return; } + // Prevent duplicate provisioning from same session + if (provisionedSessions.has(sessionId)) { + res.status(409).send("This checkout session has already been used to provision a key. If you lost your key, use the key recovery feature."); + return; + } try { const session = await getStripe().checkout.sessions.retrieve(sessionId); const customerId = session.customer; @@ -50,6 +57,7 @@ router.get("/success", async (req, res) => { return; } const keyInfo = await createProKey(email, customerId); + provisionedSessions.add(session.id); // Return a nice HTML page instead of raw JSON res.send(` Welcome to DocFast Pro! @@ -131,6 +139,7 @@ router.post("/webhook", async (req, res) => { break; } const keyInfo = await createProKey(email, customerId); + provisionedSessions.add(session.id); logger.info({ email, customerId }, "checkout.session.completed: provisioned pro key"); break; } diff --git a/public/impressum.html b/public/impressum.html index d3c3460..7c13fc2 100644 --- a/public/impressum.html +++ b/public/impressum.html @@ -96,8 +96,9 @@ footer .container { display: flex; justify-content: space-between; align-items:
Home Docs - API Status + API Status Change Email + Support Impressum Privacy Policy Terms of Service diff --git a/public/index.html b/public/index.html index 35ca451..fd15056 100644 --- a/public/index.html +++ b/public/index.html @@ -421,8 +421,9 @@ html, body {
Home Docs - API Status + API Status Change Email + Support Impressum Privacy Policy Terms of Service diff --git a/public/privacy.html b/public/privacy.html index 40adeed..9a30228 100644 --- a/public/privacy.html +++ b/public/privacy.html @@ -178,8 +178,9 @@ footer .container { display: flex; justify-content: space-between; align-items:
Home Docs - API Status + API Status Change Email + Support Impressum Privacy Policy Terms of Service diff --git a/public/terms.html b/public/terms.html index cb4131f..7a0ad71 100644 --- a/public/terms.html +++ b/public/terms.html @@ -138,7 +138,7 @@ footer .container { display: flex; justify-content: space-between; align-items:

5.2 Performance

@@ -250,8 +250,9 @@ footer .container { display: flex; justify-content: space-between; align-items:
Home Docs - API Status + API Status Change Email + Support Impressum Privacy Policy Terms of Service diff --git a/src/index.ts b/src/index.ts index e52ef4a..1906d6c 100644 --- a/src/index.ts +++ b/src/index.ts @@ -99,8 +99,9 @@ app.use("/v1/recover", recoverRouter); app.use("/v1/billing", billingRouter); app.use("/v1/email-change", emailChangeRouter); -// Authenticated routes -app.use("/v1/convert", authMiddleware, usageMiddleware, pdfRateLimitMiddleware, convertRouter); +// Authenticated routes — conversion routes get tighter body limits (500KB) +const convertBodyLimit = express.json({ limit: "500kb" }); +app.use("/v1/convert", convertBodyLimit, authMiddleware, usageMiddleware, pdfRateLimitMiddleware, convertRouter); app.use("/v1/templates", authMiddleware, usageMiddleware, templatesRouter); // Admin: usage stats (admin key required) diff --git a/src/routes/billing.ts b/src/routes/billing.ts index 1fc54df..1af44f5 100644 --- a/src/routes/billing.ts +++ b/src/routes/billing.ts @@ -19,6 +19,9 @@ function getStripe(): Stripe { const router = Router(); +// Track provisioned session IDs to prevent duplicate key creation +const provisionedSessions = new Set(); + // Create a Stripe Checkout session for Pro subscription router.post("/checkout", async (_req: Request, res: Response) => { try { @@ -47,6 +50,12 @@ router.get("/success", async (req: Request, res: Response) => { return; } + // Prevent duplicate provisioning from same session + if (provisionedSessions.has(sessionId)) { + res.status(409).send("This checkout session has already been used to provision a key. If you lost your key, use the key recovery feature."); + return; + } + try { const session = await getStripe().checkout.sessions.retrieve(sessionId); const customerId = session.customer as string; @@ -58,6 +67,7 @@ router.get("/success", async (req: Request, res: Response) => { } const keyInfo = await createProKey(email, customerId); + provisionedSessions.add(session.id); // Return a nice HTML page instead of raw JSON res.send(` @@ -142,6 +152,7 @@ router.post("/webhook", async (req: Request, res: Response) => { } const keyInfo = await createProKey(email, customerId); + provisionedSessions.add(session.id); logger.info({ email, customerId }, "checkout.session.completed: provisioned pro key"); break; } diff --git a/src/routes/convert.ts b/src/routes/convert.ts index 46e5447..2f38e27 100644 --- a/src/routes/convert.ts +++ b/src/routes/convert.ts @@ -1,5 +1,5 @@ import { Router, Request, Response } from "express"; -import { renderPdf, renderUrlPdf, getPoolStats } from "../services/browser.js"; +import { renderPdf, renderUrlPdf } from "../services/browser.js"; import { markdownToHtml, wrapHtml } from "../services/markdown.js"; import dns from "node:dns/promises"; import logger from "../services/logger.js";