From 1d5d9adf0819d7b2ba9ddf01073f78ae61dde65c Mon Sep 17 00:00:00 2001
From: DocFast CEO
Date: Sat, 7 Mar 2026 11:03:56 +0100
Subject: [PATCH] fix: add /v1/email-change to restricted CORS origin list
/v1/email-change was missing from the restricted CORS list, getting wildcard Access-Control-Allow-Origin: * instead of being restricted to https://docfast.dev like other account management routes (signup, recover, billing, demo). TDD: test added to app-routes.test.ts.
---
 src/__tests__/app-routes.test.ts | 2 +-
 src/index.ts | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/__tests__/app-routes.test.ts b/src/__tests__/app-routes.test.ts
index b4875fd..2326aea 100644
--- a/src/__tests__/app-routes.test.ts
+++ b/src/__tests__/app-routes.test.ts
@@ -59,7 +59,7 @@ describe("App-level routes", () => {
 describe("CORS behavior", () => {
 it("returns restricted origin for auth routes", async () => {
- for (const path of ["/v1/signup", "/v1/recover", "/v1/billing", "/v1/demo"]) {
+ for (const path of ["/v1/signup", "/v1/recover", "/v1/billing", "/v1/demo", "/v1/email-change"]) {
 const res = await request(app).get(path);
 expect(res.headers["access-control-allow-origin"]).toBe("https://docfast.dev");
 }
diff --git a/src/index.ts b/src/index.ts
index a39bfbe..898b476 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -61,7 +61,8 @@ app.use((req, res, next) => {
 const isAuthBillingRoute = req.path.startsWith('/v1/signup') ||
 req.path.startsWith('/v1/recover') ||
 req.path.startsWith('/v1/billing') ||
- req.path.startsWith('/v1/demo');
+ req.path.startsWith('/v1/demo') ||
+ req.path.startsWith('/v1/email-change');
 if (isAuthBillingRoute) {
 res.setHeader("Access-Control-Allow-Origin", "https://docfast.dev");
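Review bot: The loop in `src/__tests__/app-routes.test.ts` only issues a plain `GET` with no `Origin` header, so it does not pin what a browser actually evaluates for the new `/v1/email-change` entry. A cross-origin call to a non-simple endpoint is gated by the `OPTIONS` preflight response, and a request carrying a foreign origin is the case where a reflected or wildcard header would matter. Consider a second request per path, `const pre = await request(app).options(path).set("Origin", "https://other.example");` followed by `expect(pre.headers["access-control-allow-origin"]).toBe("https://docfast.dev");` (the origin value is a constructed sample). Whether the email-change handler accepts `GET` at all is not visible here, and the `it` block closes outside the hunk.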
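Review bot: The check in `src/index.ts` still fails open: a path is restricted only if it is named in this `startsWith` chain, and per the commit message anything else receives `Access-Control-Allow-Origin: *`, so the next account route added without touching this list repeats the same bug. The comparison is also case-sensitive, whereas an Express app (assumed from `app.use` and the supertest call) matches routes case-insensitively unless `case sensitive routing` is enabled, so a differently cased path may reach the handler without the restriction; the router settings are not visible here. Consider one shared list plus normalisation, `const RESTRICTED_CORS_PREFIXES = ['/v1/signup', '/v1/recover', '/v1/billing', '/v1/demo', '/v1/email-change'];` and `const isAuthBillingRoute = RESTRICTED_CORS_PREFIXES.some((p) => req.path.toLowerCase().startsWith(p));`, or invert the default so that only explicitly public API routes receive the wildcard. The middleware body starts and ends outside the hunk.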