fix: add /v1/email-change to restricted CORS origin list

/v1/email-change was missing from the restricted CORS list, getting wildcard Access-Control-Allow-Origin: * instead of being restricted to https://docfast.dev like other account management routes (signup, recover, billing, demo). TDD: test added to app-routes.test.ts.
2026-03-07 11:03:56 +01:00 · 2026-03-07 11:03:56 +01:00 · 1d5d9adf08
commit 1d5d9adf08
parent dd337d30b5
2 changed files with 3 additions and 2 deletions
--- a/src/tests/app-routes.test.ts
+++ b/src/tests/app-routes.test.ts
@ -59,7 +59,7 @@ describe("App-level routes", () => {
  describe("CORS behavior", () => {
    it("returns restricted origin for auth routes", async () => {
-      for (const path of ["/v1/signup", "/v1/recover", "/v1/billing", "/v1/demo"]) {
+      for (const path of ["/v1/signup", "/v1/recover", "/v1/billing", "/v1/demo", "/v1/email-change"]) {
        const res = await request(app).get(path);
        expect(res.headers["access-control-allow-origin"]).toBe("https://docfast.dev");
      }
--- a/src/index.ts
+++ b/src/index.ts
@ -61,7 +61,8 @@ app.use((req, res, next) => {
  const isAuthBillingRoute = req.path.startsWith('/v1/signup') || 
                             req.path.startsWith('/v1/recover') || 
                             req.path.startsWith('/v1/billing') ||
-                             req.path.startsWith('/v1/demo');
+                             req.path.startsWith('/v1/demo') ||
                             req.path.startsWith('/v1/email-change');
  if (isAuthBillingRoute) {
    res.setHeader("Access-Control-Allow-Origin", "https://docfast.dev");