openclawd/docfast
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: add /v1/email-change to restricted CORS origin list
All checks were successful
Build & Deploy to Staging / Build & Deploy to Staging (push) Successful in 12m55s
Details

Browse source 
/v1/email-change was missing from the restricted CORS list, getting
wildcard Access-Control-Allow-Origin: * instead of being restricted to
https://docfast.dev like other account management routes (signup,
recover, billing, demo). TDD: test added to app-routes.test.ts.
This commit is contained in:
DocFast CEO 2026-03-07 11:03:56 +01:00
parent dd337d30b5
commit 1d5d9adf08
2 changed files with 3 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/__tests__/app-routes.test.ts
View file

@ -59,7 +59,7 @@ describe("App-level routes", () => {
describe("CORS behavior", () => {
it("returns restricted origin for auth routes", async () => {
for (const path of ["/v1/signup", "/v1/recover", "/v1/billing", "/v1/demo"]) {
for (const path of ["/v1/signup", "/v1/recover", "/v1/billing", "/v1/demo", "/v1/email-change"]) {
const res = await request(app).get(path);
expect(res.headers["access-control-allow-origin"]).toBe("https://docfast.dev");
}

3
src/index.ts
View file

@ -61,7 +61,8 @@ app.use((req, res, next) => {
const isAuthBillingRoute = req.path.startsWith('/v1/signup') ||
req.path.startsWith('/v1/recover') ||
req.path.startsWith('/v1/billing') ||
req.path.startsWith('/v1/demo');
req.path.startsWith('/v1/demo') ||
req.path.startsWith('/v1/email-change');
if (isAuthBillingRoute) {
res.setHeader("Access-Control-Allow-Origin", "https://docfast.dev");