Session 45: support email, audit fixes (template validation, content-type, admin auth, waitUntil)

- Added support@docfast.dev to footer, impressum, terms, landing page, openapi.json - Fixed audit #6: Template render validates required fields (400 on missing) - Fixed audit #7: Content-Type check on markdown/URL routes (415) - Fixed audit #11: /v1/usage and /v1/concurrency now require ADMIN_API_KEY - Fixed audit Critical #3: URL convert uses domcontentloaded instead of networkidle0
2026-02-16 19:30:21 +00:00 · 2026-02-16 19:30:21 +00:00 · 59cc8f3d0e
commit 59cc8f3d0e
parent 8a86e34f91
22 changed files with 166 additions and 61 deletions
--- a/dist/index.js
+++ b/dist/index.js
@ -89,12 +89,24 @@ app.use("/v1/email-change", emailChangeRouter);
 // Authenticated routes
 app.use("/v1/convert", authMiddleware, usageMiddleware, pdfRateLimitMiddleware, convertRouter);
 app.use("/v1/templates", authMiddleware, usageMiddleware, templatesRouter);
-// Admin: usage stats
-app.get("/v1/usage", authMiddleware, (req, res) => {
+// Admin: usage stats (admin key required)
+const adminAuth = (req, res, next) => {
+    const adminKey = process.env.ADMIN_API_KEY;
+    if (!adminKey) {
+        res.status(503).json({ error: "Admin access not configured" });
+        return;
+    }
+    if (req.apiKeyInfo?.key !== adminKey) {
+        res.status(403).json({ error: "Admin access required" });
+        return;
+    }
+    next();
+};
+app.get("/v1/usage", authMiddleware, adminAuth, (req, res) => {
    res.json(getUsageStats(req.apiKeyInfo?.key));
 });
-// Admin: concurrency stats
-app.get("/v1/concurrency", authMiddleware, (_req, res) => {
+// Admin: concurrency stats (admin key required)
+app.get("/v1/concurrency", authMiddleware, adminAuth, (_req, res) => {
    res.json(getConcurrencyStats());
 });
 // Email verification endpoint
@ -246,27 +258,6 @@ app.use((req, res) => {
 </html>`);
    }
 });
-// 404 handler — must be after all routes
-app.use((req, res) => {
-    if (req.path.startsWith("/v1/")) {
-        res.status(404).json({ error: "Not found" });
-    }
-    else {
-        const accepts = req.headers.accept || "";
-        if (accepts.includes("text/html")) {
-            res.status(404).send(`<!DOCTYPE html>
-<html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1">
-<title>404 — DocFast</title>
-<link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><text y='.9em' font-size='90'>⚡</text></svg>">
-<style>*{margin:0;padding:0;box-sizing:border-box}body{font-family:'Inter',-apple-system,sans-serif;background:#0b0d11;color:#e4e7ed;min-height:100vh;display:flex;align-items:center;justify-content:center}
-.c{text-align:center}.c h1{font-size:4rem;font-weight:800;color:#34d399;margin-bottom:12px}.c p{color:#7a8194;margin-bottom:24px}.c a{color:#34d399;text-decoration:none}.c a:hover{color:#5eead4}</style>
-</head><body><div class="c"><h1>404</h1><p>Page not found.</p><p><a href="/">← Back to DocFast</a> · <a href="/docs">API Docs</a></p></div></body></html>`);
-        }
-        else {
-            res.status(404).json({ error: "Not found" });
-        }
-    }
-});
 async function start() {
    // Initialize PostgreSQL
    await initDatabase();