Session 45: support email, audit fixes (template validation, content-type, admin auth, waitUntil)

- Added support@docfast.dev to footer, impressum, terms, landing page, openapi.json
- Fixed audit #6: Template render validates required fields (400 on missing)
- Fixed audit #7: Content-Type check on markdown/URL routes (415)
- Fixed audit #11: /v1/usage and /v1/concurrency now require ADMIN_API_KEY
- Fixed audit Critical #3: URL convert uses domcontentloaded instead of networkidle0

src/index.ts

@@ -103,13 +103,19 @@ app.use("/v1/email-change", emailChangeRouter);
 app.use("/v1/convert", authMiddleware, usageMiddleware, pdfRateLimitMiddleware, convertRouter);
 app.use("/v1/templates", authMiddleware, usageMiddleware, templatesRouter);
 
-// Admin: usage stats
-app.get("/v1/usage", authMiddleware, (req: any, res) => {
+// Admin: usage stats (admin key required)
+const adminAuth = (req: any, res: any, next: any) => {
+  const adminKey = process.env.ADMIN_API_KEY;
+  if (!adminKey) { res.status(503).json({ error: "Admin access not configured" }); return; }
+  if (req.apiKeyInfo?.key !== adminKey) { res.status(403).json({ error: "Admin access required" }); return; }
+  next();
+};
+app.get("/v1/usage", authMiddleware, adminAuth, (req: any, res: any) => {
   res.json(getUsageStats(req.apiKeyInfo?.key));
 });
 
-// Admin: concurrency stats
-app.get("/v1/concurrency", authMiddleware, (_req, res) => {
+// Admin: concurrency stats (admin key required)
+app.get("/v1/concurrency", authMiddleware, adminAuth, (_req: any, res: any) => {
   res.json(getConcurrencyStats());
 });