Session 45: support email, audit fixes (template validation, content-type, admin auth, waitUntil)

- Added support@docfast.dev to footer, impressum, terms, landing page, openapi.json
- Fixed audit #6: Template render validates required fields (400 on missing)
- Fixed audit #7: Content-Type check on markdown/URL routes (415)
- Fixed audit #11: /v1/usage and /v1/concurrency now require ADMIN_API_KEY
- Fixed audit Critical #3: URL convert uses domcontentloaded instead of networkidle0

src/routes/convert.ts

@@ -107,6 +107,12 @@ convertRouter.post("/html", async (req: Request & { acquirePdfSlot?: () => Promi
 convertRouter.post("/markdown", async (req: Request & { acquirePdfSlot?: () => Promise<void>; releasePdfSlot?: () => void }, res: Response) => {
   let slotAcquired = false;
   try {
+    // Reject non-JSON content types
+    const ct = req.headers["content-type"] || "";
+    if (!ct.includes("application/json")) {
+      res.status(415).json({ error: "Unsupported Content-Type. Use application/json." });
+      return;
+    }
     const body: ConvertBody =
       typeof req.body === "string" ? { markdown: req.body } : req.body;
 
@@ -151,6 +157,12 @@ convertRouter.post("/markdown", async (req: Request & { acquirePdfSlot?: () => P
 convertRouter.post("/url", async (req: Request & { acquirePdfSlot?: () => Promise<void>; releasePdfSlot?: () => void }, res: Response) => {
   let slotAcquired = false;
   try {
+    // Reject non-JSON content types
+    const ct = req.headers["content-type"] || "";
+    if (!ct.includes("application/json")) {
+      res.status(415).json({ error: "Unsupported Content-Type. Use application/json." });
+      return;
+    }
     const body = req.body as { url?: string; format?: string; landscape?: boolean; margin?: any; printBackground?: boolean; waitUntil?: string; filename?: string };
 
     if (!body.url) {