From 6276d61aa392191b849ce4022754b8ae3c77ec04 Mon Sep 17 00:00:00 2001
From: DocFast Bot
Date: Sat, 14 Feb 2026 14:37:28 +0000
Subject: [PATCH] fix: add CORS headers and trust proxy for rate limiter

- Added CORS middleware allowing docfast.dev origin
- Added app.set('trust proxy', 1) to fix ERR_ERL_UNEXPECTED_X_FORWARDED_FOR
- The rate limiter was crashing on every proxied request through nginx
---
 src/index.ts | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/src/index.ts b/src/index.ts
index dfbafdf..7eec571 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -21,11 +21,31 @@ const PORT = parseInt(process.env.PORT || "3100", 10);
 loadKeys();
 app.use(helmet());
+
+// CORS — allow browser requests from the landing page
+app.use((req, res, next) => {
+  const origin = req.headers.origin;
+  const allowed = ["https://docfast.dev", "http://localhost:3100"];
+  if (origin && allowed.includes(origin)) {
+    res.setHeader("Access-Control-Allow-Origin", origin);
+  }
+  res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+  res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, X-API-Key");
+  res.setHeader("Access-Control-Max-Age", "86400");
+  if (req.method === "OPTIONS") {
+    res.status(204).end();
+    return;
+  }
+  next();
+});
 
 // Raw body for Stripe webhook signature verification
 app.use("/v1/billing/webhook", express.raw({ type: "application/json" }));
 app.use(express.json({ limit: "2mb" }));
 app.use(express.text({ limit: "2mb", type: "text/*" }));
 
+// Trust nginx proxy
+app.set("trust proxy", 1);
+
 // Rate limiting
 const limiter = rateLimit({
   windowMs: 60_000,
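Review bot: The CORS middleware reflects a per-origin `Access-Control-Allow-Origin` but never sets `Vary: Origin`, so any cache between nginx and the browser (nginx itself, a CDN, the browser's own cache) may serve the header computed for one origin to a request from another, or serve a cached response with no ACAO at all; add `res.vary("Origin");` right before the `if (origin && allowed.includes(origin))` check so it is emitted on every response, not only the matched ones. The exact-match allowlist is the right shape and should be kept over any prefix or regex check, though shipping `http://localhost:3100` in production is worth gating on `NODE_ENV`. `app.set("trust proxy", 1)` is correct only while the app port is reachable exclusively through nginx; if the process is ever bound to a public interface, `X-Forwarded-For` becomes client-controlled and the limiter below keys on whatever value is supplied, so a comment stating that invariant (and binding to loopback in `app.listen`) would make the assumption visible. The `rateLimit({` options object continues outside the hunk.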