fix: swagger UI symlink, CSP headers, email-change route, updateKeyEmail

- Fix swagger-ui symlink in Dockerfile (was pointing to /opt/docfast instead of /app) - Add CSP directives to allow inline scripts/styles and Google Fonts - Add email-change.ts route with rate limiting (3/hr) and verification - Add updateKeyEmail to keys service - Add email-change route to index.ts with CORS support
2026-02-14 22:29:56 +00:00 · 2026-02-14 22:29:56 +00:00 · 6aa1fa4d84
commit 6aa1fa4d84
parent 5f10977705
5 changed files with 127 additions and 3 deletions
--- a/src/index.ts
+++ b/src/index.ts
@ -9,6 +9,7 @@ import { healthRouter } from "./routes/health.js";
 import { signupRouter } from "./routes/signup.js";
 import { recoverRouter } from "./routes/recover.js";
 import { billingRouter } from "./routes/billing.js";
+import { emailChangeRouter } from "./routes/email-change.js";
 import { authMiddleware } from "./middleware/auth.js";
 import { usageMiddleware } from "./middleware/usage.js";
 import { getUsageStats } from "./middleware/usage.js";
@ -22,13 +23,25 @@ const PORT = parseInt(process.env.PORT || "3100", 10);
 // Load API keys from persistent store
 loadKeys();

-app.use(helmet({ crossOriginResourcePolicy: { policy: "cross-origin" } }));
+app.use(helmet({
+  crossOriginResourcePolicy: { policy: "cross-origin" },
+  contentSecurityPolicy: {
+    directives: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'", "'unsafe-inline'"],
+      styleSrc: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
+      imgSrc: ["'self'", "data:"],
+      fontSrc: ["'self'", "https://fonts.gstatic.com"],
+    }
+  }
+}));

 // Differentiated CORS middleware
 app.use((req, res, next) => {
  const isAuthBillingRoute = req.path.startsWith('/v1/signup') || 
                             req.path.startsWith('/v1/recover') || 
-                             req.path.startsWith('/v1/billing');
+                             req.path.startsWith('/v1/billing') ||
+                             req.path.startsWith('/v1/email-change');
  
  if (isAuthBillingRoute) {
    // Auth/billing routes: restrict to docfast.dev
@ -71,6 +84,7 @@ app.use("/health", healthRouter);
 app.use("/v1/signup", signupRouter);
 app.use("/v1/recover", recoverRouter);
 app.use("/v1/billing", billingRouter);
+app.use("/v1/email-change", emailChangeRouter);

 // Authenticated routes
 app.use("/v1/convert", authMiddleware, usageMiddleware, convertRouter);