Security fixes: non-root user, signup rate limiting, differentiated CORS, persistent usage tracking

2026-02-14 17:04:55 +00:00 · 2026-02-14 17:04:55 +00:00 · 73bb041513
commit 73bb041513
parent 6a38ba4adc
5 changed files with 108 additions and 17 deletions
--- a/src/index.ts
+++ b/src/index.ts
@ -22,19 +22,30 @@ loadKeys();

 app.use(helmet({ crossOriginResourcePolicy: { policy: "cross-origin" } }));

-// CORS — allow browser requests from the landing page
+// Differentiated CORS middleware
 app.use((req, res, next) => {
-  // Allow all origins — public API
-  res.setHeader("Access-Control-Allow-Origin", "*");
+  const isAuthBillingRoute = req.path.startsWith('/v1/signup') || 
+                             req.path.startsWith('/v1/billing');
+  
+  if (isAuthBillingRoute) {
+    // Auth/billing routes: restrict to docfast.dev
+    res.setHeader("Access-Control-Allow-Origin", "https://docfast.dev");
+  } else {
+    // Conversion API routes: allow all origins
+    res.setHeader("Access-Control-Allow-Origin", "*");
+  }
+  
  res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
  res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, X-API-Key");
  res.setHeader("Access-Control-Max-Age", "86400");
+  
  if (req.method === "OPTIONS") {
    res.status(204).end();
    return;
  }
  next();
 });
+
 // Raw body for Stripe webhook signature verification
 app.use("/v1/billing/webhook", express.raw({ type: "application/json" }));
 app.use(express.json({ limit: "2mb" }));