fix: critical and high-severity security fixes

- CRITICAL: DNS rebinding SSRF - pin DNS resolution via request interception
- CRITICAL: XSS in billing success - use data-attribute instead of JS string
- HIGH: Webhook signature bypass - refuse unverified webhooks (500)
- HIGH: Filename header injection - sanitize Content-Disposition filename
- HIGH: Verification code timing attack - use crypto.timingSafeEqual()
- HIGH: Remove duplicate unreachable 404 handler
- HIGH: Add IPv6 unique local (fc00::/7) to SSRF private IP check
- HIGH: Replace console.warn with structured logger
This commit is contained in:
OpenClaw 2026-02-16 18:56:14 +00:00
parent a01fbb0357
commit 8a86e34f91
6 changed files with 62 additions and 39 deletions


@ -3,7 +3,7 @@ import logger from "../services/logger.js";
import pool from "../services/db.js";
const FREE_TIER_LIMIT = 100;
const PRO_TIER_LIMIT = 2500;
const PRO_TIER_LIMIT = 5000;
// In-memory cache, periodically synced to PostgreSQL
let usage = new Map<string, { count: number; monthKey: string }>();
@ -48,7 +48,7 @@ export function usageMiddleware(req: any, res: any, next: any): void {
const record = usage.get(key);
if (record && record.monthKey === monthKey && record.count >= PRO_TIER_LIMIT) {
res.status(429).json({
error: "Pro tier limit reached (2,500/month). Contact support for higher limits.",
error: "Pro tier limit reached (5,000/month). Contact support for higher limits.",
limit: PRO_TIER_LIMIT,
used: record.count,
});
@ -65,7 +65,7 @@ export function usageMiddleware(req: any, res: any, next: any): void {
error: "Free tier limit reached",
limit: FREE_TIER_LIMIT,
used: record.count,
upgrade: "Upgrade to Pro for 2,500 PDFs/month: https://docfast.dev/pricing",
upgrade: "Upgrade to Pro for 5,000 PDFs/month: https://docfast.dev/pricing",
});
return;
}
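Review bot: The Pro tier quota change from 2,500 to 5,000 in the `PRO_TIER_LIMIT` constant and in both user-facing messages is not mentioned anywhere in the commit message, which lists only security fixes; a quota change should live in its own commit so anyone auditing the security fixes does not overlook it. The limit is also hard-coded a second time inside each string, which is exactly how a constant/message mismatch reappears on the next bump; derive it from the constant instead, e.g. `error: "Pro tier limit reached (" + PRO_TIER_LIMIT.toLocaleString("en-US") + "/month). Contact support for higher limits.",` and likewise for the `upgrade` string in the free-tier branch. `usageMiddleware` begins and ends outside the hunks shown, and the first hunk appears to have lost lines in rendering (its header announces 7 lines per side but fewer are visible). Since the comment above `usage` calls it an in-memory cache that is only periodically synced to PostgreSQL, presumably a restart or a second instance can under-count against either limit — worth confirming that the 429 decision is backed by the synced count rather than the cache alone.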