fix: BUG-022 check duplicate email before rate limit, BUG-024 support X-API-Key header

src/middleware/auth.ts

@@ -7,11 +7,19 @@ export function authMiddleware(
   next: NextFunction
 ): void {
   const header = req.headers.authorization;
-  if (!header?.startsWith("Bearer ")) {
-    res.status(401).json({ error: "Missing API key. Use: Authorization: Bearer <key>" });
+  const xApiKey = req.headers["x-api-key"] as string | undefined;
+  let key: string | undefined;
+
+  if (header?.startsWith("Bearer ")) {
+    key = header.slice(7);
+  } else if (xApiKey) {
+    key = xApiKey;
+  }
+
+  if (!key) {
+    res.status(401).json({ error: "Missing API key. Use: Authorization: Bearer <key> or X-API-Key: <key>" });
     return;
   }
-  const key = header.slice(7);
   if (!isValidKey(key)) {
     res.status(403).json({ error: "Invalid API key" });
     return;

src/routes/signup.ts

@@ -22,8 +22,21 @@ const verifyLimiter = rateLimit({
   legacyHeaders: false,
 });
 
+// Pre-check: reject already-registered emails BEFORE rate limiting (BUG-022)
+function rejectDuplicateEmail(req: Request, res: Response, next: Function) {
+  const { email } = req.body || {};
+  if (email && typeof email === "string") {
+    const cleanEmail = email.trim().toLowerCase();
+    if (isEmailVerified(cleanEmail)) {
+      res.status(409).json({ error: "Email already registered" });
+      return;
+    }
+  }
+  next();
+}
+
 // Step 1: Request signup — generates 6-digit code
-router.post("/free", signupLimiter, async (req: Request, res: Response) => {
+router.post("/free", rejectDuplicateEmail, signupLimiter, async (req: Request, res: Response) => {
   const { email } = req.body || {};
 
   if (!email || typeof email !== "string" || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {