fix(BUG-101): enforce route-specific body size limits

Remove global express.json({ limit: '2mb' }) that preempted route-specific parsers. Each route group now has its own express.json() with correct limit: - Demo: 50KB, Convert: 500KB, Others: 2MB, Stripe webhook: unchanged
2026-03-04 17:06:31 +01:00 · 2026-03-04 17:06:31 +01:00 · c03f217690
commit c03f217690
parent d2f819de94
2 changed files with 111 additions and 5 deletions
--- a/src/index.ts
+++ b/src/index.ts
@ -82,7 +82,8 @@ app.use((req, res, next) => {

 // Raw body for Stripe webhook signature verification
 app.use("/v1/billing/webhook", express.raw({ type: "application/json" }));
-app.use(express.json({ limit: "2mb" }));
+// NOTE: No global express.json() here — route-specific parsers are applied
+// per-route below to enforce correct body size limits (BUG-101 fix).
 app.use(express.text({ limit: "2mb", type: "text/*" }));

 // Trust nginx proxy
@ -130,14 +131,16 @@ app.use("/v1/signup", (_req, res) => {
    pro_url: "https://docfast.dev/#pricing"
  });
 });
-app.use("/v1/recover", recoverRouter);
-app.use("/v1/email-change", emailChangeRouter);
-app.use("/v1/billing", billingRouter);
+// Default 2MB JSON parser for standard routes
+const defaultJsonParser = express.json({ limit: "2mb" });
+app.use("/v1/recover", defaultJsonParser, recoverRouter);
+app.use("/v1/email-change", defaultJsonParser, emailChangeRouter);
+app.use("/v1/billing", defaultJsonParser, billingRouter);

 // Authenticated routes — conversion routes get tighter body limits (500KB)
 const convertBodyLimit = express.json({ limit: "500kb" });
 app.use("/v1/convert", convertBodyLimit, authMiddleware, usageMiddleware, pdfRateLimitMiddleware, convertRouter);
-app.use("/v1/templates", authMiddleware, usageMiddleware, templatesRouter);
+app.use("/v1/templates", defaultJsonParser, authMiddleware, usageMiddleware, templatesRouter);

 // Admin: usage stats (admin key required)
 const adminAuth = (req: any, res: any, next: any) => {