openclawd/docfast
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(cors): dynamic origin for staging support (BUG-111) + eliminate all 'as any' casts
All checks were successful
Build & Deploy to Staging / Build & Deploy to Staging (push) Successful in 17m51s
Details

Browse source 
- CORS middleware now allows both docfast.dev and staging.docfast.dev origins
  for auth/billing routes, with Vary: Origin header for proper caching
- Unknown origins fall back to production origin (not reflected)
- 13 TDD tests added for CORS behavior

Type safety improvements:
- Augment Express.Request with requestId, acquirePdfSlot, releasePdfSlot
- Use Puppeteer's PaperFormat and PuppeteerLifeCycleEvent types in browser.ts
- Use 'as const' for format literals in convert/demo/templates routes
- Replace Stripe apiVersion 'as any' with @ts-expect-error
- Zero 'as any' casts remaining in production code

579 tests passing (13 new), 51 test files
This commit is contained in:
Hoid 2026-03-09 08:08:37 +01:00
parent a60d379e66
commit da049b77e3
9 changed files with 89 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

46
src/__tests__/cors-staging.test.ts Normal file
View file

@ -0,0 +1,46 @@
import { describe, it, expect } from "vitest";
import supertest from "supertest";
import { app } from "../index.js";
describe("CORS — staging origin support (BUG-111)", () => {
const authRoutes = ["/v1/recover", "/v1/email-change", "/v1/billing", "/v1/demo"];
for (const route of authRoutes) {
it(`${route} allows staging origin`, async () => {
const res = await supertest(app)
.options(route)
.set("Origin", "https://staging.docfast.dev")
.set("Access-Control-Request-Method", "POST")
.set("Access-Control-Request-Headers", "Content-Type");
expect(res.headers["access-control-allow-origin"]).toBe("https://staging.docfast.dev");
});
it(`${route} allows production origin`, async () => {
const res = await supertest(app)
.options(route)
.set("Origin", "https://docfast.dev")
.set("Access-Control-Request-Method", "POST")
.set("Access-Control-Request-Headers", "Content-Type");
expect(res.headers["access-control-allow-origin"]).toBe("https://docfast.dev");
});
it(`${route} rejects unknown origin`, async () => {
const res = await supertest(app)
.options(route)
.set("Origin", "https://evil.com")
.set("Access-Control-Request-Method", "POST")
.set("Access-Control-Request-Headers", "Content-Type");
// Should NOT reflect the evil origin
expect(res.headers["access-control-allow-origin"]).not.toBe("https://evil.com");
});
}
it("non-auth routes still allow wildcard origin", async () => {
const res = await supertest(app)
.options("/v1/convert/html")
.set("Origin", "https://random-app.com")
.set("Access-Control-Request-Method", "POST")
.set("Access-Control-Request-Headers", "Content-Type");
expect(res.headers["access-control-allow-origin"]).toBe("*");
});
});