feat: add productSlug API param and scope CORS for widget consumers (#91)

asithade · web-flow · commit 8d4f757b22d9 · 2026-03-25T21:47:59.000-04:00
* feat: add productSlug API param and scope CORS for widget consumers

Add productSlug query parameter to the public changelogs API, enabling
filtering by product slug for embeddable widget consumers. Scope
wildcard CORS to only widget-consumed routes while restricting
remaining public API routes to the app origin.

- Add productSlug to ChangelogQueryParamsSchema and controller
- Add Prisma nested relation filter for productSlug in findPublished
- Scope origin:'*' CORS to /public/api/changelogs and /products only
- Restrict remaining public API routes to getCorsOrigins()
- Fix Swagger docs: rename pageSize to limit, add productSlug param
- Add e2e tests for productSlug filtering

Signed-off-by: Asitha de Silva &lt;asithade@gmail.com&gt;

* fix: correct limit default in Swagger docs from 10 to 20

Signed-off-by: Asitha de Silva &lt;asithade@gmail.com&gt;

* fix: forward productSlug in Angular changelog service buildParams

Signed-off-by: Asitha de Silva &lt;asithade@gmail.com&gt;

---------

Signed-off-by: Asitha de Silva &lt;asithade@gmail.com&gt;
diff --git a/apps/lfx-changelog/e2e/specs/api/public-changelogs.api.spec.ts b/apps/lfx-changelog/e2e/specs/api/public-changelogs.api.spec.ts
@@ -92,6 +92,26 @@ test.describe('Public Changelogs API', () => {
       expect(page2Body.totalPages).toBe(Math.ceil(PUBLISHED_COUNT / 2));
     });
 
+    test('should support productSlug filtering', async () => {
+      const res = await api.get('/public/api/changelogs?productSlug=e2e-easycla');
+      const body = await res.json();
+
+      expect(body.success).toBe(true);
+      expect(body.data.length).toBeGreaterThan(0);
+      for (const entry of body.data) {
+        expect(entry.product.slug).toBe('e2e-easycla');
+      }
+    });
+
+    test('should return empty data for non-existent productSlug', async () => {
+      const res = await api.get('/public/api/changelogs?productSlug=does-not-exist');
+      const body = await res.json();
+
+      expect(body.success).toBe(true);
+      expect(body.data).toHaveLength(0);
+      expect(body.total).toBe(0);
+    });
+
     test('should support productId filtering', async () => {
       // First, get products to find a valid ID
       const productsRes = await api.get('/public/api/products');
diff --git a/apps/lfx-changelog/src/app/shared/services/changelog.service.ts b/apps/lfx-changelog/src/app/shared/services/changelog.service.ts
@@ -77,6 +77,7 @@ export class ChangelogService {
   private buildParams(params?: ChangelogQueryParams): HttpParams {
     let httpParams = new HttpParams();
     if (params?.productId) httpParams = httpParams.set('productId', params.productId);
+    if (params?.productSlug) httpParams = httpParams.set('productSlug', params.productSlug);
     if (params?.status) httpParams = httpParams.set('status', params.status);
     if (params?.page) httpParams = httpParams.set('page', params.page.toString());
     if (params?.limit) httpParams = httpParams.set('limit', params.limit.toString());
diff --git a/apps/lfx-changelog/src/server/controllers/changelog.controller.ts b/apps/lfx-changelog/src/server/controllers/changelog.controller.ts
@@ -20,6 +20,7 @@ export class ChangelogController {
     try {
       const result = await this.changelogService.findPublished({
         productId: req.query['productId'] as string | undefined,
+        productSlug: req.query['productSlug'] as string | undefined,
         page: req.query['page'] ? parseInt(req.query['page'] as string, 10) : undefined,
         limit: req.query['limit'] ? parseInt(req.query['limit'] as string, 10) : undefined,
       });
diff --git a/apps/lfx-changelog/src/server/services/changelog.service.ts b/apps/lfx-changelog/src/server/services/changelog.service.ts
@@ -24,6 +24,7 @@ export class ChangelogService {
 
     const where: Prisma.ChangelogEntryWhereInput = { status: 'published', product: { isActive: true } };
     if (params.productId) where.productId = params.productId;
+    if (params.productSlug) where.product = { isActive: true, slug: params.productSlug };
     if (params.query) {
       where.OR = [{ title: { contains: params.query, mode: 'insensitive' } }, { description: { contains: params.query, mode: 'insensitive' } }];
     }
diff --git a/apps/lfx-changelog/src/server/setup/cors.ts b/apps/lfx-changelog/src/server/setup/cors.ts
@@ -9,14 +9,21 @@ import type { Express, NextFunction, Request, Response } from 'express';
 
 /**
  * Registers all CORS strategies:
- * - `/public/api` — allowed origins for external consumers (excluding chat)
+ * - `/public/api/changelogs`, `/public/api/products` — open to all origins (widget consumers)
+ * - `/public/api/*` (remaining) — restricted to app origin
  * - `/mcp` — open to all origins (AI clients)
  * - `/api` — conditional CORS for API-key requests (excluding chat)
  */
 export function setupCors(app: Express): void {
-  // Public API — external consumers; chat routes are same-origin only
+  // Widget-consumed routes — open CORS for embeddable widget on any origin
+  const widgetCors = cors({ origin: '*', methods: ['GET', 'HEAD', 'OPTIONS'], maxAge: 86400 });
+  app.use('/public/api/changelogs', widgetCors);
+  app.use('/public/api/products', widgetCors);
+
+  // Remaining public API routes (search, blogs, chat, etc.) — restricted to app origin
   app.use('/public/api', (req: Request, res: Response, next: NextFunction) => {
-    if (req.path.startsWith('/chat')) {
+    // Skip paths already handled by widgetCors above to avoid double-applying
+    if (req.path.startsWith('/changelogs') || req.path.startsWith('/products')) {
       next();
       return;
     }
diff --git a/apps/lfx-changelog/src/server/swagger/paths/public-changelogs.path.ts b/apps/lfx-changelog/src/server/swagger/paths/public-changelogs.path.ts
@@ -17,8 +17,9 @@ publicChangelogRegistry.registerPath({
   request: {
     query: z.object({
       page: z.coerce.number().optional().openapi({ description: 'Page number (default: 1)' }),
-      pageSize: z.coerce.number().optional().openapi({ description: 'Items per page (default: 10)' }),
+      limit: z.coerce.number().optional().openapi({ description: 'Items per page (default: 20)' }),
       productId: z.string().optional().openapi({ description: 'Filter by product ID' }),
+      productSlug: z.string().optional().openapi({ description: 'Filter by product slug (e.g., "insights", "easycla")' }),
     }),
   },
   responses: {
diff --git a/packages/shared/src/schemas/search.schema.ts b/packages/shared/src/schemas/search.schema.ts
@@ -7,6 +7,7 @@ import { z } from 'zod';
 export const ChangelogQueryParamsSchema = z
   .object({
     productId: z.string().uuid().optional().openapi({ description: 'Filter by product ID' }),
+    productSlug: z.string().optional().openapi({ description: 'Filter by product slug (e.g., "insights", "easycla")' }),
     status: z.string().optional().openapi({ description: 'Filter by status (draft, published)' }),
     query: z.string().optional().openapi({ description: 'Text search keywords to filter by title or description' }),
     page: z.coerce.number().int().min(1).optional().openapi({ description: 'Page number' }),

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@ export class ChangelogService {`
`24`	`24`
`25`	`25`	`const where: Prisma.ChangelogEntryWhereInput = { status: 'published', product: { isActive: true } };`
`26`	`26`	`if (params.productId) where.productId = params.productId;`
	`27`	`+ if (params.productSlug) where.product = { isActive: true, slug: params.productSlug };`
`27`	`28`	`if (params.query) {`
`28`	`29`	`where.OR = [{ title: { contains: params.query, mode: 'insensitive' } }, { description: { contains: params.query, mode: 'insensitive' } }];`
`29`	`30`	`}`