[Devin] fix: change newsletter subscribe endpoint from GET to POST#10

Open
devin-ai-integration[bot] wants to merge 1 commit into devin/bug-scan from devin/fix-newsletter-endpoint-method

Conversation

@devin-ai-integration

What

The newsletter subscribe endpoint uses GET with the email address in a query parameter (/api/newsletter/subscribe?email=...). This violates REST semantics (mutations should use POST), exposes PII (email addresses) in server logs, browser history, and URL bars, and the original code also logged the email to console (console.log(`Subscribed: ${email}`)).

Where

File: api/mock-server.js
Lines: 57–66 (newsletter subscribe endpoint)

How I found it

  • Static analysis: The code had multiple comments documenting the issues: // BUG: This endpoint is GET but the frontend should POST, // BUG: email in query param, not request body, // BUG: PII in server logs.
  • HTTP scan: Confirmed the endpoint accepted GET with email as a query parameter.

Evidence

Original code:

app.get("/api/newsletter/subscribe", (req, res) => {
  const { email } = req.query;       // email in URL, visible in logs
  console.log(`Subscribed: ${email}`); // PII logged to stdout
  res.json({ success: true });
});

Fix

  • Added a POST endpoint that reads email from req.body instead of query params
  • Removed the console.log that was leaking PII to server logs
  • Kept the GET endpoint for backward compatibility but removed the PII logging

Confidence

High — Using GET for mutations with PII in query params is a well-known anti-pattern with clear security implications.

Summary

Changes newsletter subscribe from GET (email in URL) to POST (email in body) to follow REST semantics and prevent PII exposure.

Review & Testing Checklist for Human

  • POST /api/newsletter/subscribe with {"email": "test@example.com"} in body — should return 200
  • Verify no email addresses appear in server stdout logs
  • GET /api/newsletter/subscribe?email=test@example.com still works for backward compat

Notes

Found via static analysis — multiple code comments documented this as an intentional bug. The fix addresses REST semantics, PII exposure, and server logging concerns.

Link to Devin session: https://app.devin.ai/sessions/3b3d59c7eee04cea9069529fd6fff39d
Requested by: @scoobycoder

The newsletter subscribe endpoint used GET with email in query params, which
violates REST semantics for mutations and exposes PII (email addresses) in
server logs, browser history, and URL bars. Changed to POST with email in the
request body. Kept GET for backward compatibility but removed the PII logging.

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
@devin-ai-integration (Author)

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@vercel

vercel Bot commented Apr 26, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: devin-ai-kata | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Apr 26, 2026 7:49pm

@devin-ai-integration devin-ai-integration Bot mentioned this pull request Apr 26, 2026
10 tasks