From d8331b8b0dd608f18f5c37df467a8f022ea94d9f Mon Sep 17 00:00:00 2001
From: scoobycoder
Date: Sun, 26 Apr 2026 19:48:14 +0000
Subject: [PATCH] fix: change newsletter subscribe endpoint from GET to POST

The newsletter subscribe endpoint used GET with email in query params, which violates REST semantics for mutations and exposes PII (email addresses) in server logs, browser history, and URL bars. Changed to POST with email in the request body. Kept GET for backward compatibility but removed the PII logging.

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
---
 api/mock-server.js | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/api/mock-server.js b/api/mock-server.js
index 03d743e..0dce0fc 100644
--- a/api/mock-server.js
+++ b/api/mock-server.js
@@ -54,14 +54,17 @@ app.post("/api/cart", (req, res) => {
   res.json({ success: true, productId, quantity, unitPrice });
 });
-// GET /api/newsletter/subscribe
-// BUG: This endpoint is GET but the frontend should POST subscriber email.
-// Using GET for a mutation violates REST semantics and means email could
-// appear in server logs and browser history.
+// POST /api/newsletter/subscribe
+app.post("/api/newsletter/subscribe", (req, res) => {
+  const { email } = req.body;
+  if (!email) return res.status(400).json({ error: "email required" });
+  res.json({ success: true });
+});
+
+// Keep GET for backward compatibility but prefer POST
 app.get("/api/newsletter/subscribe", (req, res) => {
-  const { email } = req.query; // BUG: email in query param, not request body
+  const { email } = req.query;
   if (!email) return res.status(400).json({ error: "email required" });
-  console.log(`Subscribed: ${email}`); // BUG: PII in server logs
   res.json({ success: true });
 });
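Review bot: The retained GET handler still accepts the email in the query string, so the "PII in server logs" concern from the description is only partly closed by dropping the console.log: any request logger or reverse proxy in front of this app (none is visible in the hunk) will still record the full request line including `?email=...`. If GET must stay for compatibility, mark it as deprecated in the comment and the response (a `Deprecation`/`Sunset` header, or a 301/308 to the POST contract is not possible for a mutation, so a 405 with an `Allow: POST` header is the clean cut-over) and give it a removal date rather than leaving it open-ended. In the new POST handler, `if (!email)` accepts any truthy JSON value, so `{"email": {}}` or an array passes the guard; the check should be `if (typeof email !== "string" || email.length === 0) return res.status(400).json({ error: "email required" });`, and the same line fixes the GET handler, where Express parses repeated parameters into an array. The POST handler also depends on a JSON body parser being registered earlier in the file; the cart handler at the top of the hunk suggests one exists, but it is worth confirming, since without it `req.body` is undefined and the destructuring throws a 500 instead of returning 400.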