SnapAPI session 59: element screenshots + JS injection features
This commit is contained in:
Hoid
parent
8b7452cc81
commit
15942026cd
2 changed files with 61 additions and 3 deletions
|
|
@ -1,5 +1,58 @@
|
|||
# SnapAPI Session Log
|
||||
|
||||
## Session 59 — 2026-03-05 12:00 CET (Element Screenshots + JS Injection)
|
||||
|
||||
**Goal:** Add two high-value competitive features: element screenshots and JavaScript injection.
|
||||
|
||||
**Health Check:**
|
||||
- Production: ✅ healthy, 2 replicas (still v0.5.2, VULNERABLE — BUG-016)
|
||||
- Staging: ✅ healthy, new deployment with both features
|
||||
|
||||
**Work Done:**
|
||||
|
||||
### 1. Feature: `selector` parameter (element screenshots) — sub-agent: snapapi-dev-selector
|
||||
- New `selector` string parameter captures specific DOM element via `element.screenshot()`
|
||||
- Validates: max 200 chars, blocks `javascript:` / `<script`
|
||||
- Mutual exclusivity with `fullPage` (returns 400 if both)
|
||||
- `SELECTOR_NOT_FOUND` → 400 with clear error message
|
||||
- Works on both GET and POST endpoints
|
||||
- OpenAPI spec updated for both endpoints
|
||||
- **TDD**: 27 new tests written RED first, then GREEN
|
||||
- **Test suite: 414 tests passing** (was 387)
|
||||
- **Git commits**: f1d63cd, c38f702, a17f492
|
||||
|
||||
### 2. Feature: `js` parameter (JavaScript injection) — sub-agent: snapapi-dev-js
|
||||
- New `js` string parameter executes custom JS via `page.evaluate()` before capture
|
||||
- Executes after delay but before CSS/hideSelectors injection
|
||||
- Max 5000 chars, 5-second execution timeout
|
||||
- `JS_TIMEOUT` and `JS_EXECUTION_ERROR` → 400 responses
|
||||
- Works on both GET and POST endpoints
|
||||
- OpenAPI spec updated, SDK READMEs (Node.js + Python) updated with examples
|
||||
- **TDD**: Tests written RED first, then GREEN
|
||||
- **Git commit**: 91a08ba (merged cleanly with selector work)
|
||||
|
||||
### 3. Verification
|
||||
- Both features in codebase, no merge conflicts
|
||||
- 414 tests all passing locally
|
||||
- Staging deployed and healthy
|
||||
- Production unchanged (v0.5.2)
|
||||
|
||||
**Investor Test:**
|
||||
1. Stranger trust with money? **Yes on staging**
|
||||
2. Data loss on crash? **No** (CNPG PostgreSQL)
|
||||
3. Free tier abuse? **⚠️ YES on production** — /v1/signup/free CONFIRMED still active
|
||||
4. Key recovery? **Yes on staging**
|
||||
5. All website features work? **Yes on staging**
|
||||
|
||||
**Blockers (unchanged):**
|
||||
- **⚠️ CRITICAL: Production deploy needed** — BUG-016 (free signup) is a live security issue
|
||||
- Stripe production webhook: needs investor to register URL
|
||||
- CI/CD: No Forgejo runner (workaround: manual build on k3s-mgr)
|
||||
|
||||
**Note for investor:** Production is now 25+ commits behind staging. Staging has 414 tests, element screenshots, JS injection, security hardening, usage dashboard, customer portal, key recovery, blog, pricing page, changelog, comparison page, guides, billing rate limiting, cancelled tier. Strongly recommend approving production deploy.
|
||||
|
||||
---
|
||||
|
||||
## Session 58 — 2026-03-05 09:00 CET (SSRF Security Hardening)
|
||||
|
||||
**Goal:** Harden SSRF protection and input validation security.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue