103 lines
6.7 KiB
Markdown
103 lines
6.7 KiB
Markdown
# SnapAPI Bug Tracker
|
|
|
|
## Fixed
|
|
|
|
### BUG-001: Key cache not shared across pods (HIGH) — FIXED v0.1.1
|
|
- **Found:** Session 2
|
|
- **Impact:** ~50% of screenshot requests fail with 403 after signup when 2+ replicas
|
|
- **Fix:** Cache-aside pattern — check DB when key not in memory cache
|
|
- **Verified:** 6/6 requests succeed after signup on 2-replica prod deployment
|
|
|
|
### BUG-004: CSP blocks all inline event handlers (CRITICAL) — FIXED v0.2.3
|
|
- **Found:** Session 4 (investor-reported)
|
|
- **Impact:** ALL interactive functionality broken — signup modal, playground, mobile nav, FAQ toggles
|
|
- **Root cause:** Helmet's default CSP includes `script-src-attr 'none'` which blocks onclick/onsubmit handlers
|
|
- **Fix:** Added `scriptSrcAttr: ["'unsafe-inline'"]` to helmet CSP config
|
|
- **Verified:** Signup modal opens, API key generated, playground takes screenshots, mobile nav works
|
|
|
|
### BUG-005: Mobile nav has no CSS for .show class (HIGH) — FIXED v0.2.3
|
|
- **Found:** Session 4 (investor-reported)
|
|
- **Impact:** Hamburger menu toggle did nothing — nav links invisible on mobile
|
|
- **Root cause:** CSS had `display:none` for `.nav-links` on mobile but no rule for `.nav-links.show`
|
|
- **Fix:** Added `.nav-links.show{display:flex; flex-direction:column; ...}` with absolute positioning
|
|
- **Verified:** Hamburger opens/closes menu, links visible and clickable
|
|
|
|
### BUG-006: Signup buttons use href="#" causing scroll (MEDIUM) — FIXED v0.2.3
|
|
- **Found:** Session 4 (investor-reported)
|
|
- **Impact:** Clicking "Get Free API Key" scrolled to top instead of opening signup modal
|
|
- **Root cause:** `href="#"` navigated before onclick could fire (CSP was the bigger issue, but this was also broken)
|
|
- **Fix:** Changed all signup links to `href="javascript:void(0)"`
|
|
- **Verified:** All 4 signup CTAs correctly open the modal
|
|
|
|
### BUG-002: No email verification on signup (MEDIUM) — CLOSED v0.3.0
|
|
- **Impact:** Anyone can create unlimited keys with fake emails
|
|
- **Resolution:** Free signup removed entirely. Playground is the free demo (no keys needed). Paid signup will go through Stripe.
|
|
|
|
### BUG-003: No API key recovery (MEDIUM) — CLOSED v0.3.0
|
|
- **Impact:** Lost API key = create new account
|
|
- **Resolution:** Free tier removed. Paid tier key recovery will be handled via Stripe customer portal.
|
|
|
|
### BUG-008: FAQ accordion double-toggle (MEDIUM) — FIXED (staging)
|
|
- **Found:** Session 10 (investor-reported)
|
|
- **Impact:** FAQ items don't expand/collapse — clicking toggles class twice (once via inline onclick, once via JS addEventListener), netting zero change
|
|
- **Root cause:** Inline `onclick="this.parentElement.classList.toggle('open')"` on `.faq-q` AND a `querySelectorAll('.faq-q').forEach(addEventListener('click',...))` in the script block — both fire on click, double-toggling
|
|
- **Fix:** Removed the duplicate JS addEventListener block, keeping only inline onclick
|
|
- **Deployed to staging:** Yes (commit db0d4eee). Verified via kubectl exec + curl.
|
|
- **Production:** Awaiting investor approval for v* tag
|
|
|
|
### BUG-009: "Rate limiting" advertised as feature (LOW) — FIXED (staging)
|
|
- **Found:** Session 10 (investor-reported)
|
|
- **Impact:** "Secure by Default" feature card mentioned "Rate limiting" as a selling point — rate limits are constraints, not features
|
|
- **Fix:** Changed to "Strict input validation and secure defaults built in"
|
|
- **Deployed to staging:** Yes (commit db0d4eee)
|
|
- **Production:** Awaiting investor approval for v* tag
|
|
|
|
### BUG-010: Privacy Policy page returns 404 (CRITICAL) — FIXED (staging)
|
|
- **Found:** Session 12 (investor-reported)
|
|
- **Impact:** /privacy returns 404 — legal pages broken. Footer links on terms/impressum/privacy pages used `/privacy` without `.html` extension.
|
|
- **Root cause:** express.static only serves files by exact filename; no route handler for extensionless URLs
|
|
- **Fix:** Added 301 redirects for `/privacy`, `/terms`, `/impressum`, `/status` → `.html` variants. Also fixed all internal links to consistently use `.html` extension.
|
|
- **Deployed to staging:** Yes (commit db1fa8d). Full link crawl: zero 404s across all pages.
|
|
- **Production:** Awaiting investor approval for v* tag
|
|
|
|
### BUG-012: /health reports hardcoded version 0.1.0 (LOW) — FIXED (staging)
|
|
- **Found:** Session 27
|
|
- **Impact:** Health endpoint shows wrong version, makes monitoring/debugging harder
|
|
- **Fix:** Read version from package.json dynamically
|
|
- **Deployed to staging:** Yes (commit 2eca4e7, image imported to all nodes). Verified: /health returns version 0.6.0
|
|
|
|
### BUG-013: OpenAPI spec stale — missing GET /v1/screenshot, /v1/usage; has removed /v1/signup/free (MEDIUM) — FIXED (staging)
|
|
- **Found:** Session 27
|
|
- **Impact:** API docs misleading for developers
|
|
- **Fix:** Removed /v1/signup/free, added GET /v1/screenshot, added /v1/usage
|
|
- **Deployed to staging:** Yes (commit 2eca4e7). Verified: OpenAPI spec has correct paths
|
|
|
|
### BUG-014: /usage.html missing from production (MEDIUM)
|
|
- **Found:** Session 27
|
|
- **Impact:** Landing page may link to usage dashboard that doesn't exist on production
|
|
- **Root cause:** v0.5.2 image was built before usage dashboard commit (5b59a7a)
|
|
- **Fix:** Needs new production deploy after staging verified
|
|
|
|
## Open
|
|
|
|
### BUG-015: Python SDK missing URL validation for ScreenshotOptions object (LOW) — FIXED
|
|
- **Found:** Session 31
|
|
- **Impact:** When using `ScreenshotOptions` with empty URL, SDK makes HTTP request instead of raising ValueError immediately
|
|
- **Fix:** Added `if not body.get('url'): raise ValueError("url is required")` after options.to_dict()
|
|
- **TDD:** Failing test written first, then fix applied. 17/17 Python SDK tests pass.
|
|
- **Deployed:** Commit 195a656 pushed to main
|
|
|
|
### BUG-007: Simultaneous browser restart causes QUEUE_FULL (HIGH) — FIXED (staging)
|
|
- **Found:** Session 9
|
|
- **Impact:** When both browser instances hit RESTART_AFTER_MS simultaneously (every ~1h), all requests during the ~4s restart window queue for 30s then fail with 503 QUEUE_FULL
|
|
- **Root cause:** Both browsers initialized with same `lastRestartTime`, hit restart threshold together. `acquirePage()` triggers `scheduleRestart()` on both simultaneously.
|
|
- **Fix:** Staggered initial `lastRestartTime` per browser + one-at-a-time restart guard in `acquirePage()`
|
|
- **Deployed to staging:** Yes (commit e49c4073). Verified playground returns 200.
|
|
- **Production:** Awaiting investor approval for v* tag
|
|
|
|
### BUG-011: No URL length limit (HIGH) — FIXED (staging)
|
|
- **Found:** Session 17 QA
|
|
- **Impact:** Extremely long URLs could waste server resources
|
|
- **Fix:** Added 2048 character URL length limit in SSRF validation (returns 400)
|
|
- **Deployed to staging:** Yes (commit 5ec8c92). Verified: 2100-char URL returns 400, normal URL returns 200.
|
|
- **Production:** Awaiting investor approval for v* tag
|