config/projects/business/memory/bugs.md

DocFast QA Test Results - February 14, 2026

CRITICAL ISSUE FOUND

🚨 Browser Signup Flow Hangs

Severity: HIGH
What I tested: Clicked "Get Free API Key" button → filled email → clicked submit button
Expected: API key displays on page
Actual: Form submission hangs indefinitely, never returns API key
Impact: Users cannot sign up through the website interface

Details:

  • Free signup button found and clickable
  • Email input field present and functional
  • Submit button found and clickable
  • Form submission HANGS - never completes
  • Test emails used: qa-test-1771089216449@example.com, qa-test-1771089267524@example.com
  • Browser: Playwright/Chromium
  • No console errors detected during page load

Workaround: Direct API call works fine: POST /v1/signup/free


ALL OTHER TESTS PASSED

Browser Tests

API Tests

  • Direct Signup: POST /v1/signup/free returns valid API key instantly
    • Test key: df_free_538b4086765c6fdc68e77071ade8c67641cdabebdb9a399f
  • HTML to PDF: Generated valid 7149-byte PDF from <h1>Test</h1>
  • Documentation: /docs endpoint returns comprehensive, real documentation with examples
  • Error Handling:
    • Bad API key: {"error":"Invalid API key"}
    • Missing html param: {"error":"Missing 'html' field"}
    • Wrong content-type: {"error":"Unsupported Content-Type. Use application/json."}

Security Verification (All Fixed Correctly)

  • CORS on Signup: Access-Control-Allow-Origin: https://docfast.dev (NOT "*") - SECURE
  • CORS on API: Access-Control-Allow-Origin: * (allows public API access) - CORRECT
  • SSRF Protection: {"error":"URL resolves to private/reserved IP"} when testing 169.254.169.254 - BLOCKED
  • Stripe Webhook Forgery: {"error":"Missing webhook secret or signature"} - PROTECTED
  • Security Headers: Comprehensive CSP, HSTS, X-Frame-Options, etc.

Response Headers Analysis

  • Content-Security-Policy: Properly restrictive
  • Strict-Transport-Security: 1 year max-age with subdomains
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: SAMEORIGIN
  • Rate limiting headers present
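
The header and CORS expectations listed above can be kept as a repeatable regression check. This is an added example, not DocFast's own test code; the function name, the "signup"/"api" labels and the sample responses are assumptions constructed for illustration.

```python
import re

SITE_ORIGIN = "https://docfast.dev"  # signup origin quoted in the report
ONE_YEAR = 31536000                  # seconds; the report states a 1 year max-age


def audit_headers(endpoint_kind, headers):
    """Return a list of findings for one response; an empty list means pass.

    endpoint_kind is "signup" or "api" (labels assumed for this example).
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    # Signup must pin the site origin; the public API is expected to use "*".
    acao = h.get("access-control-allow-origin")
    expected = SITE_ORIGIN if endpoint_kind == "signup" else "*"
    if acao != expected:
        findings.append(f"CORS origin {acao!r}, expected {expected!r}")
    # A wildcard origin must never be paired with credentialed requests.
    if acao == "*" and h.get("access-control-allow-credentials", "").lower() == "true":
        findings.append("wildcard CORS origin with credentials enabled")

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if not m or int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS max-age missing or below one year")
    if "includesubdomains" not in hsts.lower():
        findings.append("HSTS without includeSubDomains")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").upper() != "SAMEORIGIN":
        findings.append("X-Frame-Options is not SAMEORIGIN")
    if not h.get("content-security-policy"):
        findings.append("Content-Security-Policy missing")
    return findings


# Constructed sample responses (not captured from the live service).
GOOD_SIGNUP = {
    "Access-Control-Allow-Origin": "https://docfast.dev",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'",
}
GOOD_API = dict(GOOD_SIGNUP, **{"Access-Control-Allow-Origin": "*"})
REGRESSED_SIGNUP = dict(GOOD_SIGNUP, **{"Access-Control-Allow-Origin": "*",
                                        "Strict-Transport-Security": "max-age=86400"})
```

Feeding it the headers captured by the Playwright run turns the manual verification into a check that fails if the signup endpoint ever falls back to a wildcard origin.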

Summary

1 Critical Issue: Browser signup form hangs (while API signup works)
12 Security Tests: ALL PASSED
Core Functionality: API works perfectly
Documentation Quality: Excellent, comprehensive examples

Recommendation

URGENT: Fix the browser signup form JavaScript issue. The backend works fine, so this is likely a frontend form submission or error handling bug preventing the API key from displaying after successful creation.