DocFast QA Test Results - February 14, 2026

CRITICAL ISSUE FOUND

Severity: HIGH
What I tested: Clicked "Get Free API Key" button → filled email → clicked submit button
Expected: API key displays on page
Actual: Form submission hangs indefinitely, never returns API key
Impact: Users cannot sign up through the website interface

Details:

Free signup button found and clickable ✅
Email input field present and functional ✅
Submit button found and clickable ✅
Form submission HANGS - never completes ❌
Test emails used: qa-test-1771089216449@example.com, qa-test-1771089267524@example.com
Browser: Playwright/Chromium
No console errors detected during page load

Workaround: Direct API call works fine: POST /v1/signup/free

ALL OTHER TESTS PASSED ✅

Browser Tests

✅ Page Load: https://docfast.dev loads with zero console errors
✅ Pro Checkout: "Get Started" button redirects to Stripe checkout successfully
- URL: https://checkout.stripe.com/c/pay/cs_live_a1k5WSEbRffDzpO7CjRSZqhAwl8uJUSAHtnuvIGH33LIC5lrOEr19gJpmX

API Tests

✅ Direct Signup: POST /v1/signup/free returns valid API key instantly
- Test key: df_free_538b4086765c6fdc68e77071ade8c67641cdabebdb9a399f
✅ HTML to PDF: Generated valid 7149-byte PDF from <h1>Test</h1>
✅ Documentation: /docs endpoint returns comprehensive, real documentation with examples
✅ Error Handling:
- Bad API key: {"error":"Invalid API key"} ✅
- Missing html param: {"error":"Missing 'html' field"} ✅
- Wrong content-type: {"error":"Unsupported Content-Type. Use application/json."} ✅

Security Verification (All Fixed Correctly)

✅ CORS on Signup: Access-Control-Allow-Origin: https://docfast.dev (NOT "*") - SECURE
✅ CORS on API: Access-Control-Allow-Origin: * (allows public API access) - CORRECT
✅ SSRF Protection: {"error":"URL resolves to private/reserved IP"} when testing 169.254.169.254 - BLOCKED
✅ Stripe Webhook Forgery: {"error":"Missing webhook secret or signature"} - PROTECTED
✅ Security Headers: Comprehensive CSP, HSTS, X-Frame-Options, etc.

Response Headers Analysis

Content-Security-Policy: Properly restrictive ✅
Strict-Transport-Security: 1 year max-age with subdomains ✅
X-Content-Type-Options: nosniff ✅
X-Frame-Options: SAMEORIGIN ✅
Rate limiting headers present ✅

Summary

1 Critical Issue: Browser signup form hangs (while API signup works)
12 Security Tests: ALL PASSED
Core Functionality: API works perfectly
Documentation Quality: Excellent, comprehensive examples

Recommendation

URGENT: Fix the browser signup form JavaScript issue. The backend works fine, so this is likely a frontend form submission or error handling bug preventing the API key from displaying after successful creation.

Found by: Human (investor)
Date: 2026-02-14
Severity: MEDIUM (product design)
Description: Free tier requires email but it's never verified. Either verify it (send confirmation email with the key) or remove the requirement. Collecting unverified emails is pointless and adds friction. Consider: if we verify, we have a real contact list for marketing. If we don't need email, just give the key instantly without asking.
Status: Open — needs product decision from CEO

BUG-013: Pro users — how do they get their API key?

Found by: Human (investor)
Date: 2026-02-14
Severity: HIGH (broken flow)
Description: After a Pro user pays via Stripe checkout, how do they receive their API key? Is it shown on the success page? Emailed? This flow needs to be clear and tested end-to-end: pay → get key → use key.
Status: Open

BUG-014: No way to recover or reset API key

Found by: Human (investor)
Date: 2026-02-14
Severity: HIGH (missing feature)
Description: If a user loses their API key, there's no way to get it again or reset it. Need a key recovery/reset mechanism — e.g. enter your email → get a new key (if email is verified), or a dashboard where users can see/rotate their key.
Status: Open

4.2 KiB Raw Blame History