83 lines
4.2 KiB
Markdown
83 lines
4.2 KiB
Markdown
# DocFast QA Test Results - February 14, 2026
|
|
|
|
## CRITICAL ISSUE FOUND
|
|
|
|
### 🚨 Browser Signup Flow Hangs
|
|
**Severity:** HIGH
|
|
**What I tested:** Clicked "Get Free API Key" button → filled email → clicked submit button
|
|
**Expected:** API key displays on page
|
|
**Actual:** Form submission hangs indefinitely, never returns API key
|
|
**Impact:** Users cannot sign up through the website interface
|
|
|
|
**Details:**
|
|
- Free signup button found and clickable ✅
|
|
- Email input field present and functional ✅
|
|
- Submit button found and clickable ✅
|
|
- Form submission **HANGS** - never completes ❌
|
|
- Test emails used: qa-test-1771089216449@example.com, qa-test-1771089267524@example.com
|
|
- Browser: Playwright/Chromium
|
|
- No console errors detected during page load
|
|
|
|
**Workaround:** Direct API call works fine: `POST /v1/signup/free`
|
|
|
|
---
|
|
|
|
## ALL OTHER TESTS PASSED ✅
|
|
|
|
### Browser Tests
|
|
- ✅ **Page Load:** https://docfast.dev loads with zero console errors
|
|
- ✅ **Pro Checkout:** "Get Started" button redirects to Stripe checkout successfully
|
|
- URL: https://checkout.stripe.com/c/pay/cs_live_a1k5WSEbRffDzpO7CjRSZqhAwl8uJUSAHtnuvIGH33LIC5lrOEr19gJpmX
|
|
|
|
### API Tests
|
|
- ✅ **Direct Signup:** `POST /v1/signup/free` returns valid API key instantly
|
|
- Test key: `df_free_538b4086765c6fdc68e77071ade8c67641cdabebdb9a399f`
|
|
- ✅ **HTML to PDF:** Generated valid 7149-byte PDF from `<h1>Test</h1>`
|
|
- ✅ **Documentation:** `/docs` endpoint returns comprehensive, real documentation with examples
|
|
- ✅ **Error Handling:**
|
|
- Bad API key: `{"error":"Invalid API key"}` ✅
|
|
- Missing html param: `{"error":"Missing 'html' field"}` ✅
|
|
- Wrong content-type: `{"error":"Unsupported Content-Type. Use application/json."}` ✅
|
|
|
|
### Security Verification (All Fixed Correctly)
|
|
- ✅ **CORS on Signup:** `Access-Control-Allow-Origin: https://docfast.dev` (NOT "*") - SECURE
|
|
- ✅ **CORS on API:** `Access-Control-Allow-Origin: *` (allows public API access) - CORRECT
|
|
- ✅ **SSRF Protection:** `{"error":"URL resolves to private/reserved IP"}` when testing 169.254.169.254 - BLOCKED
|
|
- ✅ **Stripe Webhook Forgery:** `{"error":"Missing webhook secret or signature"}` - PROTECTED
|
|
- ✅ **Security Headers:** Comprehensive CSP, HSTS, X-Frame-Options, etc.
|
|
|
|
### Response Headers Analysis
|
|
- Content-Security-Policy: Properly restrictive ✅
|
|
- Strict-Transport-Security: 1 year max-age with subdomains ✅
|
|
- X-Content-Type-Options: nosniff ✅
|
|
- X-Frame-Options: SAMEORIGIN ✅
|
|
- Rate limiting headers present ✅
|
|
|
|
## Summary
|
|
**1 Critical Issue:** Browser signup form hangs (while API signup works)
|
|
**12 Security Tests:** ALL PASSED
|
|
**Core Functionality:** API works perfectly
|
|
**Documentation Quality:** Excellent, comprehensive examples
|
|
|
|
## Recommendation
|
|
**URGENT:** Fix the browser signup form JavaScript issue. The backend works fine, so this is likely a frontend form submission or error handling bug preventing the API key from displaying after successful creation.
|
|
### BUG-012: Email signup for free tier serves no purpose
|
|
- **Found by:** Human (investor)
|
|
- **Date:** 2026-02-14
|
|
- **Severity:** MEDIUM (product design)
|
|
- **Description:** Free tier requires email but it's never verified. Either verify it (send confirmation email with the key) or remove the requirement. Collecting unverified emails is pointless and adds friction. Consider: if we verify, we have a real contact list for marketing. If we don't need email, just give the key instantly without asking.
|
|
- **Status:** Open — needs product decision from CEO
|
|
|
|
### BUG-013: Pro users — how do they get their API key?
|
|
- **Found by:** Human (investor)
|
|
- **Date:** 2026-02-14
|
|
- **Severity:** HIGH (broken flow)
|
|
- **Description:** After a Pro user pays via Stripe checkout, how do they receive their API key? Is it shown on the success page? Emailed? This flow needs to be clear and tested end-to-end: pay → get key → use key.
|
|
- **Status:** Open
|
|
|
|
### BUG-014: No way to recover or reset API key
|
|
- **Found by:** Human (investor)
|
|
- **Date:** 2026-02-14
|
|
- **Severity:** HIGH (missing feature)
|
|
- **Description:** If a user loses their API key, there's no way to get it again or reset it. Need a key recovery/reset mechanism — e.g. enter your email → get a new key (if email is verified), or a dashboard where users can see/rotate their key.
|
|
- **Status:** Open
|