openclawd/config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
config/projects/business/memory/bugs.md

5.6 KiB
Raw Blame History

DocFast QA — Final Verification Report

Date: 2026-02-14 15:42 UTC Tester: QA Subagent (harsh mode)

Summary: 10/11 PASS, 1 FAIL

Bug Fix Verification

TEST 1 — Homepage Load (BUG-009)

  • Status: PASS
  • Zero page errors, zero console errors
  • Title: "DocFast — HTML & Markdown to PDF API"

TEST 2 — Signup Flow (BUG-004/005)

  • Status: PASS
  • Clicked "Get Free API Key" → email input appeared
  • Entered test email, clicked "Get API Key" → received API key (56 chars, df_free_ prefix)
  • Key delivered in ~3 seconds

TEST 3 — Copy Button (BUG-006)

  • Status: FAIL — BUG NOT FIXED
  • .copy-hint text is "Click to copy" before click
  • After clicking .key-box: hint text remains "Click to copy" — does NOT change to "✓ Copied!"
  • API key text itself is preserved (good), but the copy feedback is broken
  • The click handler either isn't attached or the DOM update isn't working
  • Clipboard copy itself is untestable in headless but the visual feedback is definitely broken

TEST 4 — Pro Checkout (BUG-002)

  • Status: PASS
  • Clicked "Get Started" on Pro plan → redirected to checkout.stripe.com with live session
  • Full Stripe checkout URL confirmed

TEST 5 — Invoice Template (BUG-007)

  • Status: PASS
  • POST /v1/templates/invoice/render → HTTP 200, 42,847 bytes
  • Valid PDF document, version 1.4, 1 page

TEST 6 — HTML→PDF No Border (BUG-008)

  • Status: PASS
  • POST /v1/convert/html with full-viewport red div → HTTP 200, 6,608 bytes
  • Valid PDF document, version 1.4, 1 page

TEST 7 — CORS (BUG-010)

  • Status: PASS
  • OPTIONS request with Origin: https://random-site.com → HTTP 204
  • Access-Control-Allow-Origin: *
  • Access-Control-Allow-Methods: GET, POST, OPTIONS
  • Access-Control-Allow-Headers: Content-Type, Authorization, X-API-Key
  • Access-Control-Max-Age: 86400

TEST 8 — Content-Type Rejection (BUG-011)

  • Status: PASS
  • POST with Content-Type: text/plain → HTTP 415 (Unsupported Media Type)

Full Flow Tests

TEST 9 — Docs Page

  • Status: PASS
  • /docs loads with title "DocFast API Documentation"
  • Real documentation with headings: Authentication, Convert HTML to PDF, Convert Markdown to PDF, Convert URL to PDF
  • 8,601 chars of content

TEST 10 — Markdown→PDF

  • Status: PASS
  • POST /v1/convert/markdown with markdown content → HTTP 200, 17,077 bytes
  • Valid PDF document

TEST 11 — Error Handling

  • Status: PASS
  • No auth header → 401 ✓
  • Bad API key → 403 ✓
  • Missing params (empty body with valid key) → 400 ✓

Outstanding Issue

BUG-006 (Copy Button Feedback) — STILL BROKEN The .key-box click handler does not update .copy-hint text to "✓ Copied!". The JavaScript event listener is either not attached or failing silently. The actual clipboard copy may or may not work (can't verify in headless), but the visual feedback that was specified ("✓ Copied!" → revert) is not happening.

Recommendation: Check the click event listener on .key-box. Likely the navigator.clipboard.writeText() call is failing in the promise and the .then() that updates the hint text never fires. Consider adding a fallback or ensuring the text update happens regardless of clipboard API success.

DocFast QA — Security & Full Regression Run

Date: 2026-02-14 16:24 UTC Tester: QA Subagent (harsh mode)

Summary: ALL 12 TESTS PASS

TEST 1 — Page Load (Playwright)

  • Zero pageerror events, zero console.error events
  • Title: "DocFast — HTML & Markdown to PDF API"

TEST 2 — Signup Flow (Playwright)

  • Modal opens, email fills, submits to /v1/signup/free → 200
  • API key returned with df_free_ prefix

TEST 3 — Copy Button (Playwright) — BUG-006 NOW FIXED

  • Clicked #apiKeyDisplay.copy-hint text changed to "✓ Copied!"
  • Previous run reported this broken; the fix (attaching handler to #apiKeyDisplay instead of .key-box) works.

TEST 4 — Pro Checkout (Playwright + curl)

  • /v1/billing/checkout returns 200 with checkout.stripe.com URL

TEST 5 — HTML→PDF API

  • POST /v1/convert/html with valid key → 200, valid PDF (version 1.4, 1 page)

TEST 6 — PDF Validity

  • file /tmp/test.pdf confirms PDF document

TEST 7 — Docs Page

  • GET /docs → 200

TEST 8 — Error Handling

  • Bad API key → 403
  • Missing html field → 400 {"error":"Missing 'html' field"}
  • Wrong Content-Type (text/plain) → 415

TEST 9 — Stripe Webhook Forgery (SECURITY)

  • Forged webhook without signature → 400 {"error":"Missing webhook secret or signature"}
  • NOT exploitable.

TEST 10 — SSRF Protection (SECURITY)

  • http://169.254.169.254/latest/meta-data/400 {"error":"URL resolves to private/reserved IP"}
  • http://127.0.0.1/400
  • http://10.0.0.1/400
  • All private IPs blocked.

TEST 11 — Firewall (SSH to server)

  • UFW active, rules: 22, 80, 443 only (IPv4 + IPv6)
  • No extra ports exposed. ✓

TEST 12 — Content-Type Rejection

  • text/plain415 {"error":"Unsupported Content-Type. Use application/json."}

Previously Reported Issues — Status Update

Bug Status Notes
BUG-006 (Copy feedback) FIXED Handler now on #apiKeyDisplay, feedback works

No New Bugs Found

All security hardening is solid. Webhook forgery blocked, SSRF blocked on all private ranges, firewall locked down, content-type validated. Ship it.