
feat(testkit): add API-token login flow #46

Merged
jmgilman merged 1 commit into master from session-026/testkit-open-pastebin on May 14, 2026

Conversation

@jmgilman
Contributor

Summary

  • add the testkit pastebin app with server-rendered HTML and memory/Postgres paste storage
  • wire authkit API-token exchange into testkit create flows with a temporary access-JWT cookie
  • run authkit Postgres migrations alongside testkit migrations when TESTKIT_DATABASE_URL is set

Validation

  • go test ./...
  • go test -count=1 -tags=integration ./store/postgres ./testkit/internal/store/postgres ./testkit/internal/authflow
  • moon run root:check --summary minimal
  • runtime smoke on http://localhost:18080 for login, token exchange, authenticated new-paste page, and paste creation


kusari-inspector Bot commented May 14, 2026

Kusari Inspector

Kusari Analysis Results:

Proceed with these changes

✅ No Flagged Issues Detected
All values appear to be within acceptable risk parameters.

Both dependency and code analyses returned clean results. (1) Dependency Analysis: No pinned version dependency changes were detected, presenting no dependency-related security concerns. (2) Code Analysis: All medium-severity scanner findings were confirmed as false positives upon manual review. CSRF protection is properly implemented in Go templates via csrf.go and hidden token inputs in both login.html and new.html. The flagged open redirect at handlers.go:147 uses a database-generated ID rather than user-supplied input and is not exploitable. Both XSS findings are non-issues: one write uses plainContentType preventing browser HTML interpretation, and the other uses Go's html/template package with automatic escaping via a buffered rendering pattern. Low-severity cookie Secure flag findings are excluded per policy. No secrets or workflow issues were detected. The combined risk profile presents no actionable security concerns blocking this PR.



Commit: 7405c8f, performed at: 2026-05-14T21:16:24Z


<p class="error" role="alert">{{.Error}}</p>
{{end}}

<form class="paste-form auth-form" method="post" action="/auth/token">

Issue: The login form is missing a CSRF token. Implement a CSRF token mechanism in your Go HTTP handlers (e.g., using the gorilla/csrf middleware or a custom implementation) and embed the token in the form.

Recommended Code Changes:

<form class="paste-form auth-form" method="post" action="/auth/token">
  <input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
  <label>
    API token
    <input name="api_token" type="password" required autofocus autocomplete="off">
  </label>
  <button type="submit">Continue</button>
</form>

<p class="error" role="alert">{{.Error}}</p>
{{end}}

<form class="paste-form" method="post" action="/pastes">

Issue: The paste creation form is missing a CSRF token. Add a hidden CSRF token field and validate it server-side on POST requests.

Recommended Code Changes:

<form class="paste-form" method="post" action="/pastes">
  <input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
  <label>
    Title
    <input name="title" value="{{.Form.Title}}" maxlength="120" autocomplete="off">
  </label>

@jmgilman force-pushed the session-026/testkit-open-pastebin branch from ef85330 to 7405c8f on May 14, 2026 21:15
@kusari-inspector commented: Kusari PR Analysis rerun based on 7405c8f, performed at: 2026-05-14T21:16:53Z

@jmgilman marked this pull request as ready for review on May 14, 2026 21:20
@jmgilman merged commit 940506c into master on May 14, 2026
2 checks passed
@jmgilman deleted the session-026/testkit-open-pastebin branch on May 14, 2026 21:21