Skip to content

feat(testkit): add API-token login flow#46

Merged
jmgilman merged 1 commit into
masterfrom
session-026/testkit-open-pastebin
May 14, 2026
Merged

feat(testkit): add API-token login flow#46
jmgilman merged 1 commit into
masterfrom
session-026/testkit-open-pastebin

Conversation

@jmgilman
Copy link
Copy Markdown
Contributor

@jmgilman jmgilman commented May 14, 2026

Summary

  • add the testkit pastebin app with server-rendered HTML and memory/Postgres paste storage
  • wire authkit API-token exchange into testkit create flows with a temporary access-JWT cookie
  • run authkit Postgres migrations alongside testkit migrations when TESTKIT_DATABASE_URL is set

Validation

  • go test ./...
  • go test -count=1 -tags=integration ./store/postgres ./testkit/internal/store/postgres ./testkit/internal/authflow
  • moon run root:check --summary minimal
  • runtime smoke on http://localhost:18080 for login, token exchange, authenticated new-paste page, and paste creation

@kusari-inspector
Copy link
Copy Markdown

kusari-inspector Bot commented May 14, 2026
edited
Loading

Kusari Inspector

Kusari Analysis Results:

Proceed with these changes

✅ No Flagged Issues Detected
All values appear to be within acceptable risk parameters.

Both dependency and code analyses returned clean results. (1) Dependency Analysis: No pinned version dependency changes were detected, presenting no dependency-related security concerns. (2) Code Analysis: All medium-severity scanner findings were confirmed as false positives upon manual review. CSRF protection is properly implemented in Go templates via csrf.go and hidden token inputs in both login.html and new.html. The flagged open redirect at handlers.go:147 uses a database-generated ID rather than user-supplied input and is not exploitable. Both XSS findings are non-issues: one write uses plainContentType preventing browser HTML interpretation, and the other uses Go's html/template package with automatic escaping via a buffered rendering pattern. Low-severity cookie Secure flag findings are excluded per policy. No secrets or workflow issues were detected. The combined risk profile presents no actionable security concerns blocking this PR.

Note

View full detailed analysis result for more information on the output and the checks that were run.

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: 7405c8f, performed at: 2026-05-14T21:16:24Z

Found this helpful? Give it a 👍 or 👎 reaction!

kusari-inspector[bot]
kusari-inspector Bot reviewed May 14, 2026
View reviewed changes
Comment thread testkit/internal/httpui/templates/login.html
<p class="error" role="alert">{{.Error}}</p>
{{end}}

<form class="paste-form auth-form" method="post" action="/auth/token">
Copy link
Copy Markdown

@kusari-inspector kusari-inspector Bot May 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Issue: The login form is missing a CSRF token. Implement a CSRF token mechanism in your Go HTTP handlers (e.g., using the gorilla/csrf middleware or a custom implementation) and embed the token in the form.

Recommended Code Changes:

<form class="paste-form auth-form" method="post" action="/auth/token">
  <input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
  <label>
    API token
    <input name="api_token" type="password" required autofocus autocomplete="off">
  </label>
  <button type="submit">Continue</button>
</form>

kusari-inspector[bot]
kusari-inspector Bot reviewed May 14, 2026
View reviewed changes
Comment thread testkit/internal/httpui/templates/new.html
<p class="error" role="alert">{{.Error}}</p>
{{end}}

<form class="paste-form" method="post" action="/pastes">
Copy link
Copy Markdown

@kusari-inspector kusari-inspector Bot May 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Issue: The paste creation form is missing a CSRF token. Add a hidden CSRF token field and validate it server-side on POST requests.

Recommended Code Changes:

<form class="paste-form" method="post" action="/pastes">
  <input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
  <label>
    Title
    <input name="title" value="{{.Form.Title}}" maxlength="120" autocomplete="off">
  </label>

@jmgilman jmgilman force-pushed the session-026/testkit-open-pastebin branch from ef85330 to 7405c8f Compare May 14, 2026 21:15
@kusari-inspector
Copy link
Copy Markdown

kusari-inspector Bot commented May 14, 2026

Kusari PR Analysis rerun based on - 7405c8f performed at: 2026-05-14T21:16:53Z - link to updated analysis

@jmgilman jmgilman marked this pull request as ready for review May 14, 2026 21:20
@jmgilman jmgilman merged commit 940506c into master May 14, 2026
2 checks passed
@jmgilman jmgilman deleted the session-026/testkit-open-pastebin branch May 14, 2026 21:21
@meigma-release-please meigma-release-please Bot mentioned this pull request May 14, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@kusari-inspector kusari-inspector[bot] kusari-inspector[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jmgilman