- Add getStoredAuthHeader helper that reads charon_auth_token from
localStorage and constructs an Authorization: Bearer header
- Apply the header to all page.request.* API calls in readImportStatus
and issuePendingSessionCancel
- The previous code relied on the browser cookie jar for these cleanup
API calls; with Secure=true on auth cookies, browsers refuse to send
cookies over HTTP to 127.0.0.1 (IP address, not localhost hostname)
causing silent 401s that left pending ImportSession rows in the DB
- Unreleased sessions caused all subsequent caddy-import tests to show
the pending-session banner instead of the Caddyfile textarea, failing
every test after the first
- The fix mirrors how the React app authenticates: via Authorization
header, which is transport-independent and works on both HTTP and HTTPS
- Remove the conditional secure=false branch from setSecureCookie that
allowed cookies to be issued without the Secure flag when requests
arrived over HTTP from localhost or RFC 1918 private addresses
- Pass the literal true to c.SetCookie directly, eliminating the
dataflow path that triggered CodeQL go/cookie-secure-not-set (CWE-614)
- Remove the now-dead codeql suppression comment; the root cause is
gone, not merely silenced
- Update setSecureCookie doc comment to reflect that Secure is always
true: all major browsers (Chrome 66+, Firefox 75+, Safari 14+) honour
the Secure attribute on localhost HTTP connections, and direct
HTTP-on-private-IP access without TLS is an unsupported deployment
model for Charon which is designed to sit behind Caddy TLS termination
- Update the five TestSetSecureCookie HTTP/local tests that previously
asserted Secure=false to now assert Secure=true, reflecting the
elimination of the insecure code path
- Add Secure=true assertion to TestClearSecureCookie to provide explicit
coverage of the clear-cookie path
The TCP monitor creation form showed a placeholder that instructed users to enter a URL with the tcp:// scheme prefix (e.g., tcp://192.168.1.1:8080). Following this guidance caused a silent HTTP 500 error because Go's net.SplitHostPort rejects any input containing a scheme prefix, expecting bare host:port format only.
- Corrected the urlPlaceholder translation key to remove the tcp:// prefix
- Added per-type dynamic placeholder (urlPlaceholderHttp / urlPlaceholderTcp) so the URL input shows the correct example format as soon as the user selects a monitor type
- Added per-type helper text below the URL input explaining the required format, updated in real time when the type selector changes
- Added client-side validation: typing a scheme prefix (://) in TCP mode shows an inline error and blocks form submission before the request reaches the backend
- Reordered the Create Monitor form so the type selector appears before the URL input, giving users the correct format context before they type
- Type selector onChange now clears any stale urlError to prevent incorrect error messages persisting after switching from TCP back to HTTP
- Added 5 new i18n keys across all 5 supported locales (en, de, fr, es, zh)
- Added 10 RTL unit tests covering all new validation paths including the type-change error-clear scenario
- Added 9 Playwright E2E tests covering placeholder variants, helper text, inline error lifecycle, submission blocking, and successful TCP creation
Closes #issue-5 (TCP monitor UI cannot add monitor when following placeholder)
