- Install gotestsum in CI so the coverage script uses compact
pkgname-formatted output instead of go test -v, which produces
massive verbose logs that exceed GitHub Actions' step log buffer
- Upload the full test output as a downloadable artifact on every
run (including failures) so truncated logs never block debugging
- Aligns upload-artifact pin to v7.0.0 matching the rest of the repo
- Implement DeleteCertificateDialog component to handle certificate deletion confirmation.
- Add tests for DeleteCertificateDialog covering various scenarios including rendering, confirmation, and cancellation.
- Update translation files for multiple languages to include new strings related to certificate deletion.
- Create end-to-end tests for certificate deletion UX, including button visibility, confirmation dialog, and success/failure scenarios.
- Add getStoredAuthHeader helper that reads charon_auth_token from
localStorage and constructs an Authorization: Bearer header
- Apply the header to all page.request.* API calls in readImportStatus
and issuePendingSessionCancel
- The previous code relied on the browser cookie jar for these cleanup
API calls; with Secure=true on auth cookies, browsers refuse to send
cookies over HTTP to 127.0.0.1 (IP address, not localhost hostname)
causing silent 401s that left pending ImportSession rows in the DB
- Unreleased sessions caused all subsequent caddy-import tests to show
the pending-session banner instead of the Caddyfile textarea, failing
every test after the first
- The fix mirrors how the React app authenticates: via Authorization
header, which is transport-independent and works on both HTTP and HTTPS
- Remove the conditional secure=false branch from setSecureCookie that
allowed cookies to be issued without the Secure flag when requests
arrived over HTTP from localhost or RFC 1918 private addresses
- Pass the literal true to c.SetCookie directly, eliminating the
dataflow path that triggered CodeQL go/cookie-secure-not-set (CWE-614)
- Remove the now-dead codeql suppression comment; the root cause is
gone, not merely silenced
- Update setSecureCookie doc comment to reflect that Secure is always
true: all major browsers (Chrome 66+, Firefox 75+, Safari 14+) honour
the Secure attribute on localhost HTTP connections, and direct
HTTP-on-private-IP access without TLS is an unsupported deployment
model for Charon which is designed to sit behind Caddy TLS termination
- Update the five TestSetSecureCookie HTTP/local tests that previously
asserted Secure=false to now assert Secure=true, reflecting the
elimination of the insecure code path
- Add Secure=true assertion to TestClearSecureCookie to provide explicit
coverage of the clear-cookie path
GitHub Actions
Jeremy
renovate[bot]