- Replaced dialog-based user creation with API calls for better reliability and speed.
- Added functions for resetting security state and retrieving authentication tokens.
- Improved audit log checks by implementing polling for asynchronous data retrieval.
- Enhanced role assignment and user management tests to utilize API endpoints.
- Streamlined login processes and error handling for failed login attempts.
- Ensured unique user data generation for test isolation.
- Implemented SystemPermissionsHandler to check and repair file permissions.
- Added endpoints for retrieving and repairing permissions.
- Introduced utility functions for permission checks and error mapping.
- Created tests for the new handler and utility functions.
- Updated routes to include the new permissions endpoints.
- Enhanced configuration to support new logging and plugin directories.
- Mocked `getNotifications` and `checkUpdates` in `Layout.test.tsx`
- Prevents `UND_ERR_INVALID_ARG` errors caused by unmocked `undici` network requests in JSDOM
- Ensures clean test execution for `Layout` and child components
- Updated error variable names for clarity in DNS provider, import, logs, manual challenge, security, user, and other handlers.
- Improved error handling in services such as backup, credential, docker, mail, notification, security headers, and uptime services.
- Enhanced readability by using more descriptive variable names for errors in multiple locations across the codebase.
- Ensured consistent error handling practices throughout the application.
- Updated design documentation to reflect the new Playwright-first approach for frontend testing, including orchestration flow and runbook notes.
- Revised requirements to align with the new frontend test iteration strategy, emphasizing E2E environment management and coverage thresholds.
- Expanded tasks to outline phased implementation for frontend testing, including Playwright E2E baseline, backend triage, and coverage validation.
- Enhanced QA report to capture frontend coverage failures and type errors, with detailed remediation steps for accessibility compliance.
- Created new security validation and accessibility remediation reports for CrowdSec configuration, addressing identified issues and implementing fixes.
- Adjusted package.json scripts to prioritize Firefox for Playwright tests.
- Added canonical links for requirements and tasks documentation.
- Updated `crowdsec_handler.go` to log inaccessible paths during config export and handle permission errors gracefully.
- Modified `emergency_handler.go` to clear admin whitelist during security reset and ensure proper updates to security configurations.
- Enhanced user password update functionality in `user_handler.go` to reset failed login attempts and lockout status.
- Introduced rate limiting middleware in `cerberus` to manage request rates and prevent abuse, with comprehensive tests for various scenarios.
- Added validation for proxy host entries in `proxyhost_service.go` to ensure valid hostnames and IP addresses, including tests for various cases.
- Improved IP matching logic in `whitelist.go` to support both IPv4 and IPv6 loopback addresses.
- Updated configuration loading in `config.go` to include rate limiting parameters from environment variables.
- Added tests for new functionalities and validations to ensure robustness and reliability.
- Implemented `getCrowdsecKeyStatus` API call to retrieve the current status of the CrowdSec API key.
- Created `CrowdSecKeyWarning` component to display warnings when the API key is rejected.
- Integrated `CrowdSecKeyWarning` into the Security page, ensuring it only shows when relevant.
- Updated i18n initialization in main.tsx to prevent race conditions during rendering.
- Enhanced authentication setup in tests to handle various response statuses more robustly.
- Adjusted security tests to accept broader error responses for import validation.
Replace name-based bouncer validation with actual LAPI authentication
testing. The previous implementation checked if a bouncer NAME existed
but never validated if the API KEY was accepted by CrowdSec LAPI.
Key changes:
- Add testKeyAgainstLAPI() with real HTTP authentication against
/v1/decisions/stream endpoint
- Implement exponential backoff retry (500ms → 5s cap) for transient
connection errors while failing fast on 403 authentication failures
- Add mutex protection to prevent concurrent registration race conditions
- Use atomic file writes (temp → rename) for key persistence
- Mask API keys in all log output (CWE-312 compliance)
Breaking behavior: Invalid env var keys now auto-recover by registering
a new bouncer instead of failing silently with stale credentials.
Includes temporary acceptance of 7 Debian HIGH CVEs with documented
mitigation plan (Alpine migration in progress - issue #631).
- Implemented CrowdSecBouncerKeyDisplay component to fetch and display the bouncer API key information.
- Added loading skeletons and error handling for API requests.
- Integrated the new component into the Security page, conditionally rendering it based on CrowdSec status.
- Created unit tests for the CrowdSecBouncerKeyDisplay component, covering various states including loading, registered/unregistered bouncer, and no key configured.
- Added functional tests for the Security page to ensure proper rendering of the CrowdSec Bouncer Key Display based on the CrowdSec status.
- Updated translation files to include new keys related to the bouncer API key functionality.
- Implemented `diagnose-crowdsec.sh` script for checking CrowdSec connectivity and configuration.
- Added E2E tests for CrowdSec console enrollment, including API checks for enrollment status, diagnostics connectivity, and configuration validation.
- Created E2E tests for CrowdSec diagnostics, covering configuration file validation, connectivity checks, and configuration export.
The break glass recovery test was calling GET /api/v1/config which
doesn't exist (only PATCH is supported). Changed to use
GET /api/v1/security/config and updated the response body accessor
from body.security?.admin_whitelist to body.config?.admin_whitelist.
Also switched to Playwright's toBeOK() assertion for better error
messages on failure.
