From 7202ec6d517d7998f7b5b0b619bec16e564a3449 Mon Sep 17 00:00:00 2001 From: cekapitan <162815519+cekapitan@users.noreply.github.com> Date: Sun, 21 Dec 2025 12:15:49 -0500 Subject: [PATCH 01/10] adding small changes --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index c2bec0368b7..325c48976f5 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,7 @@ # learn-cicd-starter (Notely) +More to come later + This repo contains the starter code for the "Notely" application for the "Learn CICD" course on [Boot.dev](https://boot.dev). ## Local Development From f1363c4851884a8ad3cf4e6d8ad0b9621fbfa49a Mon Sep 17 00:00:00 2001 From: cekapitan <162815519+cekapitan@users.noreply.github.com> Date: Sun, 21 Dec 2025 12:25:30 -0500 Subject: [PATCH 02/10] adding first actions --- .github/workflows/ci.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 .github/workflows/ci.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 00000000000..249cc5258a3 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,22 @@ +name: ci + +on: + pull_request: + branches: [main] + +jobs: + tests: + name: Tests + runs-on: ubuntu-latest + + steps: + - name: Check out code + uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: "1.25.1" + + - name: Force Failure + run: (exit 1) From 4c3699de49a64953708bd717ceeee0cd1cc43906 Mon Sep 17 00:00:00 2001 From: cekapitan <162815519+cekapitan@users.noreply.github.com> Date: Sun, 21 Dec 2025 14:12:23 -0500 Subject: [PATCH 03/10] Implement initial action handlers --- internal/auth/auth_test.go | 130 +++++++++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) create mode 100644 internal/auth/auth_test.go diff --git a/internal/auth/auth_test.go b/internal/auth/auth_test.go new file mode 100644 index 00000000000..1eefc6d7012 --- /dev/null +++ b/internal/auth/auth_test.go @@ -0,0 +1,130 @@ +package auth + +import ( + "errors" + "net/http" + "testing" +) + +func TestGetAPIKey(t *testing.T) { + tests := []struct { + name string + headers http.Header + expectedKey string + expectedError error + expectedErrMsg string + }{ + { + name: "missing authorization header", + headers: http.Header{}, + expectedKey: "", + expectedError: ErrNoAuthHeaderIncluded, + }, + { + name: "empty authorization header", + headers: http.Header{ + "Authorization": []string{""}, + }, + expectedKey: "", + expectedError: ErrNoAuthHeaderIncluded, + }, + { + name: "valid ApiKey header", + headers: http.Header{ + "Authorization": []string{"ApiKey test-api-key-123"}, + }, + expectedKey: "test-api-key-123", + expectedError: nil, + }, + { + name: "valid ApiKey header with long key", + headers: http.Header{ + "Authorization": []string{"ApiKey very-long-api-key-with-many-characters-123456789"}, + }, + expectedKey: "very-long-api-key-with-many-characters-123456789", + expectedError: nil, + }, + { + name: "malformed header - wrong prefix", + headers: http.Header{ + "Authorization": []string{"Bearer token123"}, + }, + expectedKey: "", + expectedErrMsg: "malformed authorization header", + }, + { + name: "malformed header - missing space", + headers: http.Header{ + "Authorization": []string{"ApiKeytest-key"}, + }, + expectedKey: "", + expectedErrMsg: "malformed authorization header", + }, + { + name: "malformed header - only prefix", + headers: http.Header{ + "Authorization": []string{"ApiKey"}, + }, + expectedKey: "", + expectedErrMsg: "malformed authorization header", + }, + { + name: "ApiKey prefix with trailing space returns empty key", + headers: http.Header{ + "Authorization": []string{"ApiKey "}, + }, + expectedKey: "", + expectedError: nil, + }, + { + name: "ApiKey with multiple spaces returns first token only", + headers: http.Header{ + "Authorization": []string{"ApiKey key with spaces"}, + }, + expectedKey: "key", + expectedError: nil, + }, + { + name: "case sensitive ApiKey prefix", + headers: http.Header{ + "Authorization": []string{"apikey test-key"}, + }, + expectedKey: "", + expectedErrMsg: "malformed authorization header", + }, + { + name: "case sensitive ApiKey prefix - mixed case", + headers: http.Header{ + "Authorization": []string{"APIKEY test-key"}, + }, + expectedKey: "", + expectedErrMsg: "malformed authorization header", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + key, err := GetAPIKey(tt.headers) + + if key != tt.expectedKey { + t.Errorf("expected key %q, got %q", tt.expectedKey, key) + } + + if tt.expectedError != nil { + if !errors.Is(err, tt.expectedError) { + t.Errorf("expected error %v, got %v", tt.expectedError, err) + } + } else if tt.expectedErrMsg != "" { + if err == nil { + t.Errorf("expected error with message %q, got nil", tt.expectedErrMsg) + } else if err.Error() != tt.expectedErrMsg { + t.Errorf("expected error message %q, got %q", tt.expectedErrMsg, err.Error()) + } + } else { + if err != nil { + t.Errorf("expected no error, got %v", err) + } + } + }) + } +} From 8745f426b6fb41efeafd6e0469bc988ae4a4ef82 Mon Sep 17 00:00:00 2001 From: cekapitan <162815519+cekapitan@users.noreply.github.com> Date: Mon, 22 Dec 2025 00:38:30 -0500 Subject: [PATCH 04/10] fixed ci --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 249cc5258a3..018e245a149 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -19,4 +19,4 @@ jobs: go-version: "1.25.1" - name: Force Failure - run: (exit 1) + run: go test ./... From ee7a44fa3eeda241c6841e5c9edb80b5084e9637 Mon Sep 17 00:00:00 2001 From: cekapitan <162815519+cekapitan@users.noreply.github.com> Date: Mon, 22 Dec 2025 00:55:53 -0500 Subject: [PATCH 05/10] adding coverage --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 018e245a149..50e191eb43e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -19,4 +19,4 @@ jobs: go-version: "1.25.1" - name: Force Failure - run: go test ./... + run: go test ./... -cover From 83be26bc68f12444e0cb3a1b8bc778881a525cdc Mon Sep 17 00:00:00 2001 From: cekapitan <162815519+cekapitan@users.noreply.github.com> Date: Mon, 22 Dec 2025 01:18:22 -0500 Subject: [PATCH 06/10] adding badge --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 325c48976f5..d933ad271a4 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,5 @@ +![example workflow](https://github.com/cekapitan/learn-cicd-starter/actions/workflows/ci.yml/badge.svg) + # learn-cicd-starter (Notely) More to come later From 898c9ac88245d73fe60c56f93d26457abdff0eee Mon Sep 17 00:00:00 2001 From: cekapitan <162815519+cekapitan@users.noreply.github.com> Date: Tue, 23 Dec 2025 00:05:37 -0500 Subject: [PATCH 07/10] Separate style check into its own CI job --- .github/workflows/ci.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 50e191eb43e..c1b67f4ede9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,3 +20,19 @@ jobs: - name: Force Failure run: go test ./... -cover + + style: + name: Style + runs-on: ubuntu-latest + + steps: + - name: Check out code + uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: "1.25.1" + + - name: Check formatting + run: test -z $(go fmt ./...) From 997dfa48732a8be4bef0e85e5ca9fd540f1ddfcc Mon Sep 17 00:00:00 2001 From: cekapitan <162815519+cekapitan@users.noreply.github.com> Date: Tue, 23 Dec 2025 00:14:59 -0500 Subject: [PATCH 08/10] Add staticcheck to style CI job --- .github/workflows/ci.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c1b67f4ede9..0c418796b4f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -36,3 +36,9 @@ jobs: - name: Check formatting run: test -z $(go fmt ./...) + + - name: Install staticcheck + run: go install honnef.co/go/tools/cmd/staticcheck@latest + + - name: Run staticcheck + run: staticcheck ./... From aa2ecaeddc0baf1aa85462b1490fd769a3d64aa6 Mon Sep 17 00:00:00 2001 From: cekapitan <162815519+cekapitan@users.noreply.github.com> Date: Tue, 23 Dec 2025 00:19:54 -0500 Subject: [PATCH 09/10] Add gosec security scanner to tests CI job --- .github/workflows/ci.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0c418796b4f..8c5a6fbf4e5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,6 +21,12 @@ jobs: - name: Force Failure run: go test ./... -cover + - name: Install gosec + run: go install github.com/securego/gosec/v2/cmd/gosec@latest + + - name: Run gosec + run: gosec ./... + style: name: Style runs-on: ubuntu-latest From de5686124c6909050823770a517f30e998b1a57e Mon Sep 17 00:00:00 2001 From: cekapitan <162815519+cekapitan@users.noreply.github.com> Date: Tue, 23 Dec 2025 00:28:47 -0500 Subject: [PATCH 10/10] Fix gosec security issues: add ReadHeaderTimeout and handle Write error --- json.go | 4 +++- main.go | 6 ++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/json.go b/json.go index 1e6e7985e18..0f8075d808a 100644 --- a/json.go +++ b/json.go @@ -30,5 +30,7 @@ func respondWithJSON(w http.ResponseWriter, code int, payload interface{}) { return } w.WriteHeader(code) - w.Write(dat) + if _, err := w.Write(dat); err != nil { + log.Printf("Error writing response: %s", err) + } } diff --git a/main.go b/main.go index 19d7366c5f7..15ee531c5dc 100644 --- a/main.go +++ b/main.go @@ -7,6 +7,7 @@ import ( "log" "net/http" "os" + "time" "github.com/go-chi/chi" "github.com/go-chi/cors" @@ -89,8 +90,9 @@ func main() { router.Mount("/v1", v1Router) srv := &http.Server{ - Addr: ":" + port, - Handler: router, + Addr: ":" + port, + Handler: router, + ReadHeaderTimeout: 5 * time.Second, } log.Printf("Serving on port: %s\n", port)