# Bug Report: test-user-b QA Test **Tester:** test-user-b (user role) **Date:** 2026-05-11 **Environment:** http://10.6.80.114:18080 --- ## Bug 1: Repository Tags Endpoint Returns 404 **Endpoint:** `GET /api/v1/registries/{registryId}/repositories/{repository}/tags` **Status Code:** 404 **Response Body:** `404 page not found` (plain text, not JSON) **Expected:** Should return a list of tags for the chart/artifact. **Actual:** The dedicated tags endpoint is not implemented or routes incorrectly. The artifacts endpoint (`/repositories/{repository}/artifacts`) does work and returns tag info. **Severity:** Medium — tags are still discoverable via artifacts endpoint but the dedicated tags API is broken. --- ## Bug 2: DELETE Instance Returns Empty Response Body **Endpoint:** `DELETE /api/v1/clusters/{clusterId}/instances/{instanceId}` **Status Code:** 200 **Response Body:** (empty — no content at all) **Expected:** Should return a confirmation JSON body (e.g., `{"message": "Instance deletion initiated", "id": "..."}`) or at minimum a 202 Accepted with status details. **Actual:** Returns a completely empty body. The instance does transition to `pending-delete` state, but the API consumer receives no feedback. **Severity:** Medium — operation works but API consumer gets no confirmation. --- ## Bug 3: Cluster Stats Endpoint Returns 404 **Endpoint:** `GET /api/v1/clusters/{clusterId}/stats` **Status Code:** 404 **Response Body:** `404 page not found` (plain text) **Expected:** Should return cluster resource statistics (CPU, memory, pod counts, etc.) or a proper JSON error if not implemented. **Actual:** Endpoint is not implemented — returns a raw 404 with no JSON error structure. **Severity:** Low — but given the user has `monitoring:clusters:view` permission, this is a missing feature. --- ## Bug 4: Kubeconfig Endpoint Returns 404 **Endpoint:** `GET /api/v1/clusters/{clusterId}/kubeconfig` **Status Code:** 404 **Response Body:** `404 page not found` (plain text) **Expected:** Should return a kubeconfig file content or JSON error. User has `kubeconfig:issue:own` permission. **Actual:** Endpoint is not implemented. **Severity:** Low — the permission exists but the endpoint does nothing. --- ## Bug 5: Monitoring Metrics Endpoint Returns 404 **Endpoint:** `GET /api/v1/monitoring/clusters/{clusterId}/metrics` **Status Code:** 404 **Response Body:** `404 page not found` (plain text) **Expected:** Monitoring metrics data. User has `monitoring:clusters:view` permission. **Actual:** Endpoint not found. **Severity:** Low — monitoring permissions exist but backend endpoints missing. --- ## Bug 6: Inconsistent API Response Format (Array vs Object Wrapper) **Clusters and Registries** return bare arrays: ```json [ { "id": "...", "name": "k3s", ... } ] ``` **Instances** returns an object wrapper: ```json { "instances": [ { "id": "...", "name": "test-nginx-b", ... } ], "total": 1 } ``` **Expected:** Consistent response format across all list endpoints. Either all return bare arrays or all use the `{ "items": [...], "total": N }` wrapper pattern. **Severity:** Low — API consistency issue. Makes client code harder to write generically. --- ## Bug 7: auth/me Returns Empty Token Fields **Endpoint:** `GET /api/v1/auth/me` **Response includes empty/unpopulated fields:** ```json { "accessToken": "", "refreshToken": "", ... } ``` **Expected:** Either remove these fields from the `/auth/me` response (they are only meaningful in login/refresh responses) or populate them with valid values. **Actual:** Emptry string values for both token fields create confusion about whether they should be present. **Severity:** Low — cosmetic issue, but suggests the DTO is reusing the login response struct without clearing token fields. --- ## Summary | # | Bug | Severity | Category | |---|-----|----------|----------| | 1 | Tags endpoint 404 | Medium | Missing Implementation | | 2 | DELETE returns empty body | Medium | API Response Quality | | 3 | Cluster stats endpoint 404 | Low | Missing Implementation | | 4 | Kubeconfig endpoint 404 | Low | Missing Implementation | | 5 | Monitoring metrics endpoint 404 | Low | Missing Implementation | | 6 | Inconsistent list response format | Low | API Consistency | | 7 | auth/me returns empty tokens | Low | API Response Quality | **Passed Tests:** - Login/authentication ✓ - Auth/me user info ✓ - Cluster listing ✓ - Cluster health check ✓ - Registry listing ✓ - Repository browsing (artifacts) ✓ - Instance deployment (nginx chart) ✓ - Instance status tracking (pending-install → deployed) ✓ - Instance deletion (async, transitions to pending-delete then removed) ✓ - Error handling for invalid repository ✓ - Error handling for missing required fields ✓ - Auth rejects invalid tokens ✓ - Auth rejects missing tokens ✓ - Instance cleanup confirmed ✓