[INS-444] Fix verification logic in Mesibo detector

[mustansir14]

Problem

The Mesibo detector was incorrectly marking unverified secrets as verified. The original implementation sent a GET request to https://api.mesibo.com/api.php?op=useradd&token=<token> and checked whether the response body contained the string "AUTHFAIL". This endpoint no longer works correctly — it now returns 502 on all requests, meaning the "AUTHFAIL" string is never present and every candidate token is marked as verified regardless of its validity. Even setting aside the broken endpoint, checking for a specific error string in the body is an unreliable verification strategy compared to inspecting a structured response field.

Fix

Switched to the current Mesibo backend API (POST https://api.mesibo.com/backend) as documented at https://docs.mesibo.com/api/backend-api/.

The backend API always returns HTTP 200. The actual outcome is encoded in the JSON response body via a code field, which contains an RFC 9110 compliant HTTP status code. We probe using the useradd operation:

• A valid token passes authentication but fails the operation due to missing required user parameters, yielding code: 400.
• An invalid or unauthorized token yields a different code (e.g. 401).

The verification logic was refactored into a dedicated verify() method that:

1. POSTs a JSON payload with op=useradd and the candidate token.
2. Checks that the HTTP status is 200, returning a verification error otherwise.
3. Parses the JSON response into a typed apiResponse struct.
4. Returns true only if code == 400.

All errors are wrapped with context using fmt.Errorf(..., %w) and surfaced via SetVerificationError.

Tests

Added a test case "found, verification error on 502" to the integration test suite using common.ConstantResponseHttpClient(502, "") to simulate an unexpected HTTP status from the API, asserting that the result is unverified and a verification error is set.

Checklist:

• Tests passing (make test-community)?
• Lint passing (make lint this requires golangci-lint)?

---

Note

Medium Risk
Changes live secret verification behavior and external API interaction; incorrect interpretation of Mesibo response codes could flip verified/unverified results, but the scope is limited to this detector and is covered by tests.

Overview
Mesibo secret verification is rewritten to use the documented backend API (POST https://api.mesibo.com/backend) and to decide validity via the JSON code field (treating 400 as auth succeeded and 401 as unverified) instead of string-matching AUTHFAIL from the deprecated api.php endpoint.

The detector now encapsulates verification in a dedicated verify() method, supports injecting an HTTP client on Scanner, and surfaces unexpected HTTP/response conditions via SetVerificationError. Integration tests are updated to use go-cmp and add coverage for a verification-error scenario (simulated 502).

^{Reviewed by Cursor Bugbot for commit 52cedea. Bugbot is set up for automated code reviews on this repo. Configure here.}

[MuneebUllahKhan222]

Just need to address this one small change. Otherwise the PR is as good as it gets.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit c8f5f59. Configure here.}