fix: query errors with newer Grafana API

[llamafilm]

Closes #253

Bug Fixes

Extend IsDataSourceQueryRequest to match both the legacy /api/ds/query? path and the newer
/apis/query.grafana.app/<version>/namespaces/<ns>/query path used by Grafana Cloud

Tests

Add test cases for query API path matching (correct host, with port, wrong host, non-query API path)

Details

When using login-method=apikey, the kiosk intercepts browser requests via the Chrome DevTools Protocol fetch domain
to inject Authorization and Content-Type headers. The Authorization: Bearer header was added to all requests
matching the target host, but the Content-Type: application/json header was only added when the request URL contained /api/ds/query? — the legacy Grafana datasource query path.

Grafana Cloud now routes datasource queries through a Kubernetes-style API:
/apis/query.grafana.app/v0alpha1/namespaces/stacks-/query?ds_type=prometheus&requestId=...

Without the Content-Type header, the server cannot parse the POST body and returns a 400 Bad Request.

[cla-assistant]

All committers have signed the CLA.

[briangann]

Nice fix! One logic issue to flag:

Redundant second condition in new path match

pkg/kiosk/apikey_login.go:33 (in the PR diff):

return strings.Contains(rest, "/apis/query.grafana.app/") && strings.Contains(rest, "/query")

The second strings.Contains(rest, "/query") is always true when the first passes, because the literal string /apis/query.grafana.app/ already contains the substring /query. This means any path under query.grafana.app matches — not just the /query endpoint.

For example, this would incorrectly return true:

https://myorg.grafana.net/apis/query.grafana.app/v0alpha1/namespaces/stacks-123/something-else

Suggested fix — replace pkg/kiosk/apikey_login.go:33 with:

	path := strings.SplitN(rest, "?", 2)[0]

	return strings.Contains(rest, "/apis/query.grafana.app/") && strings.HasSuffix(path, "/query")

Strip the query string first, then use HasSuffix to verify the path actually ends with /query.

Suggested test — add after pkg/kiosk/apikey_login_test.go:90 (after the "not a query endpoint" block):

Convey("When request is under query.grafana.app but not a /query endpoint", func() {
    result := IsDataSourceQueryRequest(
        "https://myorg.grafana.net/apis/query.grafana.app/v0alpha1/namespaces/stacks-123/something-else",
        "https", "myorg.grafana.net",
    )
    So(result, ShouldBeFalse)
})

This test exposes the bug — without the HasSuffix fix it returns true.

Tested locally — all 11 assertions pass with these changes. Low severity since false positives are unlikely in practice, but easy to tighten up.

[briangann]

PR looks great, see the comments above to improve the code a little bit. If you don't want to make those changes right now I can open an issue and get it fixed up later.

[llamafilm]

Nice catch. FIxed!