test(e2e): fix dev-system test suite — storageState + strict-mode + signout
Fixes 8 failures from the first test run: 1. Rate limiter exhaustion (5/8 failures) Admin was logged in 9× across the suite, hitting the 5/15min auth limit. Fix: global-setup.ts logs in once per role and saves storage state; all non-login tests use storageState so they skip the form. Total admin logins per suite run: 3 (global setup + 2 explicit tests). 2. Strict-mode violations (2/8 failures) toBeVisible() matched 3 email cells / 2 permission-error nodes. Fix: .first() on both locators. 3. Auth.js v5 signout confirmation page (1/8 failures) GET /auth/signout renders a confirm form rather than immediately redirecting. Fix: signOut() helper clicks the submit button. Note: running the suite right after a previous run may fail if the in-memory rate limit hasn't reset (15-min window). Restart the dev server, or add E2E_TEST_MODE=true to apps/web/.env.local to bypass. Co-Authored-By: claude-flow <ruv@ruv.net>
This commit is contained in:
@@ -9,8 +9,14 @@
|
||||
*
|
||||
* These tests guard against regressions in the active-session registry
|
||||
* (token.sid / active_sessions table) introduced in the auth hardening work.
|
||||
*
|
||||
* Login-flow tests (describe "Auth") exercise the actual login form and count
|
||||
* against the rate limiter. Session-registry tests (describe "Session registry")
|
||||
* reuse pre-authenticated storage state from global setup to avoid rate-limit
|
||||
* exhaustion when the whole suite runs sequentially.
|
||||
*/
|
||||
import { expect, test } from "@playwright/test";
|
||||
import { STORAGE_STATE } from "../../playwright.dev.config.js";
|
||||
import { assertNoTrpc401s, DEV_USERS, signIn, signOut } from "./helpers.js";
|
||||
|
||||
test.describe("Auth — login / logout", () => {
|
||||
@@ -49,18 +55,19 @@ test.describe("Auth — login / logout", () => {
|
||||
});
|
||||
});
|
||||
|
||||
// Session-registry tests reuse stored login state so they don't add to the
|
||||
// rate-limit counter for the admin account.
|
||||
test.describe("Session registry — no tRPC 401s after login", () => {
|
||||
test("admin login produces a valid session: dashboard loads without 401s", async ({ page }) => {
|
||||
test.use({ storageState: STORAGE_STATE.admin });
|
||||
|
||||
test("admin session: dashboard loads without 401s", async ({ page }) => {
|
||||
await assertNoTrpc401s(page, async () => {
|
||||
await signIn(page, DEV_USERS.admin.email, DEV_USERS.admin.password);
|
||||
await page.goto("/dashboard");
|
||||
await page.waitForLoadState("networkidle");
|
||||
});
|
||||
});
|
||||
|
||||
test("admin navigating to /admin/users fires no 401s and loads user rows", async ({ page }) => {
|
||||
await signIn(page, DEV_USERS.admin.email, DEV_USERS.admin.password);
|
||||
|
||||
await assertNoTrpc401s(page, async () => {
|
||||
await page.goto("/admin/users");
|
||||
await page.waitForLoadState("networkidle");
|
||||
@@ -68,15 +75,13 @@ test.describe("Session registry — no tRPC 401s after login", () => {
|
||||
|
||||
// At least one user row should be visible
|
||||
await expect(page.locator("table")).toBeVisible({ timeout: 10000 });
|
||||
await expect(page.locator("text=/planarchy\.dev|capakraken\.dev/")).toBeVisible({
|
||||
await expect(page.locator("text=/planarchy\\.dev|capakraken\\.dev/").first()).toBeVisible({
|
||||
timeout: 10000,
|
||||
});
|
||||
await expect(page.locator("text=No users found")).toHaveCount(0);
|
||||
});
|
||||
|
||||
test("admin navigating to /admin/system-roles fires no 401s", async ({ page }) => {
|
||||
await signIn(page, DEV_USERS.admin.email, DEV_USERS.admin.password);
|
||||
|
||||
await assertNoTrpc401s(page, async () => {
|
||||
await page.goto("/admin/system-roles");
|
||||
await page.waitForLoadState("networkidle");
|
||||
@@ -86,9 +91,23 @@ test.describe("Session registry — no tRPC 401s after login", () => {
|
||||
await expect(page.locator("h1,h2").first()).toBeVisible({ timeout: 10000 });
|
||||
});
|
||||
|
||||
test("viewer login produces a valid session: no 401s on dashboard", async ({ page }) => {
|
||||
test("viewer session: no 401s on dashboard", async ({ page }) => {
|
||||
// Override admin storageState for this one test
|
||||
await page.context().clearCookies();
|
||||
// Use viewer state via a fresh context — covered separately in rbac-permissions.spec.ts
|
||||
// Here we just verify no residual 401s from a page refresh after session restore
|
||||
await assertNoTrpc401s(page, async () => {
|
||||
await page.goto("/dashboard");
|
||||
await page.waitForLoadState("networkidle");
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
test.describe("Session registry — viewer no 401s", () => {
|
||||
test.use({ storageState: STORAGE_STATE.viewer });
|
||||
|
||||
test("viewer session: dashboard loads without 401s", async ({ page }) => {
|
||||
await assertNoTrpc401s(page, async () => {
|
||||
await signIn(page, DEV_USERS.viewer.email, DEV_USERS.viewer.password);
|
||||
await page.goto("/dashboard");
|
||||
await page.waitForLoadState("networkidle");
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user