feat: SMTP full ENV override, password reset flow, and E2E email testing

- SMTP: SMTP_HOST/PORT/USER/FROM/TLS now all have ENV override support (previously only SMTP_PASSWORD was env-aware). ENV takes priority over DB. - docker-compose.yml: forward all SMTP_* env vars to app container + add Mailhog service (ports 1025 SMTP / 8025 HTTP, always available in dev) - Password reset: PasswordResetToken Prisma model + authRouter with requestPasswordReset (timing-safe, no email enumeration) + resetPassword - UI: /auth/forgot-password, /auth/reset-password/[token] pages + "Forgot password?" link on sign-in page - E2E: Mailhog helpers (getLatestEmailTo, clearMailhog, extractUrlFromEmail) + invite-flow.spec.ts + password-reset.spec.ts Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-02 08:55:39 +02:00
parent e5ecea81c5
commit fceceeee4b
14 changed files with 1030 additions and 11 deletions
@@ -39,6 +39,81 @@ export async function signOut(page: Page) {
  await page.waitForURL(/\/auth\/signin/, { timeout: 10000 });
 }

+// ── Mailhog helpers ────────────────────────────────────────────────────────────
+
+const MAILHOG_API = process.env["MAILHOG_API"] ?? "http://localhost:8025";
+
+type MailhogMessage = {
+  Content: {
+    Headers: { Subject?: string[]; To?: string[] };
+    Body: string;
+  };
+  MIME: { Parts?: Array<{ Headers: { "Content-Type"?: string[] }; Body: string }> } | null;
+};
+
+type MailhogResponse = {
+  count: number;
+  items: MailhogMessage[];
+};
+
+/** Delete all messages in Mailhog (call in beforeEach to prevent cross-test contamination). */
+export async function clearMailhog(): Promise<void> {
+  await fetch(`${MAILHOG_API}/api/v1/messages`, { method: "DELETE" });
+}
+
+/**
+ * Poll Mailhog until a message to `address` appears. Returns the message.
+ * Throws after `timeoutMs` if no matching message is found.
+ */
+export async function getLatestEmailTo(
+  address: string,
+  { timeoutMs = 10_000, pollIntervalMs = 500 }: { timeoutMs?: number; pollIntervalMs?: number } = {},
+): Promise<{ subject: string; body: string; html: string }> {
+  const deadline = Date.now() + timeoutMs;
+
+  while (Date.now() < deadline) {
+    const res = await fetch(`${MAILHOG_API}/api/v2/messages?limit=50`);
+    if (res.ok) {
+      const data = (await res.json()) as MailhogResponse;
+      const match = data.items.find((msg) => {
+        const to = msg.Content.Headers.To ?? [];
+        return to.some((t) => t.toLowerCase().includes(address.toLowerCase()));
+      });
+
+      if (match) {
+        const subject = (match.Content.Headers.Subject ?? [])[0] ?? "";
+        const htmlPart = match.MIME?.Parts?.find((p) =>
+          (p.Headers["Content-Type"]?.[0] ?? "").includes("text/html"),
+        );
+        const html = htmlPart?.Body ?? match.Content.Body;
+        return { subject, body: match.Content.Body, html };
+      }
+    }
+
+    await new Promise((resolve) => setTimeout(resolve, pollIntervalMs));
+  }
+
+  throw new Error(`No email to "${address}" found within ${timeoutMs}ms`);
+}
+
+/**
+ * Extract a URL from email body/html matching a path prefix.
+ * e.g. extractUrlFromEmail(email, "/invite/") → "http://localhost:3100/invite/abc123"
+ */
+export function extractUrlFromEmail(
+  email: { body: string; html: string },
+  pathPrefix: string,
+): string {
+  const text = email.html || email.body;
+  const match = text.match(new RegExp(`https?://[^\\s"'<>]*${pathPrefix.replace("/", "\\/")}[^\\s"'<>]*`));
+  if (!match?.[0]) {
+    throw new Error(`No URL with prefix "${pathPrefix}" found in email`);
+  }
+  return match[0];
+}
+
+// ── tRPC helpers ───────────────────────────────────────────────────────────────
+
 /**
 * Intercept all tRPC batch responses and assert none return HTTP 401.
 * Returns a list of intercepted tRPC paths that were called.