/** * E2E — Password reset flow * * Requires: * - Dev server running on http://localhost:3100 * - Mailhog running on http://localhost:8025 * - SMTP_HOST=mailhog (or localhost), SMTP_PORT=1025, SMTP_TLS=false configured * * Uses a dedicated test user "reset-test@planarchy.dev" (Dev123456!) that * exists in the dev seed. This avoids modifying shared admin/manager/viewer * credentials that other E2E tests depend on. * * Flow: * 1. Request password reset for reset-test@planarchy.dev * 2. Read reset email from Mailhog * 3. Visit reset link → enter new password * 4. Sign in with new password → land on dashboard * 5. (Cleanup) Reset the password back to Dev123456! */ import { expect, test } from "@playwright/test"; import { clearMailhog, extractUrlFromEmail, getLatestEmailTo, signIn } from "./helpers.js"; const RESET_USER = { email: "reset-test@planarchy.dev", originalPassword: "Dev123456!" }; const NEW_PASSWORD = "ResetPass456!"; test.describe("password reset flow", () => { // No storageState — these tests exercise the unauthenticated flow test("user can reset password via email link", async ({ page }) => { await clearMailhog(); // Step 1: Navigate to forgot-password page await page.goto("/auth/forgot-password"); await page.fill('input[type="email"]', RESET_USER.email); await page.click('button[type="submit"]'); // Step 2: Confirm the "check your email" state is shown await expect(page.locator("text=Check your email")).toBeVisible({ timeout: 10_000 }); // Step 3: Read reset email from Mailhog const email = await getLatestEmailTo(RESET_USER.email, { timeoutMs: 15_000 }); expect(email.subject).toMatch(/reset/i); const resetUrl = extractUrlFromEmail(email, "/auth/reset-password/"); const resetPath = new URL(resetUrl).pathname; // Step 4: Visit reset link await page.goto(resetPath); await expect(page.locator("text=Set a new password")).toBeVisible({ timeout: 10_000 }); // Step 5: Set new password const passwordInputs = page.locator('input[type="password"]'); await passwordInputs.nth(0).fill(NEW_PASSWORD); await passwordInputs.nth(1).fill(NEW_PASSWORD); await page.click('button[type="submit"]'); // Password updated state await expect(page.locator("text=Password updated")).toBeVisible({ timeout: 15_000 }); // Step 6: Sign in with new password await page.click('button:has-text("Go to sign in")'); await page.waitForURL(/\/auth\/signin/); await signIn(page, RESET_USER.email, NEW_PASSWORD); await page.waitForURL(/\/(dashboard|resources)/, { timeout: 15_000 }); // Step 7: Cleanup — reset password back to original so next test run works await clearMailhog(); await page.goto("/auth/forgot-password"); await page.fill('input[type="email"]', RESET_USER.email); await page.click('button[type="submit"]'); await expect(page.locator("text=Check your email")).toBeVisible({ timeout: 10_000 }); const cleanupEmail = await getLatestEmailTo(RESET_USER.email, { timeoutMs: 15_000 }); const cleanupPath = new URL(extractUrlFromEmail(cleanupEmail, "/auth/reset-password/")).pathname; await page.goto(cleanupPath); await page.waitForSelector('input[type="password"]'); const cleanupInputs = page.locator('input[type="password"]'); await cleanupInputs.nth(0).fill(RESET_USER.originalPassword); await cleanupInputs.nth(1).fill(RESET_USER.originalPassword); await page.click('button[type="submit"]'); await expect(page.locator("text=Password updated")).toBeVisible({ timeout: 15_000 }); }); test("invalid reset token shows an error message", async ({ page }) => { await page.goto("/auth/reset-password/this-token-does-not-exist"); // Submit the form with a bad token await page.waitForSelector('input[type="password"]'); const inputs = page.locator('input[type="password"]'); await inputs.nth(0).fill("SomePass1!"); await inputs.nth(1).fill("SomePass1!"); await page.click('button[type="submit"]'); // Should display an error message (NOT_FOUND or BAD_REQUEST from server) await expect(page.locator('[class*="red"]').first()).toBeVisible({ timeout: 10_000 }); }); });