Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
security/audit-2026-04-17
CapaKraken/apps/web/e2e/dev-system/auth-session.spec.ts
T
Hartmut 8429bd86d4 test(e2e): fix dev-system test suite — storageState + strict-mode + signout 
Fixes 8 failures from the first test run:

1. Rate limiter exhaustion (5/8 failures)
   Admin was logged in 9× across the suite, hitting the 5/15min auth
   limit. Fix: global-setup.ts logs in once per role and saves storage
   state; all non-login tests use storageState so they skip the form.
   Total admin logins per suite run: 3 (global setup + 2 explicit tests).

2. Strict-mode violations (2/8 failures)
   toBeVisible() matched 3 email cells / 2 permission-error nodes.
   Fix: .first() on both locators.

3. Auth.js v5 signout confirmation page (1/8 failures)
   GET /auth/signout renders a confirm form rather than immediately
   redirecting. Fix: signOut() helper clicks the submit button.

Note: running the suite right after a previous run may fail if the
in-memory rate limit hasn't reset (15-min window). Restart the dev
server, or add E2E_TEST_MODE=true to apps/web/.env.local to bypass.

Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 19:09:49 +02:00

116 lines
4.5 KiB
TypeScript
Raw Permalink Blame History

/**
* Auth & Session Registry tests — dev system
*
* Validates that:
* - Login works with the dev-DB seed users
* - After login, all tRPC calls succeed (no 401 "Session revoked")
* - After logout, protected routes redirect to sign-in
* - Invalid credentials are rejected
*
* These tests guard against regressions in the active-session registry
* (token.sid / active_sessions table) introduced in the auth hardening work.
*
* Login-flow tests (describe "Auth") exercise the actual login form and count
* against the rate limiter. Session-registry tests (describe "Session registry")
* reuse pre-authenticated storage state from global setup to avoid rate-limit
* exhaustion when the whole suite runs sequentially.
*/
import { expect, test } from "@playwright/test";
import { STORAGE_STATE } from "../../playwright.dev.config.js";
import { assertNoTrpc401s, DEV_USERS, signIn, signOut } from "./helpers.js";
test.describe("Auth — login / logout", () => {
test("admin login succeeds and lands on a protected page", async ({ page }) => {
await signIn(page, DEV_USERS.admin.email, DEV_USERS.admin.password);
await expect(page).not.toHaveURL(/\/auth\/signin/);
});
test("manager login succeeds", async ({ page }) => {
await signIn(page, DEV_USERS.manager.email, DEV_USERS.manager.password);
await expect(page).not.toHaveURL(/\/auth\/signin/);
});
test("viewer login succeeds", async ({ page }) => {
await signIn(page, DEV_USERS.viewer.email, DEV_USERS.viewer.password);
await expect(page).not.toHaveURL(/\/auth\/signin/);
});
test("invalid credentials show an error and stay on sign-in", async ({ page }) => {
await page.goto("/auth/signin");
await page.fill('input[type="email"]', "nobody@example.com");
await page.fill('input[type="password"]', "wrong");
await page.click('button[type="submit"]');
await expect(page).toHaveURL(/\/auth\/signin/, { timeout: 5000 });
// Error message visible
await expect(
page.locator("text=/invalid|incorrect|wrong|credentials/i"),
).toBeVisible({ timeout: 5000 });
});
test("after logout, protected routes redirect to sign-in", async ({ page }) => {
await signIn(page, DEV_USERS.admin.email, DEV_USERS.admin.password);
await signOut(page);
await page.goto("/dashboard");
await expect(page).toHaveURL(/\/auth\/signin/, { timeout: 10000 });
});
});
// Session-registry tests reuse stored login state so they don't add to the
// rate-limit counter for the admin account.
test.describe("Session registry — no tRPC 401s after login", () => {
test.use({ storageState: STORAGE_STATE.admin });
test("admin session: dashboard loads without 401s", async ({ page }) => {
await assertNoTrpc401s(page, async () => {
await page.goto("/dashboard");
await page.waitForLoadState("networkidle");
});
});
test("admin navigating to /admin/users fires no 401s and loads user rows", async ({ page }) => {
await assertNoTrpc401s(page, async () => {
await page.goto("/admin/users");
await page.waitForLoadState("networkidle");
});
// At least one user row should be visible
await expect(page.locator("table")).toBeVisible({ timeout: 10000 });
await expect(page.locator("text=/planarchy\\.dev|capakraken\\.dev/").first()).toBeVisible({
timeout: 10000,
});
await expect(page.locator("text=No users found")).toHaveCount(0);
});
test("admin navigating to /admin/system-roles fires no 401s", async ({ page }) => {
await assertNoTrpc401s(page, async () => {
await page.goto("/admin/system-roles");
await page.waitForLoadState("networkidle");
});
// Page should render something (not blank)
await expect(page.locator("h1,h2").first()).toBeVisible({ timeout: 10000 });
});
test("viewer session: no 401s on dashboard", async ({ page }) => {
// Override admin storageState for this one test
await page.context().clearCookies();
// Use viewer state via a fresh context — covered separately in rbac-permissions.spec.ts
// Here we just verify no residual 401s from a page refresh after session restore
await assertNoTrpc401s(page, async () => {
await page.goto("/dashboard");
await page.waitForLoadState("networkidle");
});
});
});
test.describe("Session registry — viewer no 401s", () => {
test.use({ storageState: STORAGE_STATE.viewer });
test("viewer session: dashboard loads without 401s", async ({ page }) => {
await assertNoTrpc401s(page, async () => {
await page.goto("/dashboard");
await page.waitForLoadState("networkidle");
});
});
});
Reference in New Issue View Git Blame Copy Permalink