CapaKraken/apps/web/e2e/dev-system/auth-session.spec.ts

/**
 * Auth & Session Registry tests — dev system
 *
 * Validates that:
 * - Login works with the dev-DB seed users
 * - After login, all tRPC calls succeed (no 401 "Session revoked")
 * - After logout, protected routes redirect to sign-in
 * - Invalid credentials are rejected
 *
 * These tests guard against regressions in the active-session registry
 * (token.sid / active_sessions table) introduced in the auth hardening work.
 */
import { expect, test } from "@playwright/test";
import { assertNoTrpc401s, DEV_USERS, signIn, signOut } from "./helpers.js";

test.describe("Auth — login / logout", () => {
  test("admin login succeeds and lands on a protected page", async ({ page }) => {
    await signIn(page, DEV_USERS.admin.email, DEV_USERS.admin.password);
    await expect(page).not.toHaveURL(/\/auth\/signin/);
  });

  test("manager login succeeds", async ({ page }) => {
    await signIn(page, DEV_USERS.manager.email, DEV_USERS.manager.password);
    await expect(page).not.toHaveURL(/\/auth\/signin/);
  });

  test("viewer login succeeds", async ({ page }) => {
    await signIn(page, DEV_USERS.viewer.email, DEV_USERS.viewer.password);
    await expect(page).not.toHaveURL(/\/auth\/signin/);
  });

  test("invalid credentials show an error and stay on sign-in", async ({ page }) => {
    await page.goto("/auth/signin");
    await page.fill('input[type="email"]', "nobody@example.com");
    await page.fill('input[type="password"]', "wrong");
    await page.click('button[type="submit"]');
    await expect(page).toHaveURL(/\/auth\/signin/, { timeout: 5000 });
    // Error message visible
    await expect(
      page.locator("text=/invalid|incorrect|wrong|credentials/i"),
    ).toBeVisible({ timeout: 5000 });
  });

  test("after logout, protected routes redirect to sign-in", async ({ page }) => {
    await signIn(page, DEV_USERS.admin.email, DEV_USERS.admin.password);
    await signOut(page);
    await page.goto("/dashboard");
    await expect(page).toHaveURL(/\/auth\/signin/, { timeout: 10000 });
  });
});

test.describe("Session registry — no tRPC 401s after login", () => {
  test("admin login produces a valid session: dashboard loads without 401s", async ({ page }) => {
    await assertNoTrpc401s(page, async () => {
      await signIn(page, DEV_USERS.admin.email, DEV_USERS.admin.password);
      await page.goto("/dashboard");
      await page.waitForLoadState("networkidle");
    });
  });

  test("admin navigating to /admin/users fires no 401s and loads user rows", async ({ page }) => {
    await signIn(page, DEV_USERS.admin.email, DEV_USERS.admin.password);

    await assertNoTrpc401s(page, async () => {
      await page.goto("/admin/users");
      await page.waitForLoadState("networkidle");
    });

    // At least one user row should be visible
    await expect(page.locator("table")).toBeVisible({ timeout: 10000 });
    await expect(page.locator("text=/planarchy\.dev|capakraken\.dev/")).toBeVisible({
      timeout: 10000,
    });
    await expect(page.locator("text=No users found")).toHaveCount(0);
  });

  test("admin navigating to /admin/system-roles fires no 401s", async ({ page }) => {
    await signIn(page, DEV_USERS.admin.email, DEV_USERS.admin.password);

    await assertNoTrpc401s(page, async () => {
      await page.goto("/admin/system-roles");
      await page.waitForLoadState("networkidle");
    });

    // Page should render something (not blank)
    await expect(page.locator("h1,h2").first()).toBeVisible({ timeout: 10000 });
  });

  test("viewer login produces a valid session: no 401s on dashboard", async ({ page }) => {
    await assertNoTrpc401s(page, async () => {
      await signIn(page, DEV_USERS.viewer.email, DEV_USERS.viewer.password);
      await page.goto("/dashboard");
      await page.waitForLoadState("networkidle");
    });
  });
});