Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
dda049075fff72dc578c0215c660fc51f733be1b
CapaKraken/apps/web/e2e/dev-system/helpers.ts
T
Hartmut bfdf0a82da security/platform: close audit findings #19–#26 
Tests, CSP nonce middleware, SSRF guard, perf-route hardening,
Docker env isolation, migration runbook, RBAC E2E coverage.

Tickets resolved:
- #19: MfaSetup.test.ts — static source tests confirming local QR rendering
- #20: ssrf-guard.test.ts (16 tests) + webhook-procedure-support mock fix
- #21: /api/perf route.test.ts (5 tests) — header-only auth, fail-closed
- #22: middleware.ts (nonce-based CSP) + middleware.test.ts (6 tests);
       layout.tsx async + nonce prop; CSP removed from next.config.ts
- #23: Active-session registry enforcement verified (already in codebase)
- #24: docker-compose.yml REDIS_URL hardcoded (no host-env substitution)
- #25: docker-compose.yml REDIS_URL + docs/developer-runbook.md created
- #26: e2e/dev-system/rbac-data-access.spec.ts (12 tests, 3 roles × 4 procedures)

Quality gates: tsc clean, api 1447/1447, web 189/189 passing.
Turbo concurrency capped at 2 (package.json) to prevent OOM under
parallel test runs.

Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 22:14:20 +02:00

64 lines
2.4 KiB
TypeScript
Raw Blame History

import { expect, type Page } from "@playwright/test";
/** Dev-system credentials — these exist in the planarchy.dev seed data */
export const DEV_USERS = {
admin: { email: "admin@planarchy.dev", password: "admin123" },
manager: { email: "manager@planarchy.dev", password: "manager123" },
viewer: { email: "viewer@planarchy.dev", password: "viewer123" },
} as const;
export async function signIn(page: Page, email: string, password: string) {
await page.goto("/auth/signin");
await page.fill('input[type="email"]', email);
await page.fill('input[type="password"]', password);
await page.click('button[type="submit"]');
await expect(page).toHaveURL(/\/(dashboard|resources)/, { timeout: 15000 });
}
export async function signOut(page: Page) {
// next-auth/react signOut() POSTs to /auth/signout with a CSRF token.
// There is no GET-accessible signout page in this app (/auth/signout returns 404).
// Replicate what the client-side signOut() function does:
// 1. Fetch the CSRF token from /auth/csrf
// 2. POST to /auth/signout with that token
// 3. Follow the redirect to /auth/signin
await page.goto("/dashboard"); // land on any authenticated page for cookie context
await page.evaluate(async () => {
const csrfRes = await fetch("/api/auth/csrf");
const { csrfToken } = await csrfRes.json() as { csrfToken: string };
await fetch("/api/auth/signout", {
method: "POST",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body: new URLSearchParams({ csrfToken, callbackUrl: "/auth/signin", json: "true" }),
redirect: "follow",
});
});
// After the POST clears the session cookie, navigating to a protected route
// should redirect to sign-in.
await page.goto("/dashboard");
await page.waitForURL(/\/auth\/signin/, { timeout: 10000 });
}
/**
* Intercept all tRPC batch responses and assert none return HTTP 401.
* Returns a list of intercepted tRPC paths that were called.
*/
export async function assertNoTrpc401s(page: Page, action: () => Promise<void>) {
const failures: string[] = [];
page.on("response", (response) => {
if (response.url().includes("/api/trpc/") && response.status() === 401) {
const url = new URL(response.url());
failures.push(url.pathname + url.search.slice(0, 80));
}
});
await action();
if (failures.length > 0) {
throw new Error(
`tRPC 401 responses detected (session registry / auth broken):\n${failures.join("\n")}`,
);
}
}
Reference in New Issue View Git Blame Copy Permalink