Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
fceceeee4bd9f018438acc41d2739ee685ea7376
CapaKraken/apps/web/e2e/dev-system/password-reset.spec.ts
T
Hartmut fceceeee4b feat: SMTP full ENV override, password reset flow, and E2E email testing 
- SMTP: SMTP_HOST/PORT/USER/FROM/TLS now all have ENV override support
  (previously only SMTP_PASSWORD was env-aware). ENV takes priority over DB.
- docker-compose.yml: forward all SMTP_* env vars to app container + add
  Mailhog service (ports 1025 SMTP / 8025 HTTP, always available in dev)
- Password reset: PasswordResetToken Prisma model + authRouter with
  requestPasswordReset (timing-safe, no email enumeration) + resetPassword
- UI: /auth/forgot-password, /auth/reset-password/[token] pages +
  "Forgot password?" link on sign-in page
- E2E: Mailhog helpers (getLatestEmailTo, clearMailhog, extractUrlFromEmail)
  + invite-flow.spec.ts + password-reset.spec.ts

Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-02 08:55:39 +02:00

100 lines
4.1 KiB
TypeScript
Raw Blame History

/**
* E2E — Password reset flow
*
* Requires:
* - Dev server running on http://localhost:3100
* - Mailhog running on http://localhost:8025
* - SMTP_HOST=mailhog (or localhost), SMTP_PORT=1025, SMTP_TLS=false configured
*
* Uses a dedicated test user "reset-test@planarchy.dev" (Dev123456!) that
* exists in the dev seed. This avoids modifying shared admin/manager/viewer
* credentials that other E2E tests depend on.
*
* Flow:
* 1. Request password reset for reset-test@planarchy.dev
* 2. Read reset email from Mailhog
* 3. Visit reset link → enter new password
* 4. Sign in with new password → land on dashboard
* 5. (Cleanup) Reset the password back to Dev123456!
*/
import { expect, test } from "@playwright/test";
import { clearMailhog, extractUrlFromEmail, getLatestEmailTo, signIn } from "./helpers.js";
const RESET_USER = { email: "reset-test@planarchy.dev", originalPassword: "Dev123456!" };
const NEW_PASSWORD = "ResetPass456!";
test.describe("password reset flow", () => {
// No storageState — these tests exercise the unauthenticated flow
test("user can reset password via email link", async ({ page }) => {
await clearMailhog();
// Step 1: Navigate to forgot-password page
await page.goto("/auth/forgot-password");
await page.fill('input[type="email"]', RESET_USER.email);
await page.click('button[type="submit"]');
// Step 2: Confirm the "check your email" state is shown
await expect(page.locator("text=Check your email")).toBeVisible({ timeout: 10_000 });
// Step 3: Read reset email from Mailhog
const email = await getLatestEmailTo(RESET_USER.email, { timeoutMs: 15_000 });
expect(email.subject).toMatch(/reset/i);
const resetUrl = extractUrlFromEmail(email, "/auth/reset-password/");
const resetPath = new URL(resetUrl).pathname;
// Step 4: Visit reset link
await page.goto(resetPath);
await expect(page.locator("text=Set a new password")).toBeVisible({ timeout: 10_000 });
// Step 5: Set new password
const passwordInputs = page.locator('input[type="password"]');
await passwordInputs.nth(0).fill(NEW_PASSWORD);
await passwordInputs.nth(1).fill(NEW_PASSWORD);
await page.click('button[type="submit"]');
// Password updated state
await expect(page.locator("text=Password updated")).toBeVisible({ timeout: 15_000 });
// Step 6: Sign in with new password
await page.click('button:has-text("Go to sign in")');
await page.waitForURL(/\/auth\/signin/);
await signIn(page, RESET_USER.email, NEW_PASSWORD);
await page.waitForURL(/\/(dashboard|resources)/, { timeout: 15_000 });
// Step 7: Cleanup — reset password back to original so next test run works
await clearMailhog();
await page.goto("/auth/forgot-password");
await page.fill('input[type="email"]', RESET_USER.email);
await page.click('button[type="submit"]');
await expect(page.locator("text=Check your email")).toBeVisible({ timeout: 10_000 });
const cleanupEmail = await getLatestEmailTo(RESET_USER.email, { timeoutMs: 15_000 });
const cleanupPath = new URL(extractUrlFromEmail(cleanupEmail, "/auth/reset-password/")).pathname;
await page.goto(cleanupPath);
await page.waitForSelector('input[type="password"]');
const cleanupInputs = page.locator('input[type="password"]');
await cleanupInputs.nth(0).fill(RESET_USER.originalPassword);
await cleanupInputs.nth(1).fill(RESET_USER.originalPassword);
await page.click('button[type="submit"]');
await expect(page.locator("text=Password updated")).toBeVisible({ timeout: 15_000 });
});
test("invalid reset token shows an error message", async ({ page }) => {
await page.goto("/auth/reset-password/this-token-does-not-exist");
// Submit the form with a bad token
await page.waitForSelector('input[type="password"]');
const inputs = page.locator('input[type="password"]');
await inputs.nth(0).fill("SomePass1!");
await inputs.nth(1).fill("SomePass1!");
await page.click('button[type="submit"]');
// Should display an error message (NOT_FOUND or BAD_REQUEST from server)
await expect(page.locator('[class*="red"]').first()).toBeVisible({ timeout: 10_000 });
});
});
Reference in New Issue View Git Blame Copy Permalink