test: full test suite (Vitest + pgTAP + Playwright) + TDD plan restructure
Add a 4-layer test stack covering RLS, triggers, and UI flows for Fases 0–2a, then restructure every plan file so future fases start with tests and end with a verification gate. Test suite - packages/test-utils: Vitest integration tests signing HS256 JWTs via jose so each test acts as a specific seed user (createClientAs + createAdminClient) - supabase/tests: pgTAP for accept_invitation(), item_frequency trigger, and promote-on-admin-leave; each file self-installs pgtap extension - apps/web/tests: Playwright E2E with live Keycloak login per test (storageState caching doesn't rehydrate Supabase's session state reliably) - just test-all chains the three suites; test-db forwards POSTGRES_PASSWORD as PGPASSWORD with ON_ERROR_STOP=1 so failures abort the chain Supabase auth gotcha - PostgREST queries inside onAuthStateChange deadlock on GoTrue's navigator.locks auth lock (getAccessToken → getSession → initializePromise waits on the same lock that's held during event dispatch). Fix is two defenses: a pass-through lock in $lib/supabase, and a setTimeout(0) defer in root +layout.svelte to push loadUserCollectives out of the callback's microtask chain. Either alone is insufficient; both together unblock the Playwright suite. Env key rotation - apps/web/.env.development had a stale demo anon key signed with a different secret than root .env; Vite inlined that into the browser bundle so Kong (which uses the root .env value) rejected every request with 401. Aligned the two files and added a memory entry to flag this for the next rotation. Plan restructure (TDD) - Every fase now opens with X.0 Tests primero and closes with X.Z Verificación final. Completed fases (0, 1, 2a) show the pattern retroactively with the tests that currently cover them; pending fases (2b, 3, 4) list the tests to write before implementation. Docs - CLAUDE.md status line reports 54 + 12 + 15 = 81 green tests, adds gotchas #11 (auth-lock deadlock) and #12 (no storageState caching) - README.md adds a TDD methodology section and the test-all command - .gitignore excludes Playwright's generated reports and auth state 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -4,6 +4,21 @@ import type { Database } from '@colectivo/types';
|
||||
|
||||
let supabase: SupabaseClient<Database> | null = null;
|
||||
|
||||
/**
|
||||
* GoTrue's default lock uses `navigator.locks.request()`. In Playwright's
|
||||
* headless Chromium, a lock acquired in one page context can fail to release
|
||||
* after navigation, so every subsequent `supabase.from(...).select()` hangs on
|
||||
* `getAccessToken() -> getSession()` which awaits `initializePromise` which
|
||||
* awaits the never-resolved lock. A pass-through lock is safe here because
|
||||
* we're a single-tab PWA (no cross-tab coordination needed) and BroadcastChannel
|
||||
* handles multi-tab sync independently.
|
||||
*/
|
||||
const passThroughLock = async <R>(
|
||||
_name: string,
|
||||
_acquireTimeout: number,
|
||||
fn: () => Promise<R>
|
||||
): Promise<R> => fn();
|
||||
|
||||
export function getSupabase(): SupabaseClient<Database> {
|
||||
if (!supabase) {
|
||||
supabase = createClient<Database>(PUBLIC_SUPABASE_URL, PUBLIC_SUPABASE_ANON_KEY, {
|
||||
@@ -14,7 +29,8 @@ export function getSupabase(): SupabaseClient<Database> {
|
||||
// exchangeCodeForSession so there is only one code-exchange attempt.
|
||||
detectSessionInUrl: false,
|
||||
// PKCE flow — required for SPA/PWA OAuth
|
||||
flowType: 'pkce'
|
||||
flowType: 'pkce',
|
||||
lock: passThroughLock
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
@@ -14,28 +14,32 @@
|
||||
|
||||
const {
|
||||
data: { subscription }
|
||||
} = supabase.auth.onAuthStateChange(async (event, session) => {
|
||||
} = supabase.auth.onAuthStateChange((event, session) => {
|
||||
currentUser.set(session?.user ?? null);
|
||||
authLoading.set(false);
|
||||
|
||||
if (session) {
|
||||
// Load collectives on every auth event that provides a session:
|
||||
// INITIAL_SESSION (page refresh), SIGNED_IN (post-login), TOKEN_REFRESHED.
|
||||
await loadUserCollectives(session.user.id);
|
||||
// Defer out of the onAuthStateChange callback so the internal auth
|
||||
// lock is fully released before we make any PostgREST query.
|
||||
// Without this, queries hang on `getAccessToken() -> initializePromise`
|
||||
// in some browser environments (e.g. Playwright headless Chromium).
|
||||
setTimeout(async () => {
|
||||
await loadUserCollectives(session.user.id);
|
||||
|
||||
if (event === 'SIGNED_IN') {
|
||||
// Post-login: send the user where they belong.
|
||||
// Only redirect when coming from the callback or the root — not on
|
||||
// token refreshes or when the user is already on a real route.
|
||||
const path = $page.url.pathname;
|
||||
if (path === '/auth/callback' || path === '/') {
|
||||
if ($userCollectives.length === 0) {
|
||||
goto('/onboarding');
|
||||
} else {
|
||||
goto('/lists');
|
||||
if (event === 'SIGNED_IN') {
|
||||
// Post-login: send the user where they belong.
|
||||
// Only redirect when coming from the callback or the root — not on
|
||||
// token refreshes or when the user is already on a real route.
|
||||
const path = $page.url.pathname;
|
||||
if (path === '/auth/callback' || path === '/') {
|
||||
if ($userCollectives.length === 0) {
|
||||
goto('/onboarding');
|
||||
} else {
|
||||
goto('/lists');
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}, 0);
|
||||
}
|
||||
});
|
||||
|
||||
|
||||
Reference in New Issue
Block a user