test: full test suite (Vitest + pgTAP + Playwright) + TDD plan restructure
Add a 4-layer test stack covering RLS, triggers, and UI flows for Fases 0–2a, then restructure every plan file so future fases start with tests and end with a verification gate. Test suite - packages/test-utils: Vitest integration tests signing HS256 JWTs via jose so each test acts as a specific seed user (createClientAs + createAdminClient) - supabase/tests: pgTAP for accept_invitation(), item_frequency trigger, and promote-on-admin-leave; each file self-installs pgtap extension - apps/web/tests: Playwright E2E with live Keycloak login per test (storageState caching doesn't rehydrate Supabase's session state reliably) - just test-all chains the three suites; test-db forwards POSTGRES_PASSWORD as PGPASSWORD with ON_ERROR_STOP=1 so failures abort the chain Supabase auth gotcha - PostgREST queries inside onAuthStateChange deadlock on GoTrue's navigator.locks auth lock (getAccessToken → getSession → initializePromise waits on the same lock that's held during event dispatch). Fix is two defenses: a pass-through lock in $lib/supabase, and a setTimeout(0) defer in root +layout.svelte to push loadUserCollectives out of the callback's microtask chain. Either alone is insufficient; both together unblock the Playwright suite. Env key rotation - apps/web/.env.development had a stale demo anon key signed with a different secret than root .env; Vite inlined that into the browser bundle so Kong (which uses the root .env value) rejected every request with 401. Aligned the two files and added a memory entry to flag this for the next rotation. Plan restructure (TDD) - Every fase now opens with X.0 Tests primero and closes with X.Z Verificación final. Completed fases (0, 1, 2a) show the pattern retroactively with the tests that currently cover them; pending fases (2b, 3, 4) list the tests to write before implementation. Docs - CLAUDE.md status line reports 54 + 12 + 15 = 81 green tests, adds gotchas #11 (auth-lock deadlock) and #12 (no storageState caching) - README.md adds a TDD methodology section and the test-all command - .gitignore excludes Playwright's generated reports and auth state 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
56
apps/web/tests/e2e/auth.test.ts
Normal file
56
apps/web/tests/e2e/auth.test.ts
Normal file
@@ -0,0 +1,56 @@
|
||||
/**
|
||||
* A-series: Auth flows — login, logout, route protection, role visibility.
|
||||
*
|
||||
* Uses live Keycloak login per test (see fixtures/login.ts). The passthrough
|
||||
* lock in `$lib/supabase` is required for queries to resolve in headless
|
||||
* Chromium — see the comment there for details.
|
||||
*/
|
||||
import { test, expect } from '@playwright/test';
|
||||
import { USERS, COLLECTIVE_NAME, KEYCLOAK_REALM } from '../fixtures/users.js';
|
||||
import { loginAs } from '../fixtures/login.js';
|
||||
|
||||
test.describe('Auth — login and route protection', () => {
|
||||
test('A-01: unauthenticated user is redirected to Keycloak', async ({ page }) => {
|
||||
await page.goto('/lists');
|
||||
await expect(page).toHaveURL(
|
||||
new RegExp(`realms/${KEYCLOAK_REALM}/protocol/openid-connect/auth`),
|
||||
{ timeout: 10_000 }
|
||||
);
|
||||
});
|
||||
|
||||
test('A-02: Ana can log in and reach the app', async ({ page }) => {
|
||||
await loginAs(page, USERS.ana);
|
||||
await expect(page.locator('body')).not.toContainText('Error');
|
||||
});
|
||||
|
||||
test('A-04: Ana sees the collective name in the sidebar', async ({ page }) => {
|
||||
await loginAs(page, USERS.ana);
|
||||
await page.goto('/lists');
|
||||
// Sidebar button label includes both the emoji and the collective name
|
||||
await expect(
|
||||
page.getByRole('button', { name: new RegExp(COLLECTIVE_NAME) })
|
||||
).toBeVisible({ timeout: 15_000 });
|
||||
});
|
||||
|
||||
test('A-05: Ana can sign out', async ({ page }) => {
|
||||
await loginAs(page, USERS.ana);
|
||||
await page.goto('/settings');
|
||||
|
||||
const signOutButton = page.getByRole('button', { name: /sign out|cerrar sesión/i });
|
||||
await expect(signOutButton).toBeVisible({ timeout: 10_000 });
|
||||
await signOutButton.click();
|
||||
|
||||
// After sign out, the session is cleared. The (app) layout's auth effect
|
||||
// will redirect back to Keycloak for re-auth (SSO still active there), so
|
||||
// we end up somewhere other than /settings. We just verify we left.
|
||||
await expect(page).not.toHaveURL(/\/settings/, { timeout: 15_000 });
|
||||
});
|
||||
|
||||
test('A-06: David (guest) can log in and see the collective', async ({ page }) => {
|
||||
await loginAs(page, USERS.david);
|
||||
await page.goto('/lists');
|
||||
await expect(
|
||||
page.getByRole('button', { name: new RegExp(COLLECTIVE_NAME) })
|
||||
).toBeVisible({ timeout: 15_000 });
|
||||
});
|
||||
});
|
||||
Reference in New Issue
Block a user