test: full test suite (Vitest + pgTAP + Playwright) + TDD plan restructure
Add a 4-layer test stack covering RLS, triggers, and UI flows for Fases 0–2a, then restructure every plan file so future fases start with tests and end with a verification gate. Test suite - packages/test-utils: Vitest integration tests signing HS256 JWTs via jose so each test acts as a specific seed user (createClientAs + createAdminClient) - supabase/tests: pgTAP for accept_invitation(), item_frequency trigger, and promote-on-admin-leave; each file self-installs pgtap extension - apps/web/tests: Playwright E2E with live Keycloak login per test (storageState caching doesn't rehydrate Supabase's session state reliably) - just test-all chains the three suites; test-db forwards POSTGRES_PASSWORD as PGPASSWORD with ON_ERROR_STOP=1 so failures abort the chain Supabase auth gotcha - PostgREST queries inside onAuthStateChange deadlock on GoTrue's navigator.locks auth lock (getAccessToken → getSession → initializePromise waits on the same lock that's held during event dispatch). Fix is two defenses: a pass-through lock in $lib/supabase, and a setTimeout(0) defer in root +layout.svelte to push loadUserCollectives out of the callback's microtask chain. Either alone is insufficient; both together unblock the Playwright suite. Env key rotation - apps/web/.env.development had a stale demo anon key signed with a different secret than root .env; Vite inlined that into the browser bundle so Kong (which uses the root .env value) rejected every request with 401. Aligned the two files and added a memory entry to flag this for the next rotation. Plan restructure (TDD) - Every fase now opens with X.0 Tests primero and closes with X.Z Verificación final. Completed fases (0, 1, 2a) show the pattern retroactively with the tests that currently cover them; pending fases (2b, 3, 4) list the tests to write before implementation. Docs - CLAUDE.md status line reports 54 + 12 + 15 = 81 green tests, adds gotchas #11 (auth-lock deadlock) and #12 (no storageState caching) - README.md adds a TDD methodology section and the test-all command - .gitignore excludes Playwright's generated reports and auth state 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
52
packages/test-utils/src/supabase-clients.ts
Normal file
52
packages/test-utils/src/supabase-clients.ts
Normal file
@@ -0,0 +1,52 @@
|
||||
import { createClient } from '@supabase/supabase-js';
|
||||
import { SignJWT } from 'jose';
|
||||
import type { Database } from '@colectivo/types';
|
||||
|
||||
function requiredEnv(key: string): string {
|
||||
const value = process.env[key];
|
||||
if (!value) throw new Error(`Missing required env var: ${key}`);
|
||||
return value;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sign a GoTrue-compatible JWT for a seed user using the shared SUPABASE_JWT_SECRET.
|
||||
* This lets integration tests act as any seed user without going through Keycloak.
|
||||
*/
|
||||
async function signToken(userId: string): Promise<string> {
|
||||
const secret = new TextEncoder().encode(requiredEnv('SUPABASE_JWT_SECRET'));
|
||||
return new SignJWT({ role: 'authenticated' })
|
||||
.setProtectedHeader({ alg: 'HS256' })
|
||||
.setSubject(userId)
|
||||
.setAudience('authenticated')
|
||||
.setIssuedAt()
|
||||
.setExpirationTime('1h')
|
||||
.sign(secret);
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a Supabase client that authenticates as the given seed user.
|
||||
* RLS policies see auth.uid() = userId.
|
||||
*/
|
||||
export async function createClientAs(userId: string) {
|
||||
const token = await signToken(userId);
|
||||
return createClient<Database>(
|
||||
requiredEnv('PUBLIC_SUPABASE_URL'),
|
||||
requiredEnv('PUBLIC_SUPABASE_ANON_KEY'),
|
||||
{
|
||||
global: { headers: { Authorization: `Bearer ${token}` } },
|
||||
auth: { persistSession: false, autoRefreshToken: false }
|
||||
}
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a service-role client that bypasses RLS entirely.
|
||||
* Use only for test setup and cleanup — never in assertions.
|
||||
*/
|
||||
export function createAdminClient() {
|
||||
return createClient<Database>(
|
||||
requiredEnv('PUBLIC_SUPABASE_URL'),
|
||||
requiredEnv('SUPABASE_SERVICE_ROLE_KEY'),
|
||||
{ auth: { persistSession: false, autoRefreshToken: false } }
|
||||
);
|
||||
}
|
||||
Reference in New Issue
Block a user