Add a 4-layer test stack covering RLS, triggers, and UI flows for Fases 0–2a, then restructure every plan file so future fases start with tests and end with a verification gate. Test suite - packages/test-utils: Vitest integration tests signing HS256 JWTs via jose so each test acts as a specific seed user (createClientAs + createAdminClient) - supabase/tests: pgTAP for accept_invitation(), item_frequency trigger, and promote-on-admin-leave; each file self-installs pgtap extension - apps/web/tests: Playwright E2E with live Keycloak login per test (storageState caching doesn't rehydrate Supabase's session state reliably) - just test-all chains the three suites; test-db forwards POSTGRES_PASSWORD as PGPASSWORD with ON_ERROR_STOP=1 so failures abort the chain Supabase auth gotcha - PostgREST queries inside onAuthStateChange deadlock on GoTrue's navigator.locks auth lock (getAccessToken → getSession → initializePromise waits on the same lock that's held during event dispatch). Fix is two defenses: a pass-through lock in $lib/supabase, and a setTimeout(0) defer in root +layout.svelte to push loadUserCollectives out of the callback's microtask chain. Either alone is insufficient; both together unblock the Playwright suite. Env key rotation - apps/web/.env.development had a stale demo anon key signed with a different secret than root .env; Vite inlined that into the browser bundle so Kong (which uses the root .env value) rejected every request with 401. Aligned the two files and added a memory entry to flag this for the next rotation. Plan restructure (TDD) - Every fase now opens with X.0 Tests primero and closes with X.Z Verificación final. Completed fases (0, 1, 2a) show the pattern retroactively with the tests that currently cover them; pending fases (2b, 3, 4) list the tests to write before implementation. Docs - CLAUDE.md status line reports 54 + 12 + 15 = 81 green tests, adds gotchas #11 (auth-lock deadlock) and #12 (no storageState caching) - README.md adds a TDD methodology section and the test-all command - .gitignore excludes Playwright's generated reports and auth state 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
99 lines
3.5 KiB
TypeScript
99 lines
3.5 KiB
TypeScript
/**
|
|
* F-series: Eva has no collective membership. She must see zero rows
|
|
* and receive errors on every write attempt.
|
|
*/
|
|
import { describe, it, expect } from 'vitest';
|
|
import { createClientAs, createAdminClient } from '../src/supabase-clients.js';
|
|
import { EVA_ID, COLLECTIVE_ID, SEED_LIST_ID } from '../src/seed-constants.js';
|
|
|
|
describe('RLS isolation — non-member user (Eva)', () => {
|
|
it('F-01: cannot read any shopping lists', async () => {
|
|
const eva = await createClientAs(EVA_ID);
|
|
const { data, error } = await eva.from('shopping_lists').select('id');
|
|
expect(error).toBeNull();
|
|
expect(data).toHaveLength(0);
|
|
});
|
|
|
|
it('F-02: cannot read any shopping items', async () => {
|
|
const eva = await createClientAs(EVA_ID);
|
|
const { data, error } = await eva.from('shopping_items').select('id');
|
|
expect(error).toBeNull();
|
|
expect(data).toHaveLength(0);
|
|
});
|
|
|
|
it('F-03: cannot create a shopping list', async () => {
|
|
const eva = await createClientAs(EVA_ID);
|
|
const { data, error } = await eva
|
|
.from('shopping_lists')
|
|
.insert({ collective_id: COLLECTIVE_ID, name: 'Eva sneaky list', created_by: EVA_ID })
|
|
.select()
|
|
.single();
|
|
expect(data).toBeNull();
|
|
expect(error).not.toBeNull();
|
|
});
|
|
|
|
it('F-04: cannot add an item to the seed list', async () => {
|
|
const eva = await createClientAs(EVA_ID);
|
|
const { data, error } = await eva
|
|
.from('shopping_items')
|
|
.insert({ list_id: SEED_LIST_ID, name: 'Spy item', sort_order: 99, created_by: EVA_ID })
|
|
.select()
|
|
.single();
|
|
expect(data).toBeNull();
|
|
expect(error).not.toBeNull();
|
|
});
|
|
|
|
it('F-05: cannot read any collectives', async () => {
|
|
const eva = await createClientAs(EVA_ID);
|
|
const { data, error } = await eva.from('collectives').select('id');
|
|
expect(error).toBeNull();
|
|
expect(data).toHaveLength(0);
|
|
});
|
|
|
|
it('F-06: cannot read collective members', async () => {
|
|
const eva = await createClientAs(EVA_ID);
|
|
const { data, error } = await eva.from('collective_members').select('user_id');
|
|
expect(error).toBeNull();
|
|
expect(data).toHaveLength(0);
|
|
});
|
|
|
|
it('F-07: cannot read item_frequency suggestions', async () => {
|
|
const eva = await createClientAs(EVA_ID);
|
|
const { data, error } = await eva
|
|
.from('item_frequency')
|
|
.select('name')
|
|
.eq('collective_id', COLLECTIVE_ID);
|
|
expect(error).toBeNull();
|
|
expect(data).toHaveLength(0);
|
|
});
|
|
|
|
it('F-08: cannot create a collective on behalf of another user', async () => {
|
|
const eva = await createClientAs(EVA_ID);
|
|
// Eva creating a collective with her own user id as created_by — this IS allowed
|
|
// (any authenticated user can create a collective). But she cannot create one
|
|
// and pretend it was created by someone else.
|
|
const admin = createAdminClient();
|
|
const { data: evaCollective } = await eva
|
|
.from('collectives')
|
|
.insert({ name: 'Eva collective', emoji: '🐱', created_by: EVA_ID })
|
|
.select()
|
|
.single();
|
|
|
|
// Clean up if somehow inserted
|
|
if (evaCollective) {
|
|
await admin.from('collectives').delete().eq('id', evaCollective.id);
|
|
}
|
|
|
|
// The INSERT policy requires created_by = auth.uid(), so inserting with a
|
|
// different user ID is blocked. Inserting with her own ID is allowed.
|
|
// Here we verify that inserting with someone else's ID fails.
|
|
const { data: spoofed, error: spoofError } = await eva
|
|
.from('collectives')
|
|
.insert({ name: 'Spoof collective', emoji: '😈', created_by: 'aaaaaaaa-0000-0000-0000-000000000000' })
|
|
.select()
|
|
.single();
|
|
expect(spoofed).toBeNull();
|
|
expect(spoofError).not.toBeNull();
|
|
});
|
|
});
|