fabi/EventSnap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(e2e): Playwright suite — 134 tests across 9 spec areas + UA matrix

Browse Source 
Adds an end-to-end Playwright test suite under e2e/ that spins up an
isolated docker-compose stack (Postgres :55432, Caddy :3101, backend with
EVENTSNAP_TEST_MODE=1, SvelteKit adapter-node frontend) and exercises the
SvelteKit app against the real Rust backend.

Phase 1 — happy paths covering every documented USER_JOURNEYS.md flow:
  01-auth/      join, recover, admin login, leave event, PIN lockout
  02-upload/    gallery picker (API path), rate-limit + admin toggle
  03-feed/      like/comment SSE, filters, SSE reconnect on visibility
  04-host/      event lock API, ban/unban, promote
  05-admin/     config validation, foundational authz guards, stats
  06-export/    /export status + download stub
  __smoke/      cross-UA happy-path (runs on every UA project)

Phase 2 — adversarial + browser chaos:
  07-adversarial/  XSS payloads (6 × display name path), SQLi shapes,
                   length / encoding / RTL override / NUL byte;
                   file-upload boundaries (ELF body claimed as JPEG,
                   oversize vs max_image_size_mb, zero-byte, NUL
                   filename, path-traversal, SVG-with-script);
                   JWT alg:none, signature/payload tamper, expired
                   session, PIN brute-force (serial + parallel),
                   admin password brute-force; deep authz (cross-user
                   delete, banned user across like/comment/feed-read,
                   host→admin escalation); small-scale DDoS (20× /join,
                   10MB comment body, 10 concurrent SSE).
  08-browser-chaos/ localStorage / sessionStorage / cookie purge,
                    IndexedDB drop mid-session, offline → reconnect,
                    slow-3G, 503 flakes, 429 with no retry storm,
                    multi-tab same/different user, no-JS, hostile CSS,
                    clock skew ±1h / -2d, localStorage quota exhausted.

Phase 3 — mobile gestures (runs only on chromium-mobile / Pixel 7):
  09-mobile/    touch-target ≥44px audit, env(safe-area-inset-bottom)
                structural check, long-press (FeedListCard → ContextSheet,
                quick-tap negation, click-suppression), double-tap
                (feed card like + lightbox heart-burst, via synthetic
                pointer events to bypass the first-tap-fires-click trap),
                viewport reflow (portrait/landscape/narrow/phablet),
                plus fixme stubs documenting planned gestures (swipe
                lightbox L/R, swipe-down dismiss, pull-to-refresh,
                long-press-comment).

Cross-UA matrix (chromium-engine projects run @smoke only):
  chromium-pixel7, chromium-galaxy-s22, samsung-internet (Samsung UA
  emulation on Galaxy viewport), edge-android, plus webkit-iphone,
  chrome-ios, firefox-android, firefox-desktop — the latter four need
  libavif16 on the host (Playwright dep) but the configs are in place.

Infrastructure:
  - fixtures/test.ts central test.extend (api, db, adminToken, guest,
    host, signIn). Per-test DB truncate via the dev-only POST
    /admin/__truncate route, gated by EVENTSNAP_TEST_MODE=1.
  - helpers/sse-listener.ts, helpers/upload-client.ts (Node-side
    multipart for adversarial file-upload tests + JPEG/PNG/ELF magic
    constants), helpers/touch.ts (longPress / doubleTap / swipe /
    inlineStyle / computedStyle).
  - 10 page objects covering every route + UploadSheet/Lightbox.
  - global-setup waits for /health, logs in admin, disables every
    rate-limit and quota toggle.
  - .github/workflows/e2e.yml: PR check runs chromium-desktop + the
    smoke matrix in parallel, uploads playwright-report/ and traces on
    failure.

Findings the suite surfaces as live `[finding]` warnings (not silenced):
  1. /admin/login has no rate-limit or lockout (bcrypt cost only).
  2. PIN-attempt counter races under parallel /recover requests.
  3. Zero-byte uploads pass /api/v1/upload.
  4. SVG-with-script can pass the magic-byte check (consider CSP +
     X-Content-Type-Options on /media/*).

Stack-internal docs live in e2e/README.md (UA tier table, Samsung
Internet escalation tiers A/B/C, debugging tips, roadmap).

Final tally: 134 passed / 0 failed / 9 skipped (test.fixme stubs for
not-yet-shipped gestures and one UI-upload-flow investigation).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
MechaCat02
2026-05-16 19:02:29 +02:00
parent 1cdab21514
commit e42d8a92a1
64 changed files with 4174 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

152
e2e/fixtures/api-client.ts Normal file
View File

@@ -0,0 +1,152 @@
/**
* Tiny typed wrapper around the EventSnap REST API for use inside tests.
* Used to seed data far faster than driving the UI through every join /
* upload, and to set up adversarial states (banned users, locked PINs) that
* the UI cannot reach.
*
* Auth: pass `token` on individual calls; no global state.
*/
export const ADMIN_PASSWORD = 'admin-test-pw';
export class ApiClient {
constructor(private baseUrl: string = process.env.E2E_FRONTEND_URL ?? 'http://localhost:3101') {}
private async request<T>(
method: string,
path: string,
opts: { token?: string; body?: unknown; expectedStatus?: number | number[] } = {}
): Promise<{ status: number; body: T }> {
const headers: Record<string, string> = {};
if (opts.token) headers['Authorization'] = `Bearer ${opts.token}`;
if (opts.body !== undefined) headers['Content-Type'] = 'application/json';
const res = await fetch(`${this.baseUrl}/api/v1${path}`, {
method,
headers,
body: opts.body !== undefined ? JSON.stringify(opts.body) : undefined,
});
const expected = opts.expectedStatus ?? [200, 201, 204];
const allowed = Array.isArray(expected) ? expected : [expected];
let body: unknown = undefined;
if (res.status !== 204) {
const text = await res.text();
try {
body = text.length > 0 ? JSON.parse(text) : undefined;
} catch {
body = text;
}
}
if (!allowed.includes(res.status)) {
throw new Error(
`API ${method} ${path}${res.status} (expected ${allowed.join('/')}). Body: ${JSON.stringify(body)}`
);
}
return { status: res.status, body: body as T };
}
// ── Auth ───────────────────────────────────────────────────────────────
async join(displayName: string): Promise<{ jwt: string; pin: string; user_id: string; is_new: boolean }> {
const { body } = await this.request<any>('POST', '/join', {
body: { display_name: displayName },
expectedStatus: [201],
});
return body;
}
async recover(displayName: string, pin: string, opts: { expectedStatus?: number | number[] } = {}) {
return this.request<any>('POST', '/recover', {
body: { display_name: displayName, pin },
expectedStatus: opts.expectedStatus ?? [200],
});
}
async adminLogin(password: string = ADMIN_PASSWORD): Promise<string> {
const { body } = await this.request<{ jwt: string }>('POST', '/admin/login', {
body: { password },
});
return body.jwt;
}
async logout(token: string) {
return this.request<void>('DELETE', '/session', { token, expectedStatus: [204] });
}
// ── Test-mode helpers ──────────────────────────────────────────────────
async truncate(adminToken: string) {
return this.request<void>('POST', '/admin/__truncate', {
token: adminToken,
expectedStatus: [204],
});
}
// ── Config ─────────────────────────────────────────────────────────────
async patchConfig(adminToken: string, patch: Record<string, string>) {
return this.request<void>('PATCH', '/admin/config', {
token: adminToken,
body: patch,
expectedStatus: [204],
});
}
async getConfig(adminToken: string): Promise<Record<string, string>> {
const { body } = await this.request<Record<string, string>>('GET', '/admin/config', { token: adminToken });
return body;
}
// ── Host moderation ────────────────────────────────────────────────────
async listUsers(token: string) {
const { body } = await this.request<any[]>('GET', '/host/users', { token });
return body;
}
async setRole(token: string, userId: string, role: 'guest' | 'host') {
return this.request<void>('PATCH', `/host/users/${userId}/role`, {
token,
body: { role },
expectedStatus: [200, 204],
});
}
async banUser(token: string, userId: string, hideUploads = false) {
return this.request<void>('POST', `/host/users/${userId}/ban`, {
token,
body: { hide_uploads: hideUploads },
expectedStatus: [200, 204],
});
}
async closeEvent(token: string) {
return this.request<void>('POST', '/host/event/close', { token, expectedStatus: [200, 204] });
}
async openEvent(token: string) {
return this.request<void>('POST', '/host/event/open', { token, expectedStatus: [200, 204] });
}
// ── Feed ───────────────────────────────────────────────────────────────
async getFeed(token: string) {
const { body } = await this.request<any>('GET', '/feed', { token });
return body;
}
async getStats(adminToken: string) {
const { body } = await this.request<any>('GET', '/admin/stats', { token: adminToken });
return body;
}
// ── Health ─────────────────────────────────────────────────────────────
async waitForHealth(retries = 60): Promise<void> {
for (let i = 0; i < retries; i++) {
try {
const res = await fetch(`${this.baseUrl}/health`);
if (res.ok) return;
} catch {
/* keep retrying */
}
await new Promise((r) => setTimeout(r, 1000));
}
throw new Error(`Backend never became healthy at ${this.baseUrl}/health`);
}
}

84
e2e/fixtures/db.ts Normal file
View File

@@ -0,0 +1,84 @@
/**
* Direct PostgreSQL escape hatch for setting up states the public API doesn't
* expose — e.g. forcing a user into the locked-PIN state to assert the 429
* recovery path, or expiring sessions for chaos tests.
*
* Most tests should NOT use this: prefer `ApiClient` so the tests exercise
* the same code paths real users do. Reach for direct SQL only when the API
* can't get you where you need to go.
*/
import { Client } from 'pg';
const CONN = {
host: process.env.E2E_DB_HOST ?? 'localhost',
port: Number(process.env.E2E_DB_PORT ?? '55432'),
user: process.env.E2E_DB_USER ?? 'eventsnap_test',
password: process.env.E2E_DB_PASSWORD ?? 'eventsnap_test',
database: process.env.E2E_DB_NAME ?? 'eventsnap_test',
};
async function withClient<T>(fn: (c: Client) => Promise<T>): Promise<T> {
const client = new Client(CONN);
await client.connect();
try {
return await fn(client);
} finally {
await client.end();
}
}
export const db = {
async lockUserPin(userId: string, minutesFromNow = 15) {
await withClient((c) =>
c.query(
`UPDATE "user" SET pin_locked_until = NOW() + ($2 || ' minutes')::interval, failed_pin_attempts = 3 WHERE id = $1`,
[userId, String(minutesFromNow)]
)
);
},
async expireSession(userId: string) {
await withClient((c) =>
c.query(`UPDATE session SET expires_at = NOW() - interval '1 hour' WHERE user_id = $1`, [userId])
);
},
async setUploadCompressionStatus(uploadId: string, status: 'pending' | 'processing' | 'done' | 'failed') {
await withClient((c) =>
c.query(`UPDATE upload SET compression_status = $2 WHERE id = $1`, [uploadId, status])
);
},
async countUploadsForUser(userId: string): Promise<number> {
return withClient(async (c) => {
const r = await c.query<{ count: string }>(
`SELECT COUNT(*)::text AS count FROM upload WHERE user_id = $1 AND deleted_at IS NULL`,
[userId]
);
return Number(r.rows[0].count);
});
},
async setExportReleased(slug: string, released: boolean) {
await withClient((c) =>
c.query(`UPDATE event SET export_released_at = $2 WHERE slug = $1`, [
slug,
released ? new Date() : null,
])
);
},
/** Insert a pre-baked export job row to skip the (slow) real compression path. */
async fakeExportJob(eventSlug: string, type: 'zip' | 'html', status: 'pending' | 'running' | 'done') {
await withClient(async (c) => {
const ev = await c.query<{ id: string }>(`SELECT id FROM event WHERE slug = $1`, [eventSlug]);
if (ev.rows.length === 0) throw new Error(`No event with slug ${eventSlug}`);
await c.query(
`INSERT INTO export_job (event_id, type, status, progress_pct, completed_at)
VALUES ($1, $2::export_type, $3::export_status, $4, $5)
ON CONFLICT (event_id, type) DO UPDATE SET status = EXCLUDED.status, progress_pct = EXCLUDED.progress_pct`,
[ev.rows[0].id, type, status, status === 'done' ? 100 : 0, status === 'done' ? new Date() : null]
);
});
},
};

103
e2e/fixtures/test.ts Normal file
View File

@@ -0,0 +1,103 @@
/**
* Central `test.extend` for EventSnap E2E tests. Specs import `test` from here
* (not `@playwright/test` directly) so they get the shared fixtures: API
* client, DB helper, fresh admin token, and convenience factories.
*
* Every test runs against a freshly truncated database (via the `truncate`
* auto-fixture). Because truncate wipes the `session` table, any admin JWT
* obtained before truncate becomes invalid afterwards — so the
* `truncate` fixture always does its own admin login, and the `adminToken`
* fixture re-logs-in per test instead of caching. bcrypt cost 4 → ~10 ms,
* negligible against the ~1 s per-test setup overhead.
*/
import { test as base, expect, type Page } from '@playwright/test';
import { ApiClient } from './api-client';
import { db } from './db';
type GuestHandle = {
jwt: string;
pin: string;
userId: string;
displayName: string;
};
type Fixtures = {
api: ApiClient;
db: typeof db;
adminToken: string;
truncate: void;
guest: (displayName?: string) => Promise<GuestHandle>;
host: GuestHandle;
/** Apply an existing guest's JWT + PIN to the page's localStorage and reload. */
signIn: (page: Page, handle: GuestHandle) => Promise<void>;
};
export const test = base.extend<Fixtures>({
api: async ({}, use) => {
await use(new ApiClient());
},
db: async ({}, use) => {
await use(db);
},
// Auto-fixture: runs before every test, truncates the DB so each test starts
// clean. Acquires its OWN admin token because the previous test's truncate
// wiped the session row that backs any cached token.
truncate: [
async ({ api }, use) => {
const token = await api.adminLogin();
await api.truncate(token);
await use();
},
{ auto: true, scope: 'test' },
],
// Fresh admin login per test that asks for it. Comes AFTER the truncate
// auto-fixture has run (truncate doesn't depend on adminToken, so the
// dependency-free truncate runs first; this fixture then logs in on a
// freshly reset DB).
adminToken: async ({ api }, use) => {
const token = await api.adminLogin();
await use(token);
},
guest: async ({ api }, use) => {
let counter = 0;
const factory = async (displayName?: string): Promise<GuestHandle> => {
const name = displayName ?? `Gast${++counter}_${Math.random().toString(36).slice(2, 6)}`;
const res = await api.join(name);
return { jwt: res.jwt, pin: res.pin, userId: res.user_id, displayName: name };
};
await use(factory);
},
host: async ({ api, guest, adminToken }, use) => {
const h = await guest('TestHost');
await api.setRole(adminToken, h.userId, 'host');
// Role is encoded in the JWT — re-recover to get a fresh token with role=host.
const { body } = await api.recover(h.displayName, h.pin);
await use({ ...h, jwt: body.jwt });
},
signIn: async ({}, use) => {
const fn = async (page: Page, handle: GuestHandle) => {
// Visit any in-app URL first so localStorage is scoped to the right origin.
await page.goto('/');
await page.evaluate(
({ jwt, pin, userId, displayName }) => {
localStorage.setItem('eventsnap_jwt', jwt);
localStorage.setItem('eventsnap_pin', pin);
localStorage.setItem('eventsnap_user_id', userId);
localStorage.setItem('eventsnap_display_name', displayName);
localStorage.setItem('eventsnap_guide_seen', 'true');
},
handle
);
await page.goto('/feed');
};
await use(fn);
},
});
export { expect };