fabi/EventSnap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(e2e): Playwright suite — 134 tests across 9 spec areas + UA matrix

Browse Source 
Adds an end-to-end Playwright test suite under e2e/ that spins up an
isolated docker-compose stack (Postgres :55432, Caddy :3101, backend with
EVENTSNAP_TEST_MODE=1, SvelteKit adapter-node frontend) and exercises the
SvelteKit app against the real Rust backend.

Phase 1 — happy paths covering every documented USER_JOURNEYS.md flow:
  01-auth/      join, recover, admin login, leave event, PIN lockout
  02-upload/    gallery picker (API path), rate-limit + admin toggle
  03-feed/      like/comment SSE, filters, SSE reconnect on visibility
  04-host/      event lock API, ban/unban, promote
  05-admin/     config validation, foundational authz guards, stats
  06-export/    /export status + download stub
  __smoke/      cross-UA happy-path (runs on every UA project)

Phase 2 — adversarial + browser chaos:
  07-adversarial/  XSS payloads (6 × display name path), SQLi shapes,
                   length / encoding / RTL override / NUL byte;
                   file-upload boundaries (ELF body claimed as JPEG,
                   oversize vs max_image_size_mb, zero-byte, NUL
                   filename, path-traversal, SVG-with-script);
                   JWT alg:none, signature/payload tamper, expired
                   session, PIN brute-force (serial + parallel),
                   admin password brute-force; deep authz (cross-user
                   delete, banned user across like/comment/feed-read,
                   host→admin escalation); small-scale DDoS (20× /join,
                   10MB comment body, 10 concurrent SSE).
  08-browser-chaos/ localStorage / sessionStorage / cookie purge,
                    IndexedDB drop mid-session, offline → reconnect,
                    slow-3G, 503 flakes, 429 with no retry storm,
                    multi-tab same/different user, no-JS, hostile CSS,
                    clock skew ±1h / -2d, localStorage quota exhausted.

Phase 3 — mobile gestures (runs only on chromium-mobile / Pixel 7):
  09-mobile/    touch-target ≥44px audit, env(safe-area-inset-bottom)
                structural check, long-press (FeedListCard → ContextSheet,
                quick-tap negation, click-suppression), double-tap
                (feed card like + lightbox heart-burst, via synthetic
                pointer events to bypass the first-tap-fires-click trap),
                viewport reflow (portrait/landscape/narrow/phablet),
                plus fixme stubs documenting planned gestures (swipe
                lightbox L/R, swipe-down dismiss, pull-to-refresh,
                long-press-comment).

Cross-UA matrix (chromium-engine projects run @smoke only):
  chromium-pixel7, chromium-galaxy-s22, samsung-internet (Samsung UA
  emulation on Galaxy viewport), edge-android, plus webkit-iphone,
  chrome-ios, firefox-android, firefox-desktop — the latter four need
  libavif16 on the host (Playwright dep) but the configs are in place.

Infrastructure:
  - fixtures/test.ts central test.extend (api, db, adminToken, guest,
    host, signIn). Per-test DB truncate via the dev-only POST
    /admin/__truncate route, gated by EVENTSNAP_TEST_MODE=1.
  - helpers/sse-listener.ts, helpers/upload-client.ts (Node-side
    multipart for adversarial file-upload tests + JPEG/PNG/ELF magic
    constants), helpers/touch.ts (longPress / doubleTap / swipe /
    inlineStyle / computedStyle).
  - 10 page objects covering every route + UploadSheet/Lightbox.
  - global-setup waits for /health, logs in admin, disables every
    rate-limit and quota toggle.
  - .github/workflows/e2e.yml: PR check runs chromium-desktop + the
    smoke matrix in parallel, uploads playwright-report/ and traces on
    failure.

Findings the suite surfaces as live `[finding]` warnings (not silenced):
  1. /admin/login has no rate-limit or lockout (bcrypt cost only).
  2. PIN-attempt counter races under parallel /recover requests.
  3. Zero-byte uploads pass /api/v1/upload.
  4. SVG-with-script can pass the magic-byte check (consider CSP +
     X-Content-Type-Options on /media/*).

Stack-internal docs live in e2e/README.md (UA tier table, Samsung
Internet escalation tiers A/B/C, debugging tips, roadmap).

Final tally: 134 passed / 0 failed / 9 skipped (test.fixme stubs for
not-yet-shipped gestures and one UI-upload-flow investigation).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
MechaCat02
2026-05-16 19:02:29 +02:00
parent 1cdab21514
commit e42d8a92a1
64 changed files with 4174 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
e2e/specs/01-auth/admin-login.spec.ts Normal file
View File

@@ -0,0 +1,45 @@
/**
* USER_JOURNEYS.md §11 — admin login. Tests the /admin/login route and
* the redirect-while-already-logged-in shortcut.
*/
import { test, expect } from '../../fixtures/test';
import { AdminLoginPage } from '../../page-objects';
import { ADMIN_PASSWORD } from '../../fixtures/api-client';
test.describe('Auth — admin login', () => {
test('correct password → /admin dashboard', async ({ page }) => {
const login = new AdminLoginPage(page);
await login.goto();
await login.login(ADMIN_PASSWORD);
await page.waitForURL('**/admin', { timeout: 10_000 });
// Admin JWT should now be in localStorage (admin uses the same key, just with role=admin in the payload)
const role = await page.evaluate(() => {
const token = localStorage.getItem('eventsnap_jwt');
if (!token) return null;
try {
return JSON.parse(atob(token.split('.')[1])).role;
} catch {
return null;
}
});
expect(role).toBe('admin');
});
test('wrong password → error, no token written', async ({ page }) => {
const login = new AdminLoginPage(page);
await login.goto();
await login.login('definitely-not-the-password');
await expect(login.errorMessage).toContainText(/falsch|forbidden|password/i);
const token = await page.evaluate(() => localStorage.getItem('eventsnap_jwt'));
expect(token).toBeNull();
});
test('already logged in as admin → auto-redirect to /admin', async ({ page, api }) => {
const adminJwt = await api.adminLogin();
await page.goto('/');
await page.evaluate((jwt) => localStorage.setItem('eventsnap_jwt', jwt), adminJwt);
await page.goto('/admin/login');
await page.waitForURL('**/admin', { timeout: 5_000 });
});
});

135
e2e/specs/01-auth/join.spec.ts Normal file
View File

@@ -0,0 +1,135 @@
/**
* USER_JOURNEYS.md §1 (First-time guest), §2 (Returning guest, same device),
* §3 (Returning guest, new device). Covers the happy path through
* /join, the PIN modal, the onboarding overlay landing, and the
* name-already-taken recovery transformation.
*/
import { test, expect } from '../../fixtures/test';
import { JoinPage } from '../../page-objects';
import { readStorage, STORAGE_KEYS, clearAllStorage } from '../../helpers/storage-helpers';
test.describe('Auth — join flow', () => {
test('happy path: name → PIN modal → feed @smoke', async ({ page }) => {
const join = new JoinPage(page);
await join.goto();
await expect(page.getByRole('heading', { name: 'Willkommen!' })).toBeVisible();
const { pin } = await join.joinAs('Alice');
expect(pin).toMatch(/^\d{4}$/);
// PIN copy button toggles to "Kopiert!" on click
await join.pinCopyButton.click();
await expect(join.pinCopyButton).toHaveText(/Kopiert/i);
await join.continueToFeed();
await expect(page).toHaveURL(/\/feed$/);
const storage = await readStorage(page);
expect(storage.jwt, 'JWT in localStorage').toMatch(/^eyJ/);
expect(storage.pin).toBe(pin);
expect(storage.userId).toMatch(/^[0-9a-f-]{36}$/);
expect(storage.displayName).toBe('Alice');
});
test('returning guest with valid JWT is redirected to /feed', async ({ page, guest, signIn }) => {
const alice = await guest('Bob');
await signIn(page, alice);
// Now visit the root — should auto-redirect to /feed.
await page.goto('/');
await page.waitForURL('**/feed', { timeout: 5_000 });
});
test('returning guest, new device: same name shows the inline recovery form', async ({ page, guest }) => {
const original = await guest('Charlie');
// Brand-new browser context (cleared storage) — landing on /join with same name
await clearAllStorage(page);
const join = new JoinPage(page);
await join.goto();
await join.fillName('Charlie');
await join.submit();
await expect(join.recoveryPinInput).toBeVisible();
await expect(page.getByText(/Charlie.*bereits vergeben/)).toBeVisible();
// Type correct PIN → land on /feed with a new JWT
await join.recoveryPinInput.fill(original.pin);
await join.recoverySubmit.click();
await page.waitForURL('**/feed');
const storage = await readStorage(page);
expect(storage.userId).toBe(original.userId);
expect(storage.pin).toBe(original.pin);
});
test('wrong PIN three times locks the account for 15 minutes', async ({ page, guest, db }) => {
const dave = await guest('Dave');
await clearAllStorage(page);
const join = new JoinPage(page);
await join.goto();
await join.fillName('Dave');
await join.submit();
await expect(join.recoveryPinInput).toBeVisible();
// Wrong PIN (real one is dave.pin)
const wrong = dave.pin === '0000' ? '1111' : '0000';
for (let i = 0; i < 3; i++) {
await join.recoveryPinInput.fill(wrong);
await join.recoverySubmit.click();
await expect(join.recoveryError).toBeVisible();
}
// Fourth attempt should hit the 429 lockout (even with the correct PIN now)
await join.recoveryPinInput.fill(dave.pin);
await join.recoverySubmit.click();
await expect(join.recoveryError).toContainText(/15 Minuten/);
// Sanity: DB row reflects the lock
// (The handler sets pin_locked_until directly — verify via API "recover" returning 429)
void db; // unused for now, documenting that db.lockUserPin exists if we want shortcut path
});
test('"Anderen Namen wählen" returns to the normal join form', async ({ page, guest }) => {
await guest('Eve');
await clearAllStorage(page);
const join = new JoinPage(page);
await join.goto();
await join.fillName('Eve');
await join.submit();
await expect(join.recoveryPinInput).toBeVisible();
await join.tryDifferentNameButton.click();
await expect(join.nameInput).toBeVisible();
await expect(join.recoveryPinInput).not.toBeVisible();
});
test('"Ich habe bereits einen Account" link routes to /recover', async ({ page }) => {
const join = new JoinPage(page);
await join.goto();
await join.linkToRecover.click();
await expect(page).toHaveURL(/\/recover$/);
});
test('JWT and PIN keys are exactly the ones auth.ts expects', async ({ page, guest, signIn }) => {
const handle = await guest('Frank');
await signIn(page, handle);
// Read raw localStorage to make sure no test accidentally uses a different key.
const raw = await page.evaluate(() => ({
jwt: localStorage.getItem('eventsnap_jwt'),
pin: localStorage.getItem('eventsnap_pin'),
userId: localStorage.getItem('eventsnap_user_id'),
displayName: localStorage.getItem('eventsnap_display_name'),
}));
expect(raw.jwt).toBe(handle.jwt);
expect(raw.pin).toBe(handle.pin);
expect(raw.userId).toBe(handle.userId);
expect(raw.displayName).toBe('Frank');
// Sanity: the keys we just checked match STORAGE_KEYS in storage-helpers.ts
expect(STORAGE_KEYS.jwt).toBe('eventsnap_jwt');
});
});

25
e2e/specs/01-auth/leave-event.spec.ts Normal file
View File

@@ -0,0 +1,25 @@
/**
* USER_JOURNEYS.md §15 — leaving an event clears auth and routes to /join.
* The journey doc spells out: clears JWT and PIN, calls DELETE /session.
*/
import { test, expect } from '../../fixtures/test';
import { AccountPage } from '../../page-objects';
import { readStorage } from '../../helpers/storage-helpers';
test.describe('Auth — leave event', () => {
test('leave event clears localStorage and redirects to /join', async ({ page, guest, signIn }) => {
const h = await guest('Jens');
await signIn(page, h);
const account = new AccountPage(page);
await account.goto();
await account.leaveEvent();
await expect(page).toHaveURL(/\/join$/);
const storage = await readStorage(page);
expect(storage.jwt, 'JWT should be cleared').toBeNull();
// PIN is intentionally retained per auth.ts so the user can recover.
expect(storage.userId).toBeNull();
});
});

49
e2e/specs/01-auth/recovery.spec.ts Normal file
View File

@@ -0,0 +1,49 @@
/**
* USER_JOURNEYS.md §3 (recovery on a new device). Uses the standalone
* /recover route as well as the inline-recovery flow on /join.
*/
import { test, expect } from '../../fixtures/test';
import { RecoverPage } from '../../page-objects';
import { clearAllStorage } from '../../helpers/storage-helpers';
test.describe('Auth — /recover route', () => {
test('happy path: correct name + PIN → /feed', async ({ page, guest }) => {
const handle = await guest('Greta');
await clearAllStorage(page);
const recover = new RecoverPage(page);
await recover.goto();
await recover.recover('Greta', handle.pin);
await page.waitForURL('**/feed');
});
test('wrong PIN shows the localized error', async ({ page, guest }) => {
const handle = await guest('Hans');
await clearAllStorage(page);
const recover = new RecoverPage(page);
await recover.goto();
await recover.recover('Hans', handle.pin === '9999' ? '0000' : '9999');
await expect(recover.errorMessage).toContainText(/PIN ist falsch|falsch/i);
});
test('non-existent name returns the "not found" error', async ({ page }) => {
await clearAllStorage(page);
const recover = new RecoverPage(page);
await recover.goto();
await recover.recover('Doesnt-Exist-' + Date.now(), '1234');
await expect(recover.errorMessage).toContainText(/nicht gefunden|kein/i);
});
test('lockout expires and counter resets (per recover handler)', async ({ api, guest, db }) => {
const handle = await guest('Ida');
await db.lockUserPin(handle.userId, 15);
// Direct API call: even the correct PIN must fail while locked.
await api.recover('Ida', handle.pin, { expectedStatus: [429] });
// Now move the lockout into the past.
await db.lockUserPin(handle.userId, -1);
// Correct PIN must succeed, AND the counter must be reset so the next wrong attempt isn't immediately re-locked.
const { body } = await api.recover('Ida', handle.pin, { expectedStatus: [200] });
expect(body.jwt).toBeTruthy();
});
});