fabi/EventSnap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(e2e): Playwright suite — 134 tests across 9 spec areas + UA matrix

Browse Source 
Adds an end-to-end Playwright test suite under e2e/ that spins up an
isolated docker-compose stack (Postgres :55432, Caddy :3101, backend with
EVENTSNAP_TEST_MODE=1, SvelteKit adapter-node frontend) and exercises the
SvelteKit app against the real Rust backend.

Phase 1 — happy paths covering every documented USER_JOURNEYS.md flow:
  01-auth/      join, recover, admin login, leave event, PIN lockout
  02-upload/    gallery picker (API path), rate-limit + admin toggle
  03-feed/      like/comment SSE, filters, SSE reconnect on visibility
  04-host/      event lock API, ban/unban, promote
  05-admin/     config validation, foundational authz guards, stats
  06-export/    /export status + download stub
  __smoke/      cross-UA happy-path (runs on every UA project)

Phase 2 — adversarial + browser chaos:
  07-adversarial/  XSS payloads (6 × display name path), SQLi shapes,
                   length / encoding / RTL override / NUL byte;
                   file-upload boundaries (ELF body claimed as JPEG,
                   oversize vs max_image_size_mb, zero-byte, NUL
                   filename, path-traversal, SVG-with-script);
                   JWT alg:none, signature/payload tamper, expired
                   session, PIN brute-force (serial + parallel),
                   admin password brute-force; deep authz (cross-user
                   delete, banned user across like/comment/feed-read,
                   host→admin escalation); small-scale DDoS (20× /join,
                   10MB comment body, 10 concurrent SSE).
  08-browser-chaos/ localStorage / sessionStorage / cookie purge,
                    IndexedDB drop mid-session, offline → reconnect,
                    slow-3G, 503 flakes, 429 with no retry storm,
                    multi-tab same/different user, no-JS, hostile CSS,
                    clock skew ±1h / -2d, localStorage quota exhausted.

Phase 3 — mobile gestures (runs only on chromium-mobile / Pixel 7):
  09-mobile/    touch-target ≥44px audit, env(safe-area-inset-bottom)
                structural check, long-press (FeedListCard → ContextSheet,
                quick-tap negation, click-suppression), double-tap
                (feed card like + lightbox heart-burst, via synthetic
                pointer events to bypass the first-tap-fires-click trap),
                viewport reflow (portrait/landscape/narrow/phablet),
                plus fixme stubs documenting planned gestures (swipe
                lightbox L/R, swipe-down dismiss, pull-to-refresh,
                long-press-comment).

Cross-UA matrix (chromium-engine projects run @smoke only):
  chromium-pixel7, chromium-galaxy-s22, samsung-internet (Samsung UA
  emulation on Galaxy viewport), edge-android, plus webkit-iphone,
  chrome-ios, firefox-android, firefox-desktop — the latter four need
  libavif16 on the host (Playwright dep) but the configs are in place.

Infrastructure:
  - fixtures/test.ts central test.extend (api, db, adminToken, guest,
    host, signIn). Per-test DB truncate via the dev-only POST
    /admin/__truncate route, gated by EVENTSNAP_TEST_MODE=1.
  - helpers/sse-listener.ts, helpers/upload-client.ts (Node-side
    multipart for adversarial file-upload tests + JPEG/PNG/ELF magic
    constants), helpers/touch.ts (longPress / doubleTap / swipe /
    inlineStyle / computedStyle).
  - 10 page objects covering every route + UploadSheet/Lightbox.
  - global-setup waits for /health, logs in admin, disables every
    rate-limit and quota toggle.
  - .github/workflows/e2e.yml: PR check runs chromium-desktop + the
    smoke matrix in parallel, uploads playwright-report/ and traces on
    failure.

Findings the suite surfaces as live `[finding]` warnings (not silenced):
  1. /admin/login has no rate-limit or lockout (bcrypt cost only).
  2. PIN-attempt counter races under parallel /recover requests.
  3. Zero-byte uploads pass /api/v1/upload.
  4. SVG-with-script can pass the magic-byte check (consider CSP +
     X-Content-Type-Options on /media/*).

Stack-internal docs live in e2e/README.md (UA tier table, Samsung
Internet escalation tiers A/B/C, debugging tips, roadmap).

Final tally: 134 passed / 0 failed / 9 skipped (test.fixme stubs for
not-yet-shipped gestures and one UI-upload-flow investigation).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
MechaCat02
2026-05-16 19:02:29 +02:00
parent 1cdab21514
commit e42d8a92a1
64 changed files with 4174 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

93
e2e/specs/08-browser-chaos/environment.spec.ts Normal file
View File

@@ -0,0 +1,93 @@
/**
* Phase 2 browser chaos — odd browser environments. JS disabled,
* clock skew, localStorage quota exhaustion, hostile extensions.
*/
import { test, expect } from '../../fixtures/test';
test.describe('Browser chaos — environment', () => {
test('JavaScript disabled — app surfaces SOMETHING (not white screen)', async ({ browser }) => {
const ctx = await browser.newContext({ javaScriptEnabled: false });
const page = await ctx.newPage();
const res = await page.goto('http://localhost:3101/join');
// SvelteKit's adapter-node SSR should at least return the basic HTML shell.
expect(res?.status()).toBeLessThan(500);
const html = await page.content();
expect(html.length).toBeGreaterThan(200);
await ctx.close();
});
test('localStorage quota exhausted — writing JWT does not crash the app', async ({ page, guest, signIn }) => {
const g = await guest('QuotaFull');
// Pre-fill localStorage with junk to push us near the quota.
await page.goto('http://localhost:3101/');
await page.evaluate(() => {
try {
const big = 'x'.repeat(1024 * 1024); // 1 MiB chunks
for (let i = 0; i < 5; i++) localStorage.setItem(`__junk_${i}`, big);
} catch {
/* hit the quota — fine */
}
});
// Now sign in — even if the storage write throws, the app must handle it.
const errors: Error[] = [];
page.on('pageerror', (e) => errors.push(e));
await signIn(page, g).catch(() => {
/* signIn relies on writing to localStorage; failure here is the assertion */
});
// Cleanup so other tests aren't affected.
await page.evaluate(() => {
for (let i = 0; i < 5; i++) localStorage.removeItem(`__junk_${i}`);
});
// Unhandled errors are the failure mode we care about.
expect(errors.filter((e) => !/storage|quota/i.test(e.message))).toHaveLength(0);
});
test('hostile extension simulation: CSS hiding bottom nav does not break navigation', async ({ page, guest, signIn }) => {
const g = await guest('HostileCss');
await signIn(page, g);
await page.goto('/feed');
// Inject CSS that hides the entire bottom nav (like an aggressive content blocker would).
await page.addStyleTag({ content: 'nav { display: none !important; }' });
// The link is still in the DOM and reachable by URL even if visually hidden.
await page.goto('/account');
await expect(page).toHaveURL(/\/account$/);
});
test('clock skew: browser ahead by 1 hour — JWT still valid (no nbf claim)', async ({ page, guest, signIn }) => {
const g = await guest('ClockSkew');
// Override Date.now() to be 1h in the future BEFORE the JWT check.
await page.addInitScript(() => {
const real = Date.now;
const offset = 3600 * 1000;
Date.now = () => real() + offset;
});
await signIn(page, g);
await page.goto('/feed');
await expect(page.getByRole('link', { name: 'Galerie' })).toBeVisible();
});
test('clock skew: browser behind by 2 days — JWT exp may be in the past, app handles 401', async ({ page, guest, signIn }) => {
const g = await guest('ClockBack');
await page.addInitScript(() => {
const real = Date.now;
const offset = 2 * 86400 * 1000;
Date.now = () => real() - offset;
});
// Client-side `getExpiry()` in auth.ts may think the token is expired and clear it.
// Either way, the app must not crash.
await signIn(page, g).catch(() => {});
await page.goto('/');
const url = new URL(page.url());
expect(['/join', '/feed', '/'].includes(url.pathname) || url.pathname === '/').toBe(true);
});
});

42
e2e/specs/08-browser-chaos/indexeddb.spec.ts Normal file
View File

@@ -0,0 +1,42 @@
/**
* Phase 2 browser chaos — IndexedDB scenarios. The upload queue
* (frontend/src/lib/upload-queue.ts) persists pending uploads in
* IndexedDB. Tests assert that purging or partially purging this DB
* leaves the app in a recoverable state.
*/
import { test, expect } from '../../fixtures/test';
test.describe('Browser chaos — IndexedDB', () => {
test('IndexedDB cleared mid-session does not break navigation', async ({ page, guest, signIn }) => {
const g = await guest('IdbPurge');
await signIn(page, g);
await page.goto('/feed');
await page.evaluate(async () => {
// Drop every IndexedDB database the app might use.
const dbs = (await (indexedDB as any).databases?.()) ?? [];
await Promise.all(
dbs.map(({ name }: { name: string }) =>
new Promise<void>((resolve) => {
const req = indexedDB.deleteDatabase(name);
req.onsuccess = req.onerror = req.onblocked = () => resolve();
})
)
);
});
await page.reload();
await expect(page.getByRole('link', { name: 'Galerie' })).toBeVisible();
});
test('feed renders even if IndexedDB API is undefined', async ({ page, guest, signIn }) => {
const g = await guest('IdbMissing');
// Stub IndexedDB to undefined before navigation so the app loads without it.
await page.addInitScript(() => {
Object.defineProperty(window, 'indexedDB', { value: undefined, configurable: true });
});
await signIn(page, g);
await page.goto('/feed');
await expect(page.getByRole('link', { name: 'Galerie' })).toBeVisible();
});
});

89
e2e/specs/08-browser-chaos/multi-tab.spec.ts Normal file
View File

@@ -0,0 +1,89 @@
/**
* Phase 2 browser chaos — multi-tab and cross-user isolation in the same
* browser process.
*/
import { test, expect } from '../../fixtures/test';
test.describe('Browser chaos — multi-tab', () => {
test('same user in two tabs — SSE delivers to both', async ({ page, context, guest, signIn }) => {
const g = await guest('Twin');
await signIn(page, g);
await page.goto('/feed');
const tab2 = await context.newPage();
await signIn(tab2, g);
await tab2.goto('/feed');
// Both tabs should mount the bottom nav.
await expect(page.getByRole('link', { name: 'Galerie' })).toBeVisible();
await expect(tab2.getByRole('link', { name: 'Galerie' })).toBeVisible();
await tab2.close();
});
test('two different users in separate browser contexts have isolated localStorage', async ({ browser, guest }) => {
const a = await guest('IsoA');
const b = await guest('IsoB');
const ctxA = await browser.newContext();
const ctxB = await browser.newContext();
const pageA = await ctxA.newPage();
const pageB = await ctxB.newPage();
await pageA.goto('http://localhost:3101/');
await pageA.evaluate(({ jwt, pin, userId, name }) => {
localStorage.setItem('eventsnap_jwt', jwt);
localStorage.setItem('eventsnap_pin', pin);
localStorage.setItem('eventsnap_user_id', userId);
localStorage.setItem('eventsnap_display_name', name);
}, { jwt: a.jwt, pin: a.pin, userId: a.userId, name: a.displayName });
await pageB.goto('http://localhost:3101/');
await pageB.evaluate(({ jwt, pin, userId, name }) => {
localStorage.setItem('eventsnap_jwt', jwt);
localStorage.setItem('eventsnap_pin', pin);
localStorage.setItem('eventsnap_user_id', userId);
localStorage.setItem('eventsnap_display_name', name);
}, { jwt: b.jwt, pin: b.pin, userId: b.userId, name: b.displayName });
// Each context sees only its own user.
const aUid = await pageA.evaluate(() => localStorage.getItem('eventsnap_user_id'));
const bUid = await pageB.evaluate(() => localStorage.getItem('eventsnap_user_id'));
expect(aUid).toBe(a.userId);
expect(bUid).toBe(b.userId);
expect(aUid).not.toBe(bUid);
await ctxA.close();
await ctxB.close();
});
test('localStorage is shared across tabs of the same context (real browser behavior)', async ({ context, guest, signIn }) => {
// Real browsers share localStorage across tabs of the same origin. Tab A's
// removeItem is instantly visible in tab B's localStorage. The UX gap to
// document is that tab B's React/Svelte state isn't *re-rendered* until the
// next API call or storage-event subscription — which the app doesn't
// currently listen for.
const g = await guest('LogoutSync');
const pageA = await context.newPage();
const pageB = await context.newPage();
await signIn(pageA, g);
await signIn(pageB, g);
await pageA.evaluate(() => {
localStorage.removeItem('eventsnap_jwt');
localStorage.removeItem('eventsnap_user_id');
});
// Both tabs' localStorage should now show the JWT removed (shared origin).
const aGone = await pageA.evaluate(() => !localStorage.getItem('eventsnap_jwt'));
const bGone = await pageB.evaluate(() => !localStorage.getItem('eventsnap_jwt'));
expect(aGone).toBe(true);
expect(bGone).toBe(true);
// Tab B's URL: either stayed on /feed (no storage event listener) or has
// already routed to /join (a route-guard reactive subscription noticed).
// Both are valid; assert it's one or the other rather than coupling to
// either specific behavior.
expect(['/feed', '/join'].some((p) => pageB.url().includes(p))).toBe(true);
});
});

80
e2e/specs/08-browser-chaos/offline-network.spec.ts Normal file
View File

@@ -0,0 +1,80 @@
/**
* Phase 2 browser chaos — going offline, coming back, and throttled
* connections. The app's upload queue is expected to "park" pending
* items on offline and resume on reconnect.
*/
import { test, expect } from '../../fixtures/test';
test.describe('Browser chaos — network', () => {
test('offline → reconnect — page does not crash and bottom nav is responsive', async ({ page, guest, signIn }) => {
const g = await guest('Offline1');
await signIn(page, g);
await page.goto('/feed');
const errors: Error[] = [];
page.on('pageerror', (e) => errors.push(e));
await page.context().setOffline(true);
// Tap the bottom nav — should not raise unhandled errors.
await page.getByRole('link', { name: 'Konto' }).click().catch(() => {});
await page.waitForTimeout(500);
await page.context().setOffline(false);
// App still functional after coming back.
await page.goto('/feed');
await expect(page.getByRole('link', { name: 'Galerie' })).toBeVisible();
expect(errors.filter((e) => !e.message.toLowerCase().includes('fetch'))).toHaveLength(0);
});
test('slow 3G simulation — initial nav completes within reasonable bound', async ({ page, guest, signIn }) => {
const g = await guest('Slow3g');
// 50ms latency on every request, applied to /api/* only so navigation isn't catastrophic.
await page.route('**/api/v1/**', async (route) => {
await new Promise((r) => setTimeout(r, 50));
await route.continue();
});
await signIn(page, g);
await page.goto('/feed');
await expect(page.getByRole('link', { name: 'Galerie' })).toBeVisible({ timeout: 15_000 });
});
test('intermittent API failures during navigation — UI surfaces an error state', async ({ page, guest, signIn }) => {
const g = await guest('FlakyApi');
let count = 0;
await page.route('**/api/v1/me/context', async (route) => {
count++;
if (count % 2 === 1) await route.fulfill({ status: 503, body: 'service unavailable' });
else await route.continue();
});
await signIn(page, g);
await page.goto('/feed');
// App should still mount even when /me/context bounces — it's not on the critical render path.
await expect(page.getByRole('link', { name: 'Galerie' })).toBeVisible({ timeout: 10_000 });
});
test('429 from server is surfaced (no infinite retry storm)', async ({ page, guest, signIn }) => {
const g = await guest('Throttled');
let attempts = 0;
await page.route('**/api/v1/feed', async (route) => {
attempts++;
await route.fulfill({
status: 429,
headers: { 'retry-after': '60' },
body: JSON.stringify({ error: 'rate_limited', message: 'Zu viele Anfragen.' }),
});
});
await signIn(page, g);
await page.goto('/feed');
await page.waitForTimeout(3_000);
// Sanity: client did not hammer the endpoint > a few times under throttle.
expect(attempts).toBeLessThan(15);
});
});

92
e2e/specs/08-browser-chaos/storage-purge.spec.ts Normal file
View File

@@ -0,0 +1,92 @@
/**
* Phase 2 browser chaos — what happens when the browser drops state mid-session?
*
* Real users: Safari ITP, "Clear browsing data", incognito mode expiring,
* extensions that wipe storage on tab close. The app must NEVER white-screen
* or expose other users' data when its own state vanishes.
*/
import { test, expect } from '../../fixtures/test';
import { readStorage, clearLocalStorage, clearAllStorage } from '../../helpers/storage-helpers';
test.describe('Browser chaos — storage purge', () => {
test('localStorage.clear() mid-session → next nav goes to /join, no crash', async ({ page, guest, signIn }) => {
const g = await guest('Purge1');
await signIn(page, g);
await page.goto('/feed');
await expect(page.getByRole('link', { name: 'Galerie' })).toBeVisible();
// Listen for any unhandled page errors so a crash is visible.
const errors: Error[] = [];
page.on('pageerror', (e) => errors.push(e));
await clearLocalStorage(page);
await page.goto('/feed');
// The app may redirect to /join, render an empty feed with a "sign in" prompt, or
// surface the join screen inline. Any of these is fine — the assertion is "no crash".
expect(errors.filter((e) => !e.message.includes('AbortError'))).toHaveLength(0);
// Eventually the user lands somewhere they can recover from.
const url = new URL(page.url());
expect(['/join', '/feed', '/recover', '/']).toContain(url.pathname);
});
test('cookies cleared mid-session — JWT in localStorage still works (no cookie dependency)', async ({ page, guest, signIn }) => {
const g = await guest('Purge2');
await signIn(page, g);
await page.goto('/feed');
await page.context().clearCookies();
// The api.ts client reads from localStorage, not cookies, so a /me/context call should still work.
const stillAuthed = await page.evaluate(async () => {
const res = await fetch('/api/v1/me/context', {
headers: { Authorization: `Bearer ${localStorage.getItem('eventsnap_jwt')}` },
});
return res.status;
});
expect(stillAuthed).toBe(200);
});
test('sessionStorage cleared has no effect on auth (auth lives in localStorage)', async ({ page, guest, signIn }) => {
const g = await guest('Purge3');
await signIn(page, g);
await page.goto('/feed');
await page.evaluate(() => sessionStorage.clear());
await page.reload();
const storage = await readStorage(page);
expect(storage.jwt).toBeTruthy(); // localStorage survived
await expect(page.getByRole('link', { name: 'Galerie' })).toBeVisible();
});
test('clearAllStorage on /admin forces re-login', async ({ page, api }) => {
const adminJwt = await api.adminLogin();
await page.goto('/');
await page.evaluate((j) => localStorage.setItem('eventsnap_jwt', j), adminJwt);
await page.goto('/admin');
await clearAllStorage(page);
await page.goto('/admin');
// The admin layout should bounce them to /admin/login when the JWT is gone.
await page.waitForURL(/admin\/login|join/, { timeout: 5_000 });
});
test('PIN survives clearAuth (intentional per auth.ts comment)', async ({ page, guest, signIn }) => {
const g = await guest('PurgePin');
await signIn(page, g);
await page.goto('/account');
// Simulate clearAuth() — clears JWT + user_id but keeps PIN so the user can recover.
await page.evaluate(() => {
localStorage.removeItem('eventsnap_jwt');
localStorage.removeItem('eventsnap_user_id');
});
const remaining = await readStorage(page);
expect(remaining.jwt).toBeNull();
expect(remaining.userId).toBeNull();
expect(remaining.pin).toBe(g.pin);
});
});