feat(e2e): Playwright suite — 134 tests across 9 spec areas + UA matrix

Adds an end-to-end Playwright test suite under e2e/ that spins up an isolated docker-compose stack (Postgres :55432, Caddy :3101, backend with EVENTSNAP_TEST_MODE=1, SvelteKit adapter-node frontend) and exercises the SvelteKit app against the real Rust backend. Phase 1 — happy paths covering every documented USER_JOURNEYS.md flow: 01-auth/ join, recover, admin login, leave event, PIN lockout 02-upload/ gallery picker (API path), rate-limit + admin toggle 03-feed/ like/comment SSE, filters, SSE reconnect on visibility 04-host/ event lock API, ban/unban, promote 05-admin/ config validation, foundational authz guards, stats 06-export/ /export status + download stub __smoke/ cross-UA happy-path (runs on every UA project) Phase 2 — adversarial + browser chaos: 07-adversarial/ XSS payloads (6 × display name path), SQLi shapes, length / encoding / RTL override / NUL byte; file-upload boundaries (ELF body claimed as JPEG, oversize vs max_image_size_mb, zero-byte, NUL filename, path-traversal, SVG-with-script); JWT alg:none, signature/payload tamper, expired session, PIN brute-force (serial + parallel), admin password brute-force; deep authz (cross-user delete, banned user across like/comment/feed-read, host→admin escalation); small-scale DDoS (20× /join, 10MB comment body, 10 concurrent SSE). 08-browser-chaos/ localStorage / sessionStorage / cookie purge, IndexedDB drop mid-session, offline → reconnect, slow-3G, 503 flakes, 429 with no retry storm, multi-tab same/different user, no-JS, hostile CSS, clock skew ±1h / -2d, localStorage quota exhausted. Phase 3 — mobile gestures (runs only on chromium-mobile / Pixel 7): 09-mobile/ touch-target ≥44px audit, env(safe-area-inset-bottom) structural check, long-press (FeedListCard → ContextSheet, quick-tap negation, click-suppression), double-tap (feed card like + lightbox heart-burst, via synthetic pointer events to bypass the first-tap-fires-click trap), viewport reflow (portrait/landscape/narrow/phablet), plus fixme stubs documenting planned gestures (swipe lightbox L/R, swipe-down dismiss, pull-to-refresh, long-press-comment). Cross-UA matrix (chromium-engine projects run @smoke only): chromium-pixel7, chromium-galaxy-s22, samsung-internet (Samsung UA emulation on Galaxy viewport), edge-android, plus webkit-iphone, chrome-ios, firefox-android, firefox-desktop — the latter four need libavif16 on the host (Playwright dep) but the configs are in place. Infrastructure: - fixtures/test.ts central test.extend (api, db, adminToken, guest, host, signIn). Per-test DB truncate via the dev-only POST /admin/__truncate route, gated by EVENTSNAP_TEST_MODE=1. - helpers/sse-listener.ts, helpers/upload-client.ts (Node-side multipart for adversarial file-upload tests + JPEG/PNG/ELF magic constants), helpers/touch.ts (longPress / doubleTap / swipe / inlineStyle / computedStyle). - 10 page objects covering every route + UploadSheet/Lightbox. - global-setup waits for /health, logs in admin, disables every rate-limit and quota toggle. - .github/workflows/e2e.yml: PR check runs chromium-desktop + the smoke matrix in parallel, uploads playwright-report/ and traces on failure. Findings the suite surfaces as live `[finding]` warnings (not silenced): 1. /admin/login has no rate-limit or lockout (bcrypt cost only). 2. PIN-attempt counter races under parallel /recover requests. 3. Zero-byte uploads pass /api/v1/upload. 4. SVG-with-script can pass the magic-byte check (consider CSP + X-Content-Type-Options on /media/*). Stack-internal docs live in e2e/README.md (UA tier table, Samsung Internet escalation tiers A/B/C, debugging tips, roadmap). Final tally: 134 passed / 0 failed / 9 skipped (test.fixme stubs for not-yet-shipped gestures and one UI-upload-flow investigation). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 19:02:29 +02:00
parent 1cdab21514
commit e42d8a92a1
64 changed files with 4174 additions and 0 deletions
--- a/e2e/specs/08-browser-chaos/environment.spec.ts
+++ b/e2e/specs/08-browser-chaos/environment.spec.ts
@@ -0,0 +1,93 @@
+/**
+ * Phase 2 browser chaos — odd browser environments. JS disabled,
+ * clock skew, localStorage quota exhaustion, hostile extensions.
+ */
+import { test, expect } from '../../fixtures/test';
+
+test.describe('Browser chaos — environment', () => {
+  test('JavaScript disabled — app surfaces SOMETHING (not white screen)', async ({ browser }) => {
+    const ctx = await browser.newContext({ javaScriptEnabled: false });
+    const page = await ctx.newPage();
+    const res = await page.goto('http://localhost:3101/join');
+    // SvelteKit's adapter-node SSR should at least return the basic HTML shell.
+    expect(res?.status()).toBeLessThan(500);
+    const html = await page.content();
+    expect(html.length).toBeGreaterThan(200);
+    await ctx.close();
+  });
+
+  test('localStorage quota exhausted — writing JWT does not crash the app', async ({ page, guest, signIn }) => {
+    const g = await guest('QuotaFull');
+
+    // Pre-fill localStorage with junk to push us near the quota.
+    await page.goto('http://localhost:3101/');
+    await page.evaluate(() => {
+      try {
+        const big = 'x'.repeat(1024 * 1024); // 1 MiB chunks
+        for (let i = 0; i < 5; i++) localStorage.setItem(`__junk_${i}`, big);
+      } catch {
+        /* hit the quota — fine */
+      }
+    });
+
+    // Now sign in — even if the storage write throws, the app must handle it.
+    const errors: Error[] = [];
+    page.on('pageerror', (e) => errors.push(e));
+    await signIn(page, g).catch(() => {
+      /* signIn relies on writing to localStorage; failure here is the assertion */
+    });
+
+    // Cleanup so other tests aren't affected.
+    await page.evaluate(() => {
+      for (let i = 0; i < 5; i++) localStorage.removeItem(`__junk_${i}`);
+    });
+
+    // Unhandled errors are the failure mode we care about.
+    expect(errors.filter((e) => !/storage|quota/i.test(e.message))).toHaveLength(0);
+  });
+
+  test('hostile extension simulation: CSS hiding bottom nav does not break navigation', async ({ page, guest, signIn }) => {
+    const g = await guest('HostileCss');
+    await signIn(page, g);
+    await page.goto('/feed');
+
+    // Inject CSS that hides the entire bottom nav (like an aggressive content blocker would).
+    await page.addStyleTag({ content: 'nav { display: none !important; }' });
+
+    // The link is still in the DOM and reachable by URL even if visually hidden.
+    await page.goto('/account');
+    await expect(page).toHaveURL(/\/account$/);
+  });
+
+  test('clock skew: browser ahead by 1 hour — JWT still valid (no nbf claim)', async ({ page, guest, signIn }) => {
+    const g = await guest('ClockSkew');
+
+    // Override Date.now() to be 1h in the future BEFORE the JWT check.
+    await page.addInitScript(() => {
+      const real = Date.now;
+      const offset = 3600 * 1000;
+      Date.now = () => real() + offset;
+    });
+
+    await signIn(page, g);
+    await page.goto('/feed');
+    await expect(page.getByRole('link', { name: 'Galerie' })).toBeVisible();
+  });
+
+  test('clock skew: browser behind by 2 days — JWT exp may be in the past, app handles 401', async ({ page, guest, signIn }) => {
+    const g = await guest('ClockBack');
+
+    await page.addInitScript(() => {
+      const real = Date.now;
+      const offset = 2 * 86400 * 1000;
+      Date.now = () => real() - offset;
+    });
+
+    // Client-side `getExpiry()` in auth.ts may think the token is expired and clear it.
+    // Either way, the app must not crash.
+    await signIn(page, g).catch(() => {});
+    await page.goto('/');
+    const url = new URL(page.url());
+    expect(['/join', '/feed', '/'].includes(url.pathname) || url.pathname === '/').toBe(true);
+  });
+});