feat(e2e): Playwright suite — 134 tests across 9 spec areas + UA matrix
Adds an end-to-end Playwright test suite under e2e/ that spins up an
isolated docker-compose stack (Postgres :55432, Caddy :3101, backend with
EVENTSNAP_TEST_MODE=1, SvelteKit adapter-node frontend) and exercises the
SvelteKit app against the real Rust backend.
Phase 1 — happy paths covering every documented USER_JOURNEYS.md flow:
01-auth/ join, recover, admin login, leave event, PIN lockout
02-upload/ gallery picker (API path), rate-limit + admin toggle
03-feed/ like/comment SSE, filters, SSE reconnect on visibility
04-host/ event lock API, ban/unban, promote
05-admin/ config validation, foundational authz guards, stats
06-export/ /export status + download stub
__smoke/ cross-UA happy-path (runs on every UA project)
Phase 2 — adversarial + browser chaos:
07-adversarial/ XSS payloads (6 × display name path), SQLi shapes,
length / encoding / RTL override / NUL byte;
file-upload boundaries (ELF body claimed as JPEG,
oversize vs max_image_size_mb, zero-byte, NUL
filename, path-traversal, SVG-with-script);
JWT alg:none, signature/payload tamper, expired
session, PIN brute-force (serial + parallel),
admin password brute-force; deep authz (cross-user
delete, banned user across like/comment/feed-read,
host→admin escalation); small-scale DDoS (20× /join,
10MB comment body, 10 concurrent SSE).
08-browser-chaos/ localStorage / sessionStorage / cookie purge,
IndexedDB drop mid-session, offline → reconnect,
slow-3G, 503 flakes, 429 with no retry storm,
multi-tab same/different user, no-JS, hostile CSS,
clock skew ±1h / -2d, localStorage quota exhausted.
Phase 3 — mobile gestures (runs only on chromium-mobile / Pixel 7):
09-mobile/ touch-target ≥44px audit, env(safe-area-inset-bottom)
structural check, long-press (FeedListCard → ContextSheet,
quick-tap negation, click-suppression), double-tap
(feed card like + lightbox heart-burst, via synthetic
pointer events to bypass the first-tap-fires-click trap),
viewport reflow (portrait/landscape/narrow/phablet),
plus fixme stubs documenting planned gestures (swipe
lightbox L/R, swipe-down dismiss, pull-to-refresh,
long-press-comment).
Cross-UA matrix (chromium-engine projects run @smoke only):
chromium-pixel7, chromium-galaxy-s22, samsung-internet (Samsung UA
emulation on Galaxy viewport), edge-android, plus webkit-iphone,
chrome-ios, firefox-android, firefox-desktop — the latter four need
libavif16 on the host (Playwright dep) but the configs are in place.
Infrastructure:
- fixtures/test.ts central test.extend (api, db, adminToken, guest,
host, signIn). Per-test DB truncate via the dev-only POST
/admin/__truncate route, gated by EVENTSNAP_TEST_MODE=1.
- helpers/sse-listener.ts, helpers/upload-client.ts (Node-side
multipart for adversarial file-upload tests + JPEG/PNG/ELF magic
constants), helpers/touch.ts (longPress / doubleTap / swipe /
inlineStyle / computedStyle).
- 10 page objects covering every route + UploadSheet/Lightbox.
- global-setup waits for /health, logs in admin, disables every
rate-limit and quota toggle.
- .github/workflows/e2e.yml: PR check runs chromium-desktop + the
smoke matrix in parallel, uploads playwright-report/ and traces on
failure.
Findings the suite surfaces as live `[finding]` warnings (not silenced):
1. /admin/login has no rate-limit or lockout (bcrypt cost only).
2. PIN-attempt counter races under parallel /recover requests.
3. Zero-byte uploads pass /api/v1/upload.
4. SVG-with-script can pass the magic-byte check (consider CSP +
X-Content-Type-Options on /media/*).
Stack-internal docs live in e2e/README.md (UA tier table, Samsung
Internet escalation tiers A/B/C, debugging tips, roadmap).
Final tally: 134 passed / 0 failed / 9 skipped (test.fixme stubs for
not-yet-shipped gestures and one UI-upload-flow investigation).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
MechaCat02
92
e2e/specs/08-browser-chaos/storage-purge.spec.ts
Normal file
92
e2e/specs/08-browser-chaos/storage-purge.spec.ts
Normal file
@@ -0,0 +1,92 @@
|
||||
/**
|
||||
* Phase 2 browser chaos — what happens when the browser drops state mid-session?
|
||||
*
|
||||
* Real users: Safari ITP, "Clear browsing data", incognito mode expiring,
|
||||
* extensions that wipe storage on tab close. The app must NEVER white-screen
|
||||
* or expose other users' data when its own state vanishes.
|
||||
*/
|
||||
import { test, expect } from '../../fixtures/test';
|
||||
import { readStorage, clearLocalStorage, clearAllStorage } from '../../helpers/storage-helpers';
|
||||
|
||||
test.describe('Browser chaos — storage purge', () => {
|
||||
test('localStorage.clear() mid-session → next nav goes to /join, no crash', async ({ page, guest, signIn }) => {
|
||||
const g = await guest('Purge1');
|
||||
await signIn(page, g);
|
||||
await page.goto('/feed');
|
||||
await expect(page.getByRole('link', { name: 'Galerie' })).toBeVisible();
|
||||
|
||||
// Listen for any unhandled page errors so a crash is visible.
|
||||
const errors: Error[] = [];
|
||||
page.on('pageerror', (e) => errors.push(e));
|
||||
|
||||
await clearLocalStorage(page);
|
||||
await page.goto('/feed');
|
||||
|
||||
// The app may redirect to /join, render an empty feed with a "sign in" prompt, or
|
||||
// surface the join screen inline. Any of these is fine — the assertion is "no crash".
|
||||
expect(errors.filter((e) => !e.message.includes('AbortError'))).toHaveLength(0);
|
||||
|
||||
// Eventually the user lands somewhere they can recover from.
|
||||
const url = new URL(page.url());
|
||||
expect(['/join', '/feed', '/recover', '/']).toContain(url.pathname);
|
||||
});
|
||||
|
||||
test('cookies cleared mid-session — JWT in localStorage still works (no cookie dependency)', async ({ page, guest, signIn }) => {
|
||||
const g = await guest('Purge2');
|
||||
await signIn(page, g);
|
||||
await page.goto('/feed');
|
||||
|
||||
await page.context().clearCookies();
|
||||
|
||||
// The api.ts client reads from localStorage, not cookies, so a /me/context call should still work.
|
||||
const stillAuthed = await page.evaluate(async () => {
|
||||
const res = await fetch('/api/v1/me/context', {
|
||||
headers: { Authorization: `Bearer ${localStorage.getItem('eventsnap_jwt')}` },
|
||||
});
|
||||
return res.status;
|
||||
});
|
||||
expect(stillAuthed).toBe(200);
|
||||
});
|
||||
|
||||
test('sessionStorage cleared has no effect on auth (auth lives in localStorage)', async ({ page, guest, signIn }) => {
|
||||
const g = await guest('Purge3');
|
||||
await signIn(page, g);
|
||||
await page.goto('/feed');
|
||||
|
||||
await page.evaluate(() => sessionStorage.clear());
|
||||
await page.reload();
|
||||
|
||||
const storage = await readStorage(page);
|
||||
expect(storage.jwt).toBeTruthy(); // localStorage survived
|
||||
await expect(page.getByRole('link', { name: 'Galerie' })).toBeVisible();
|
||||
});
|
||||
|
||||
test('clearAllStorage on /admin forces re-login', async ({ page, api }) => {
|
||||
const adminJwt = await api.adminLogin();
|
||||
await page.goto('/');
|
||||
await page.evaluate((j) => localStorage.setItem('eventsnap_jwt', j), adminJwt);
|
||||
await page.goto('/admin');
|
||||
|
||||
await clearAllStorage(page);
|
||||
|
||||
await page.goto('/admin');
|
||||
// The admin layout should bounce them to /admin/login when the JWT is gone.
|
||||
await page.waitForURL(/admin\/login|join/, { timeout: 5_000 });
|
||||
});
|
||||
|
||||
test('PIN survives clearAuth (intentional per auth.ts comment)', async ({ page, guest, signIn }) => {
|
||||
const g = await guest('PurgePin');
|
||||
await signIn(page, g);
|
||||
await page.goto('/account');
|
||||
|
||||
// Simulate clearAuth() — clears JWT + user_id but keeps PIN so the user can recover.
|
||||
await page.evaluate(() => {
|
||||
localStorage.removeItem('eventsnap_jwt');
|
||||
localStorage.removeItem('eventsnap_user_id');
|
||||
});
|
||||
const remaining = await readStorage(page);
|
||||
expect(remaining.jwt).toBeNull();
|
||||
expect(remaining.userId).toBeNull();
|
||||
expect(remaining.pin).toBe(g.pin);
|
||||
});
|
||||
});
|
||||
Reference in New Issue
Block a user