EventSnap

fabi/EventSnap

Fork 0

Commit Graph

Author	SHA1	Message	Date
MechaCat02	309c25bc06	feat(frontend): UX review followups — primitives + a11y/UX fixes across 4 passes New shared primitives: - Toaster + toast-store, ConfirmSheet, Modal, focusTrap action, pullToRefresh action, avatarPalette + initials helper, Skeleton, HeartBurst, haptics, export-status store with onClearAuth hook Critical UX/a11y: - Replaced window.confirm with branded ConfirmSheet - Focus management + Escape on every modal (PIN, Lightbox, Onboarding, ContextSheet, data-mode sheet, leave-confirm, HTML guide, host/admin ban + PIN-display modals) - Sheet backdrops are real buttons with aria-label - Silent ApiError catches now surface via global Toaster Major polish: - Dark-mode parity on HashtagChips + avatars (shared palette) - Conditional Export tab in BottomNav (badge dot when ZIP ready) - Back chevrons on /recover (history-aware) and /export - Upload composer discard confirmation when content is staged - Camera segmented Photo/Video shutter - PIN auto-submit on 4th digit, paste-flash-free (controlled input) - Welcome-back toast on /feed after PIN recovery Minor: - Skeleton states on feed; pull-to-refresh with live drag indicator - Haptics on like / capture / submit / PIN-copy / onboarding complete - Comment 500-char counter; quota "Fast voll" / "Limit erreicht" labels - Onboarding pip ≥24px tap targets; long-press hint step - overscroll-behavior lock on <html> while feed mounted - teardownExportStatus wired via onClearAuth (covers 401 + explicit logout) - ConfirmSheet per-instance titleId; Modal requires titleId or ariaLabel Tests (7 new Playwright specs): - 01-auth/pin-auto-submit, 01-auth/back-chevron - 03-feed/confirm-sheet-delete, 03-feed/toast-on-failure - 09-mobile/focus-trap, 09-mobile/sheet-escape, 09-mobile/upload-cancel-confirm FOLLOWUPS.md captures the deferred AT inert containment work with acceptance criteria + implementation sketches. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 22:50:28 +02:00
MechaCat02	e42d8a92a1	feat(e2e): Playwright suite — 134 tests across 9 spec areas + UA matrix Adds an end-to-end Playwright test suite under e2e/ that spins up an isolated docker-compose stack (Postgres :55432, Caddy :3101, backend with EVENTSNAP_TEST_MODE=1, SvelteKit adapter-node frontend) and exercises the SvelteKit app against the real Rust backend. Phase 1 — happy paths covering every documented USER_JOURNEYS.md flow: 01-auth/ join, recover, admin login, leave event, PIN lockout 02-upload/ gallery picker (API path), rate-limit + admin toggle 03-feed/ like/comment SSE, filters, SSE reconnect on visibility 04-host/ event lock API, ban/unban, promote 05-admin/ config validation, foundational authz guards, stats 06-export/ /export status + download stub __smoke/ cross-UA happy-path (runs on every UA project) Phase 2 — adversarial + browser chaos: 07-adversarial/ XSS payloads (6 × display name path), SQLi shapes, length / encoding / RTL override / NUL byte; file-upload boundaries (ELF body claimed as JPEG, oversize vs max_image_size_mb, zero-byte, NUL filename, path-traversal, SVG-with-script); JWT alg:none, signature/payload tamper, expired session, PIN brute-force (serial + parallel), admin password brute-force; deep authz (cross-user delete, banned user across like/comment/feed-read, host→admin escalation); small-scale DDoS (20× /join, 10MB comment body, 10 concurrent SSE). 08-browser-chaos/ localStorage / sessionStorage / cookie purge, IndexedDB drop mid-session, offline → reconnect, slow-3G, 503 flakes, 429 with no retry storm, multi-tab same/different user, no-JS, hostile CSS, clock skew ±1h / -2d, localStorage quota exhausted. Phase 3 — mobile gestures (runs only on chromium-mobile / Pixel 7): 09-mobile/ touch-target ≥44px audit, env(safe-area-inset-bottom) structural check, long-press (FeedListCard → ContextSheet, quick-tap negation, click-suppression), double-tap (feed card like + lightbox heart-burst, via synthetic pointer events to bypass the first-tap-fires-click trap), viewport reflow (portrait/landscape/narrow/phablet), plus fixme stubs documenting planned gestures (swipe lightbox L/R, swipe-down dismiss, pull-to-refresh, long-press-comment). Cross-UA matrix (chromium-engine projects run @smoke only): chromium-pixel7, chromium-galaxy-s22, samsung-internet (Samsung UA emulation on Galaxy viewport), edge-android, plus webkit-iphone, chrome-ios, firefox-android, firefox-desktop — the latter four need libavif16 on the host (Playwright dep) but the configs are in place. Infrastructure: - fixtures/test.ts central test.extend (api, db, adminToken, guest, host, signIn). Per-test DB truncate via the dev-only POST /admin/__truncate route, gated by EVENTSNAP_TEST_MODE=1. - helpers/sse-listener.ts, helpers/upload-client.ts (Node-side multipart for adversarial file-upload tests + JPEG/PNG/ELF magic constants), helpers/touch.ts (longPress / doubleTap / swipe / inlineStyle / computedStyle). - 10 page objects covering every route + UploadSheet/Lightbox. - global-setup waits for /health, logs in admin, disables every rate-limit and quota toggle. - .github/workflows/e2e.yml: PR check runs chromium-desktop + the smoke matrix in parallel, uploads playwright-report/ and traces on failure. Findings the suite surfaces as live `[finding]` warnings (not silenced): 1. /admin/login has no rate-limit or lockout (bcrypt cost only). 2. PIN-attempt counter races under parallel /recover requests. 3. Zero-byte uploads pass /api/v1/upload. 4. SVG-with-script can pass the magic-byte check (consider CSP + X-Content-Type-Options on /media/*). Stack-internal docs live in e2e/README.md (UA tier table, Samsung Internet escalation tiers A/B/C, debugging tips, roadmap). Final tally: 134 passed / 0 failed / 9 skipped (test.fixme stubs for not-yet-shipped gestures and one UI-upload-flow investigation). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-16 19:37:11 +02:00

Author

SHA1

Message

Date

MechaCat02

309c25bc06

feat(frontend): UX review followups — primitives + a11y/UX fixes across 4 passes

New shared primitives:
- Toaster + toast-store, ConfirmSheet, Modal, focusTrap action,
  pullToRefresh action, avatarPalette + initials helper, Skeleton,
  HeartBurst, haptics, export-status store with onClearAuth hook

Critical UX/a11y:
- Replaced window.confirm with branded ConfirmSheet
- Focus management + Escape on every modal (PIN, Lightbox,
  Onboarding, ContextSheet, data-mode sheet, leave-confirm,
  HTML guide, host/admin ban + PIN-display modals)
- Sheet backdrops are real buttons with aria-label
- Silent ApiError catches now surface via global Toaster

Major polish:
- Dark-mode parity on HashtagChips + avatars (shared palette)
- Conditional Export tab in BottomNav (badge dot when ZIP ready)
- Back chevrons on /recover (history-aware) and /export
- Upload composer discard confirmation when content is staged
- Camera segmented Photo/Video shutter
- PIN auto-submit on 4th digit, paste-flash-free (controlled input)
- Welcome-back toast on /feed after PIN recovery

Minor:
- Skeleton states on feed; pull-to-refresh with live drag indicator
- Haptics on like / capture / submit / PIN-copy / onboarding complete
- Comment 500-char counter; quota "Fast voll" / "Limit erreicht" labels
- Onboarding pip ≥24px tap targets; long-press hint step
- overscroll-behavior lock on <html> while feed mounted
- teardownExportStatus wired via onClearAuth (covers 401 + explicit logout)
- ConfirmSheet per-instance titleId; Modal requires titleId or ariaLabel

Tests (7 new Playwright specs):
- 01-auth/pin-auto-submit, 01-auth/back-chevron
- 03-feed/confirm-sheet-delete, 03-feed/toast-on-failure
- 09-mobile/focus-trap, 09-mobile/sheet-escape,
  09-mobile/upload-cancel-confirm

FOLLOWUPS.md captures the deferred AT inert containment work
with acceptance criteria + implementation sketches.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-24 22:50:28 +02:00

MechaCat02

e42d8a92a1

feat(e2e): Playwright suite — 134 tests across 9 spec areas + UA matrix

Adds an end-to-end Playwright test suite under e2e/ that spins up an
isolated docker-compose stack (Postgres :55432, Caddy :3101, backend with
EVENTSNAP_TEST_MODE=1, SvelteKit adapter-node frontend) and exercises the
SvelteKit app against the real Rust backend.

Phase 1 — happy paths covering every documented USER_JOURNEYS.md flow:
  01-auth/      join, recover, admin login, leave event, PIN lockout
  02-upload/    gallery picker (API path), rate-limit + admin toggle
  03-feed/      like/comment SSE, filters, SSE reconnect on visibility
  04-host/      event lock API, ban/unban, promote
  05-admin/     config validation, foundational authz guards, stats
  06-export/    /export status + download stub
  __smoke/      cross-UA happy-path (runs on every UA project)

Phase 2 — adversarial + browser chaos:
  07-adversarial/  XSS payloads (6 × display name path), SQLi shapes,
                   length / encoding / RTL override / NUL byte;
                   file-upload boundaries (ELF body claimed as JPEG,
                   oversize vs max_image_size_mb, zero-byte, NUL
                   filename, path-traversal, SVG-with-script);
                   JWT alg:none, signature/payload tamper, expired
                   session, PIN brute-force (serial + parallel),
                   admin password brute-force; deep authz (cross-user
                   delete, banned user across like/comment/feed-read,
                   host→admin escalation); small-scale DDoS (20× /join,
                   10MB comment body, 10 concurrent SSE).
  08-browser-chaos/ localStorage / sessionStorage / cookie purge,
                    IndexedDB drop mid-session, offline → reconnect,
                    slow-3G, 503 flakes, 429 with no retry storm,
                    multi-tab same/different user, no-JS, hostile CSS,
                    clock skew ±1h / -2d, localStorage quota exhausted.

Phase 3 — mobile gestures (runs only on chromium-mobile / Pixel 7):
  09-mobile/    touch-target ≥44px audit, env(safe-area-inset-bottom)
                structural check, long-press (FeedListCard → ContextSheet,
                quick-tap negation, click-suppression), double-tap
                (feed card like + lightbox heart-burst, via synthetic
                pointer events to bypass the first-tap-fires-click trap),
                viewport reflow (portrait/landscape/narrow/phablet),
                plus fixme stubs documenting planned gestures (swipe
                lightbox L/R, swipe-down dismiss, pull-to-refresh,
                long-press-comment).

Cross-UA matrix (chromium-engine projects run @smoke only):
  chromium-pixel7, chromium-galaxy-s22, samsung-internet (Samsung UA
  emulation on Galaxy viewport), edge-android, plus webkit-iphone,
  chrome-ios, firefox-android, firefox-desktop — the latter four need
  libavif16 on the host (Playwright dep) but the configs are in place.

Infrastructure:
  - fixtures/test.ts central test.extend (api, db, adminToken, guest,
    host, signIn). Per-test DB truncate via the dev-only POST
    /admin/__truncate route, gated by EVENTSNAP_TEST_MODE=1.
  - helpers/sse-listener.ts, helpers/upload-client.ts (Node-side
    multipart for adversarial file-upload tests + JPEG/PNG/ELF magic
    constants), helpers/touch.ts (longPress / doubleTap / swipe /
    inlineStyle / computedStyle).
  - 10 page objects covering every route + UploadSheet/Lightbox.
  - global-setup waits for /health, logs in admin, disables every
    rate-limit and quota toggle.
  - .github/workflows/e2e.yml: PR check runs chromium-desktop + the
    smoke matrix in parallel, uploads playwright-report/ and traces on
    failure.

Findings the suite surfaces as live `[finding]` warnings (not silenced):
  1. /admin/login has no rate-limit or lockout (bcrypt cost only).
  2. PIN-attempt counter races under parallel /recover requests.
  3. Zero-byte uploads pass /api/v1/upload.
  4. SVG-with-script can pass the magic-byte check (consider CSP +
     X-Content-Type-Options on /media/*).

Stack-internal docs live in e2e/README.md (UA tier table, Samsung
Internet escalation tiers A/B/C, debugging tips, roadmap).

Final tally: 134 passed / 0 failed / 9 skipped (test.fixme stubs for
not-yet-shipped gestures and one UI-upload-flow investigation).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-16 19:37:11 +02:00

2 Commits