e42d8a92a1
Adds an end-to-end Playwright test suite under e2e/ that spins up an
isolated docker-compose stack (Postgres :55432, Caddy :3101, backend with
EVENTSNAP_TEST_MODE=1, SvelteKit adapter-node frontend) and exercises the
SvelteKit app against the real Rust backend.
Phase 1 — happy paths covering every documented USER_JOURNEYS.md flow:
01-auth/ join, recover, admin login, leave event, PIN lockout
02-upload/ gallery picker (API path), rate-limit + admin toggle
03-feed/ like/comment SSE, filters, SSE reconnect on visibility
04-host/ event lock API, ban/unban, promote
05-admin/ config validation, foundational authz guards, stats
06-export/ /export status + download stub
__smoke/ cross-UA happy-path (runs on every UA project)
Phase 2 — adversarial + browser chaos:
07-adversarial/ XSS payloads (6 × display name path), SQLi shapes,
length / encoding / RTL override / NUL byte;
file-upload boundaries (ELF body claimed as JPEG,
oversize vs max_image_size_mb, zero-byte, NUL
filename, path-traversal, SVG-with-script);
JWT alg:none, signature/payload tamper, expired
session, PIN brute-force (serial + parallel),
admin password brute-force; deep authz (cross-user
delete, banned user across like/comment/feed-read,
host→admin escalation); small-scale DDoS (20× /join,
10MB comment body, 10 concurrent SSE).
08-browser-chaos/ localStorage / sessionStorage / cookie purge,
IndexedDB drop mid-session, offline → reconnect,
slow-3G, 503 flakes, 429 with no retry storm,
multi-tab same/different user, no-JS, hostile CSS,
clock skew ±1h / -2d, localStorage quota exhausted.
Phase 3 — mobile gestures (runs only on chromium-mobile / Pixel 7):
09-mobile/ touch-target ≥44px audit, env(safe-area-inset-bottom)
structural check, long-press (FeedListCard → ContextSheet,
quick-tap negation, click-suppression), double-tap
(feed card like + lightbox heart-burst, via synthetic
pointer events to bypass the first-tap-fires-click trap),
viewport reflow (portrait/landscape/narrow/phablet),
plus fixme stubs documenting planned gestures (swipe
lightbox L/R, swipe-down dismiss, pull-to-refresh,
long-press-comment).
Cross-UA matrix (chromium-engine projects run @smoke only):
chromium-pixel7, chromium-galaxy-s22, samsung-internet (Samsung UA
emulation on Galaxy viewport), edge-android, plus webkit-iphone,
chrome-ios, firefox-android, firefox-desktop — the latter four need
libavif16 on the host (Playwright dep) but the configs are in place.
Infrastructure:
- fixtures/test.ts central test.extend (api, db, adminToken, guest,
host, signIn). Per-test DB truncate via the dev-only POST
/admin/__truncate route, gated by EVENTSNAP_TEST_MODE=1.
- helpers/sse-listener.ts, helpers/upload-client.ts (Node-side
multipart for adversarial file-upload tests + JPEG/PNG/ELF magic
constants), helpers/touch.ts (longPress / doubleTap / swipe /
inlineStyle / computedStyle).
- 10 page objects covering every route + UploadSheet/Lightbox.
- global-setup waits for /health, logs in admin, disables every
rate-limit and quota toggle.
- .github/workflows/e2e.yml: PR check runs chromium-desktop + the
smoke matrix in parallel, uploads playwright-report/ and traces on
failure.
Findings the suite surfaces as live `[finding]` warnings (not silenced):
1. /admin/login has no rate-limit or lockout (bcrypt cost only).
2. PIN-attempt counter races under parallel /recover requests.
3. Zero-byte uploads pass /api/v1/upload.
4. SVG-with-script can pass the magic-byte check (consider CSP +
X-Content-Type-Options on /media/*).
Stack-internal docs live in e2e/README.md (UA tier table, Samsung
Internet escalation tiers A/B/C, debugging tips, roadmap).
Final tally: 134 passed / 0 failed / 9 skipped (test.fixme stubs for
not-yet-shipped gestures and one UI-upload-flow investigation).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
104 lines
3.5 KiB
TypeScript
104 lines
3.5 KiB
TypeScript
/**
|
|
* Central `test.extend` for EventSnap E2E tests. Specs import `test` from here
|
|
* (not `@playwright/test` directly) so they get the shared fixtures: API
|
|
* client, DB helper, fresh admin token, and convenience factories.
|
|
*
|
|
* Every test runs against a freshly truncated database (via the `truncate`
|
|
* auto-fixture). Because truncate wipes the `session` table, any admin JWT
|
|
* obtained before truncate becomes invalid afterwards — so the
|
|
* `truncate` fixture always does its own admin login, and the `adminToken`
|
|
* fixture re-logs-in per test instead of caching. bcrypt cost 4 → ~10 ms,
|
|
* negligible against the ~1 s per-test setup overhead.
|
|
*/
|
|
import { test as base, expect, type Page } from '@playwright/test';
|
|
import { ApiClient } from './api-client';
|
|
import { db } from './db';
|
|
|
|
type GuestHandle = {
|
|
jwt: string;
|
|
pin: string;
|
|
userId: string;
|
|
displayName: string;
|
|
};
|
|
|
|
type Fixtures = {
|
|
api: ApiClient;
|
|
db: typeof db;
|
|
adminToken: string;
|
|
truncate: void;
|
|
guest: (displayName?: string) => Promise<GuestHandle>;
|
|
host: GuestHandle;
|
|
/** Apply an existing guest's JWT + PIN to the page's localStorage and reload. */
|
|
signIn: (page: Page, handle: GuestHandle) => Promise<void>;
|
|
};
|
|
|
|
export const test = base.extend<Fixtures>({
|
|
api: async ({}, use) => {
|
|
await use(new ApiClient());
|
|
},
|
|
|
|
db: async ({}, use) => {
|
|
await use(db);
|
|
},
|
|
|
|
// Auto-fixture: runs before every test, truncates the DB so each test starts
|
|
// clean. Acquires its OWN admin token because the previous test's truncate
|
|
// wiped the session row that backs any cached token.
|
|
truncate: [
|
|
async ({ api }, use) => {
|
|
const token = await api.adminLogin();
|
|
await api.truncate(token);
|
|
await use();
|
|
},
|
|
{ auto: true, scope: 'test' },
|
|
],
|
|
|
|
// Fresh admin login per test that asks for it. Comes AFTER the truncate
|
|
// auto-fixture has run (truncate doesn't depend on adminToken, so the
|
|
// dependency-free truncate runs first; this fixture then logs in on a
|
|
// freshly reset DB).
|
|
adminToken: async ({ api }, use) => {
|
|
const token = await api.adminLogin();
|
|
await use(token);
|
|
},
|
|
|
|
guest: async ({ api }, use) => {
|
|
let counter = 0;
|
|
const factory = async (displayName?: string): Promise<GuestHandle> => {
|
|
const name = displayName ?? `Gast${++counter}_${Math.random().toString(36).slice(2, 6)}`;
|
|
const res = await api.join(name);
|
|
return { jwt: res.jwt, pin: res.pin, userId: res.user_id, displayName: name };
|
|
};
|
|
await use(factory);
|
|
},
|
|
|
|
host: async ({ api, guest, adminToken }, use) => {
|
|
const h = await guest('TestHost');
|
|
await api.setRole(adminToken, h.userId, 'host');
|
|
// Role is encoded in the JWT — re-recover to get a fresh token with role=host.
|
|
const { body } = await api.recover(h.displayName, h.pin);
|
|
await use({ ...h, jwt: body.jwt });
|
|
},
|
|
|
|
signIn: async ({}, use) => {
|
|
const fn = async (page: Page, handle: GuestHandle) => {
|
|
// Visit any in-app URL first so localStorage is scoped to the right origin.
|
|
await page.goto('/');
|
|
await page.evaluate(
|
|
({ jwt, pin, userId, displayName }) => {
|
|
localStorage.setItem('eventsnap_jwt', jwt);
|
|
localStorage.setItem('eventsnap_pin', pin);
|
|
localStorage.setItem('eventsnap_user_id', userId);
|
|
localStorage.setItem('eventsnap_display_name', displayName);
|
|
localStorage.setItem('eventsnap_guide_seen', 'true');
|
|
},
|
|
handle
|
|
);
|
|
await page.goto('/feed');
|
|
};
|
|
await use(fn);
|
|
},
|
|
});
|
|
|
|
export { expect };
|