e42d8a92a1
Adds an end-to-end Playwright test suite under e2e/ that spins up an
isolated docker-compose stack (Postgres :55432, Caddy :3101, backend with
EVENTSNAP_TEST_MODE=1, SvelteKit adapter-node frontend) and exercises the
SvelteKit app against the real Rust backend.
Phase 1 — happy paths covering every documented USER_JOURNEYS.md flow:
01-auth/ join, recover, admin login, leave event, PIN lockout
02-upload/ gallery picker (API path), rate-limit + admin toggle
03-feed/ like/comment SSE, filters, SSE reconnect on visibility
04-host/ event lock API, ban/unban, promote
05-admin/ config validation, foundational authz guards, stats
06-export/ /export status + download stub
__smoke/ cross-UA happy-path (runs on every UA project)
Phase 2 — adversarial + browser chaos:
07-adversarial/ XSS payloads (6 × display name path), SQLi shapes,
length / encoding / RTL override / NUL byte;
file-upload boundaries (ELF body claimed as JPEG,
oversize vs max_image_size_mb, zero-byte, NUL
filename, path-traversal, SVG-with-script);
JWT alg:none, signature/payload tamper, expired
session, PIN brute-force (serial + parallel),
admin password brute-force; deep authz (cross-user
delete, banned user across like/comment/feed-read,
host→admin escalation); small-scale DDoS (20× /join,
10MB comment body, 10 concurrent SSE).
08-browser-chaos/ localStorage / sessionStorage / cookie purge,
IndexedDB drop mid-session, offline → reconnect,
slow-3G, 503 flakes, 429 with no retry storm,
multi-tab same/different user, no-JS, hostile CSS,
clock skew ±1h / -2d, localStorage quota exhausted.
Phase 3 — mobile gestures (runs only on chromium-mobile / Pixel 7):
09-mobile/ touch-target ≥44px audit, env(safe-area-inset-bottom)
structural check, long-press (FeedListCard → ContextSheet,
quick-tap negation, click-suppression), double-tap
(feed card like + lightbox heart-burst, via synthetic
pointer events to bypass the first-tap-fires-click trap),
viewport reflow (portrait/landscape/narrow/phablet),
plus fixme stubs documenting planned gestures (swipe
lightbox L/R, swipe-down dismiss, pull-to-refresh,
long-press-comment).
Cross-UA matrix (chromium-engine projects run @smoke only):
chromium-pixel7, chromium-galaxy-s22, samsung-internet (Samsung UA
emulation on Galaxy viewport), edge-android, plus webkit-iphone,
chrome-ios, firefox-android, firefox-desktop — the latter four need
libavif16 on the host (Playwright dep) but the configs are in place.
Infrastructure:
- fixtures/test.ts central test.extend (api, db, adminToken, guest,
host, signIn). Per-test DB truncate via the dev-only POST
/admin/__truncate route, gated by EVENTSNAP_TEST_MODE=1.
- helpers/sse-listener.ts, helpers/upload-client.ts (Node-side
multipart for adversarial file-upload tests + JPEG/PNG/ELF magic
constants), helpers/touch.ts (longPress / doubleTap / swipe /
inlineStyle / computedStyle).
- 10 page objects covering every route + UploadSheet/Lightbox.
- global-setup waits for /health, logs in admin, disables every
rate-limit and quota toggle.
- .github/workflows/e2e.yml: PR check runs chromium-desktop + the
smoke matrix in parallel, uploads playwright-report/ and traces on
failure.
Findings the suite surfaces as live `[finding]` warnings (not silenced):
1. /admin/login has no rate-limit or lockout (bcrypt cost only).
2. PIN-attempt counter races under parallel /recover requests.
3. Zero-byte uploads pass /api/v1/upload.
4. SVG-with-script can pass the magic-byte check (consider CSP +
X-Content-Type-Options on /media/*).
Stack-internal docs live in e2e/README.md (UA tier table, Samsung
Internet escalation tiers A/B/C, debugging tips, roadmap).
Final tally: 134 passed / 0 failed / 9 skipped (test.fixme stubs for
not-yet-shipped gestures and one UI-upload-flow investigation).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
78 lines
2.3 KiB
YAML
78 lines
2.3 KiB
YAML
# Isolated EventSnap test stack. Mirrors production layout (Caddy → frontend +
|
|
# backend) but on its own ports, its own volumes, with rate-limits disabled and
|
|
# `EVENTSNAP_TEST_MODE=1` so the `/admin/__truncate` reset endpoint is live.
|
|
#
|
|
# Bring it up once before running the suite:
|
|
# npm run stack:up
|
|
# Tear it down (and wipe all volumes) after:
|
|
# npm run stack:down
|
|
#
|
|
# Port 3101 is the only externally exposed port: Caddy fronts everything.
|
|
|
|
services:
|
|
db:
|
|
image: postgres:16-alpine
|
|
environment:
|
|
POSTGRES_USER: eventsnap_test
|
|
POSTGRES_PASSWORD: eventsnap_test
|
|
POSTGRES_DB: eventsnap_test
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "pg_isready -U eventsnap_test -d eventsnap_test"]
|
|
interval: 3s
|
|
timeout: 3s
|
|
retries: 30
|
|
ports:
|
|
- "55432:5432" # exposed so the e2e harness can connect via pg for fixture setup
|
|
|
|
app:
|
|
build:
|
|
context: ../backend
|
|
dockerfile: Dockerfile
|
|
depends_on:
|
|
db:
|
|
condition: service_healthy
|
|
environment:
|
|
DATABASE_URL: postgres://eventsnap_test:eventsnap_test@db:5432/eventsnap_test
|
|
JWT_SECRET: 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
|
|
# bcrypt hash for the literal string "admin-test-pw" (cost 4 — fast for tests).
|
|
# Generated once and committed. Verified with `bcrypt.compareSync`.
|
|
# The $ characters are doubled to escape compose interpolation.
|
|
ADMIN_PASSWORD_HASH: $$2b$$04$$XKJJkNX6BOi6y3S42DA5JOWwk4oxc8DHPL6.MrPfJI2vpnccZjP32
|
|
EVENT_SLUG: e2e-test-event
|
|
EVENT_NAME: E2E Test Event
|
|
APP_PORT: "3000"
|
|
MEDIA_PATH: /media
|
|
SESSION_EXPIRY_DAYS: "30"
|
|
EVENTSNAP_TEST_MODE: "1" # ENABLES /admin/__truncate — never set in prod
|
|
RUST_LOG: eventsnap_backend=info,tower_http=warn
|
|
volumes:
|
|
- media_data:/media
|
|
expose:
|
|
- "3000"
|
|
|
|
frontend:
|
|
build:
|
|
context: ../frontend
|
|
dockerfile: Dockerfile
|
|
depends_on:
|
|
- app
|
|
environment:
|
|
PORT: "3001"
|
|
HOST: "0.0.0.0"
|
|
ORIGIN: "http://localhost:3101"
|
|
expose:
|
|
- "3001"
|
|
|
|
caddy:
|
|
image: caddy:2-alpine
|
|
depends_on:
|
|
- app
|
|
- frontend
|
|
volumes:
|
|
- ./Caddyfile.test:/etc/caddy/Caddyfile:ro
|
|
ports:
|
|
- "3101:3101"
|
|
|
|
volumes:
|
|
media_data:
|