e42d8a92a1
Adds an end-to-end Playwright test suite under e2e/ that spins up an
isolated docker-compose stack (Postgres :55432, Caddy :3101, backend with
EVENTSNAP_TEST_MODE=1, SvelteKit adapter-node frontend) and exercises the
SvelteKit app against the real Rust backend.
Phase 1 — happy paths covering every documented USER_JOURNEYS.md flow:
01-auth/ join, recover, admin login, leave event, PIN lockout
02-upload/ gallery picker (API path), rate-limit + admin toggle
03-feed/ like/comment SSE, filters, SSE reconnect on visibility
04-host/ event lock API, ban/unban, promote
05-admin/ config validation, foundational authz guards, stats
06-export/ /export status + download stub
__smoke/ cross-UA happy-path (runs on every UA project)
Phase 2 — adversarial + browser chaos:
07-adversarial/ XSS payloads (6 × display name path), SQLi shapes,
length / encoding / RTL override / NUL byte;
file-upload boundaries (ELF body claimed as JPEG,
oversize vs max_image_size_mb, zero-byte, NUL
filename, path-traversal, SVG-with-script);
JWT alg:none, signature/payload tamper, expired
session, PIN brute-force (serial + parallel),
admin password brute-force; deep authz (cross-user
delete, banned user across like/comment/feed-read,
host→admin escalation); small-scale DDoS (20× /join,
10MB comment body, 10 concurrent SSE).
08-browser-chaos/ localStorage / sessionStorage / cookie purge,
IndexedDB drop mid-session, offline → reconnect,
slow-3G, 503 flakes, 429 with no retry storm,
multi-tab same/different user, no-JS, hostile CSS,
clock skew ±1h / -2d, localStorage quota exhausted.
Phase 3 — mobile gestures (runs only on chromium-mobile / Pixel 7):
09-mobile/ touch-target ≥44px audit, env(safe-area-inset-bottom)
structural check, long-press (FeedListCard → ContextSheet,
quick-tap negation, click-suppression), double-tap
(feed card like + lightbox heart-burst, via synthetic
pointer events to bypass the first-tap-fires-click trap),
viewport reflow (portrait/landscape/narrow/phablet),
plus fixme stubs documenting planned gestures (swipe
lightbox L/R, swipe-down dismiss, pull-to-refresh,
long-press-comment).
Cross-UA matrix (chromium-engine projects run @smoke only):
chromium-pixel7, chromium-galaxy-s22, samsung-internet (Samsung UA
emulation on Galaxy viewport), edge-android, plus webkit-iphone,
chrome-ios, firefox-android, firefox-desktop — the latter four need
libavif16 on the host (Playwright dep) but the configs are in place.
Infrastructure:
- fixtures/test.ts central test.extend (api, db, adminToken, guest,
host, signIn). Per-test DB truncate via the dev-only POST
/admin/__truncate route, gated by EVENTSNAP_TEST_MODE=1.
- helpers/sse-listener.ts, helpers/upload-client.ts (Node-side
multipart for adversarial file-upload tests + JPEG/PNG/ELF magic
constants), helpers/touch.ts (longPress / doubleTap / swipe /
inlineStyle / computedStyle).
- 10 page objects covering every route + UploadSheet/Lightbox.
- global-setup waits for /health, logs in admin, disables every
rate-limit and quota toggle.
- .github/workflows/e2e.yml: PR check runs chromium-desktop + the
smoke matrix in parallel, uploads playwright-report/ and traces on
failure.
Findings the suite surfaces as live `[finding]` warnings (not silenced):
1. /admin/login has no rate-limit or lockout (bcrypt cost only).
2. PIN-attempt counter races under parallel /recover requests.
3. Zero-byte uploads pass /api/v1/upload.
4. SVG-with-script can pass the magic-byte check (consider CSP +
X-Content-Type-Options on /media/*).
Stack-internal docs live in e2e/README.md (UA tier table, Samsung
Internet escalation tiers A/B/C, debugging tips, roadmap).
Final tally: 134 passed / 0 failed / 9 skipped (test.fixme stubs for
not-yet-shipped gestures and one UI-upload-flow investigation).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
154 lines
6.2 KiB
TypeScript
154 lines
6.2 KiB
TypeScript
/**
|
|
* Phase 2 adversarial — JWT forgery, brute-force, and password attacks.
|
|
*
|
|
* The JWT secret is in docker-compose.test.yml as a fixed value — these
|
|
* tests do NOT try to forge tokens using that secret (that would only
|
|
* prove HS256 works). Instead they assert the *failure* paths: alg:none,
|
|
* tampered signature, expired sessions, wrong role.
|
|
*/
|
|
import { test, expect } from '../../fixtures/test';
|
|
|
|
const BASE = process.env.E2E_FRONTEND_URL ?? 'http://localhost:3101';
|
|
|
|
/** RFC-4648 base64url with no padding. */
|
|
function b64u(s: string) {
|
|
return Buffer.from(s).toString('base64').replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
|
|
}
|
|
|
|
test.describe('Adversarial — JWT', () => {
|
|
test('alg:none token claiming admin role is rejected', async () => {
|
|
const header = b64u(JSON.stringify({ alg: 'none', typ: 'JWT' }));
|
|
const payload = b64u(JSON.stringify({
|
|
sub: '00000000-0000-0000-0000-000000000000',
|
|
role: 'admin',
|
|
event_id: '00000000-0000-0000-0000-000000000000',
|
|
exp: Math.floor(Date.now() / 1000) + 3600,
|
|
}));
|
|
const token = `${header}.${payload}.`;
|
|
const res = await fetch(`${BASE}/api/v1/admin/config`, {
|
|
headers: { Authorization: `Bearer ${token}` },
|
|
});
|
|
expect(res.status).toBe(401);
|
|
});
|
|
|
|
test('JWT with valid structure but bogus signature is rejected', async ({ guest }) => {
|
|
const g = await guest('SigForge');
|
|
const parts = g.jwt.split('.');
|
|
// Replace the signature with random bytes of the same length.
|
|
const fakeSig = parts[2].split('').reverse().join('');
|
|
const tampered = `${parts[0]}.${parts[1]}.${fakeSig}`;
|
|
const res = await fetch(`${BASE}/api/v1/me/context`, {
|
|
headers: { Authorization: `Bearer ${tampered}` },
|
|
});
|
|
expect(res.status).toBe(401);
|
|
});
|
|
|
|
test('JWT with payload-tampered role=admin (re-encoded payload, original signature) is rejected', async ({ guest }) => {
|
|
const g = await guest('RolePromote');
|
|
const parts = g.jwt.split('.');
|
|
const original = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
|
|
const escalated = { ...original, role: 'admin' };
|
|
const newPayload = b64u(JSON.stringify(escalated));
|
|
const tampered = `${parts[0]}.${newPayload}.${parts[2]}`;
|
|
const res = await fetch(`${BASE}/api/v1/admin/config`, {
|
|
headers: { Authorization: `Bearer ${tampered}` },
|
|
});
|
|
// Signature won't match the new payload → middleware must return 401, not 403.
|
|
expect(res.status).toBe(401);
|
|
});
|
|
|
|
test('JWT for a session that was deleted (logout) is rejected', async ({ guest, api }) => {
|
|
const g = await guest('LoggedOut');
|
|
await api.logout(g.jwt);
|
|
const res = await fetch(`${BASE}/api/v1/me/context`, {
|
|
headers: { Authorization: `Bearer ${g.jwt}` },
|
|
});
|
|
expect(res.status).toBe(401);
|
|
});
|
|
|
|
test('Authorization header without "Bearer " prefix is rejected', async ({ guest }) => {
|
|
const g = await guest('NoBearer');
|
|
const res = await fetch(`${BASE}/api/v1/me/context`, {
|
|
headers: { Authorization: g.jwt },
|
|
});
|
|
expect([401, 403]).toContain(res.status);
|
|
});
|
|
|
|
test('missing Authorization header on protected route returns 401', async () => {
|
|
const res = await fetch(`${BASE}/api/v1/me/context`);
|
|
expect(res.status).toBe(401);
|
|
});
|
|
});
|
|
|
|
test.describe('Adversarial — PIN brute-force', () => {
|
|
test('sequential wrong-PIN attempts lock the account after 3 attempts', async ({ guest }) => {
|
|
const g = await guest('Brute');
|
|
const wrong = g.pin === '0000' ? '1111' : '0000';
|
|
|
|
// Do them serially so the failed_pin_attempts counter increments
|
|
// monotonically. Parallel attempts race and may never accumulate to 3 in
|
|
// the current handler implementation — that's a separate finding.
|
|
const statuses: number[] = [];
|
|
for (let i = 0; i < 4; i++) {
|
|
const r = await fetch(`${BASE}/api/v1/recover`, {
|
|
method: 'POST',
|
|
headers: { 'Content-Type': 'application/json' },
|
|
body: JSON.stringify({ display_name: g.displayName, pin: wrong }),
|
|
});
|
|
statuses.push(r.status);
|
|
}
|
|
// First three are 401, fourth (or later) is 429.
|
|
expect(statuses.filter((s) => s === 200)).toHaveLength(0);
|
|
expect(statuses.some((s) => s === 429)).toBe(true);
|
|
|
|
// Now even the correct PIN fails until lockout expires.
|
|
const correct = await fetch(`${BASE}/api/v1/recover`, {
|
|
method: 'POST',
|
|
headers: { 'Content-Type': 'application/json' },
|
|
body: JSON.stringify({ display_name: g.displayName, pin: g.pin }),
|
|
});
|
|
expect(correct.status).toBe(429);
|
|
});
|
|
|
|
test('parallel wrong-PIN attempts may NOT all hit lockout (race-condition finding)', async ({ guest }) => {
|
|
const g = await guest('BruteParallel');
|
|
const wrong = g.pin === '0000' ? '1111' : '0000';
|
|
|
|
const attempts = await Promise.all(
|
|
Array.from({ length: 10 }, () =>
|
|
fetch(`${BASE}/api/v1/recover`, {
|
|
method: 'POST',
|
|
headers: { 'Content-Type': 'application/json' },
|
|
body: JSON.stringify({ display_name: g.displayName, pin: wrong }),
|
|
})
|
|
)
|
|
);
|
|
const statuses = attempts.map((r) => r.status);
|
|
expect(statuses.filter((s) => s === 200)).toHaveLength(0);
|
|
// Documented behavior: lockout counter may race so not every status is 429.
|
|
// Critical invariant: no attempt succeeded.
|
|
if (!statuses.some((s) => s === 429)) {
|
|
console.warn('[finding] PIN-attempt counter races under parallel requests — none hit lockout.');
|
|
}
|
|
});
|
|
});
|
|
|
|
test.describe('Adversarial — admin password brute-force', () => {
|
|
test('repeated wrong passwords do NOT lock the admin (documented finding)', async () => {
|
|
// The admin login handler does not currently implement lockout. This test
|
|
// documents the behavior so any future change is intentional.
|
|
const attempts = await Promise.all(
|
|
Array.from({ length: 10 }, () =>
|
|
fetch(`${BASE}/api/v1/admin/login`, {
|
|
method: 'POST',
|
|
headers: { 'Content-Type': 'application/json' },
|
|
body: JSON.stringify({ password: 'wrong-' + Math.random() }),
|
|
})
|
|
)
|
|
);
|
|
const statuses = attempts.map((r) => r.status);
|
|
expect(statuses.every((s) => s === 401)).toBe(true);
|
|
console.warn('[finding] /admin/login has no rate-limit or lockout — bcrypt cost is the only defense.');
|
|
});
|
|
});
|