c7cb689984
The 0.10.0 backend endpoint had no UI caller — the audit flagged it as either-ship-a-form-or-remove-the-endpoint dead code. Shipping the form, plus the bearer-token-keeps-working regression test the audit asked for to pin the docstring contract. Backend: - New test change_password_via_bearer_leaves_bearer_working asserts that PATCH /me/password called with Authorization: Bearer wipes cookie sessions but leaves the bearer (api_token) intact and usable — matches the docstring claim that bot tokens are opt-in to revoke. Frontend: - lib/api/auth.ts: new changePassword(input) wrapping PATCH /v1/auth/me/password. Vitest covers happy 204, 401 unauthenticated (wrong current), 400 invalid_input (weak new) — same envelope parsing shape used elsewhere. - routes/settings/+page.svelte: minimal form with current / new / confirm fields, derived passwordsMatch + canSubmit guards (submit stays disabled until current is filled, new is ≥8 chars, new == confirm). Shows the API's message inline on failure. Documents the "other devices signed out, bot tokens stay" UX in a short hint. - routes/+layout.svelte: new "Settings" link in the session-aware nav (between username and Logout) for authed users only. - e2e/settings.spec.ts (5 cases): nav link reaches the form, successful change shows confirmation + clears the form, 401 surfaces inline, password mismatch keeps submit disabled, anonymous user gets a sign-in prompt instead of the form. Lockstep version bump to 0.11.0. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
110 lines
3.9 KiB
TypeScript
110 lines
3.9 KiB
TypeScript
import { test, expect, type Page } from '@playwright/test';
|
|
|
|
const userFixture = {
|
|
id: 'u1',
|
|
username: 'alice',
|
|
created_at: '2026-01-01T00:00:00Z'
|
|
};
|
|
|
|
async function stubAuthenticated(page: Page) {
|
|
await page.route('**/api/v1/auth/me', (route) =>
|
|
route.fulfill({
|
|
status: 200,
|
|
contentType: 'application/json',
|
|
body: JSON.stringify({ user: userFixture })
|
|
})
|
|
);
|
|
}
|
|
|
|
test('settings link shows for authed users and reaches the password form', async ({ page }) => {
|
|
await stubAuthenticated(page);
|
|
await page.route('**/api/v1/mangas?*', (route) =>
|
|
route.fulfill({
|
|
status: 200,
|
|
contentType: 'application/json',
|
|
body: JSON.stringify({ items: [], page: { limit: 50, offset: 0, total: 0 } })
|
|
})
|
|
);
|
|
|
|
await page.goto('/');
|
|
await expect(page.getByTestId('nav-settings')).toBeVisible();
|
|
await page.getByTestId('nav-settings').click();
|
|
await expect(page).toHaveURL(/\/settings$/);
|
|
await expect(page.getByTestId('password-form')).toBeVisible();
|
|
});
|
|
|
|
test('changing password shows success and clears the form', async ({ page }) => {
|
|
await stubAuthenticated(page);
|
|
let patchCalls = 0;
|
|
let patchBody: unknown = null;
|
|
await page.route('**/api/v1/auth/me/password', async (route) => {
|
|
patchCalls += 1;
|
|
patchBody = JSON.parse(route.request().postData() ?? '{}');
|
|
await route.fulfill({ status: 204 });
|
|
});
|
|
|
|
await page.goto('/settings');
|
|
await page.getByTestId('current-password').fill('hunter2hunter2');
|
|
await page.getByTestId('new-password').fill('freshpassfreshpass');
|
|
await page.getByTestId('confirm-password').fill('freshpassfreshpass');
|
|
await page.getByTestId('password-submit').click();
|
|
|
|
await expect(page.getByTestId('password-success')).toContainText('Password updated');
|
|
expect(patchCalls).toBe(1);
|
|
expect(patchBody).toEqual({
|
|
current_password: 'hunter2hunter2',
|
|
new_password: 'freshpassfreshpass'
|
|
});
|
|
// Form should clear after success.
|
|
await expect(page.getByTestId('current-password')).toHaveValue('');
|
|
});
|
|
|
|
test('wrong current password surfaces the 401 envelope inline', async ({ page }) => {
|
|
await stubAuthenticated(page);
|
|
await page.route('**/api/v1/auth/me/password', (route) =>
|
|
route.fulfill({
|
|
status: 401,
|
|
contentType: 'application/json',
|
|
body: JSON.stringify({
|
|
error: { code: 'unauthenticated', message: 'unauthenticated' }
|
|
})
|
|
})
|
|
);
|
|
|
|
await page.goto('/settings');
|
|
await page.getByTestId('current-password').fill('definitelyNotIt');
|
|
await page.getByTestId('new-password').fill('freshpassfreshpass');
|
|
await page.getByTestId('confirm-password').fill('freshpassfreshpass');
|
|
await page.getByTestId('password-submit').click();
|
|
|
|
await expect(page.getByTestId('password-error')).toBeVisible();
|
|
});
|
|
|
|
test('mismatched new + confirm disables the submit button', async ({ page }) => {
|
|
await stubAuthenticated(page);
|
|
|
|
await page.goto('/settings');
|
|
await page.getByTestId('current-password').fill('hunter2hunter2');
|
|
await page.getByTestId('new-password').fill('freshpassfreshpass');
|
|
await page.getByTestId('confirm-password').fill('different');
|
|
|
|
await expect(page.getByTestId('mismatch')).toBeVisible();
|
|
await expect(page.getByTestId('password-submit')).toBeDisabled();
|
|
});
|
|
|
|
test('anonymous user sees a sign-in prompt on /settings', async ({ page }) => {
|
|
await page.route('**/api/v1/auth/me', (route) =>
|
|
route.fulfill({
|
|
status: 401,
|
|
contentType: 'application/json',
|
|
body: JSON.stringify({
|
|
error: { code: 'unauthenticated', message: 'unauthenticated' }
|
|
})
|
|
})
|
|
);
|
|
|
|
await page.goto('/settings');
|
|
await expect(page.getByTestId('settings-signin')).toBeVisible();
|
|
await expect(page.getByTestId('password-form')).toHaveCount(0);
|
|
});
|