akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 7 Packages Projects Releases Wiki Activity

chore: git cache cleanup

Browse Source
This commit is contained in:
GitHub Actions
2026-03-04 18:34:49 +00:00
parent c32cce2a88
commit 27c252600a
2001 changed files with 683185 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

928
tests/settings/account-settings.spec.ts Normal file
View File

@@ -0,0 +1,928 @@
/**
* Account Settings E2E Tests
*
* Tests the account settings functionality including:
* - Profile management (name, email updates)
* - Certificate email configuration
* - Password change with validation
* - API key management (view, copy, regenerate)
* - Accessibility compliance
*
* @see /projects/Charon/docs/plans/phase4-settings-plan.md - Section 3.6
* @see /projects/Charon/frontend/src/pages/Account.tsx
*/
import { test, expect, loginUser, TEST_PASSWORD } from '../fixtures/auth-fixtures';
import {
waitForLoadingComplete,
waitForToast,
waitForModal,
waitForAPIResponse,
} from '../utils/wait-helpers';
import { getCertificateValidationMessage } from '../utils/ui-helpers';
test.describe('Account Settings', () => {
test.beforeEach(async ({ page, adminUser }) => {
await loginUser(page, adminUser);
await waitForLoadingComplete(page);
await page.goto('/settings/account');
await waitForLoadingComplete(page);
});
/**
* PR-3: Account Route Redirect (F8)
*
* Verifies that legacy account settings routes redirect to the
* consolidated Users page at /settings/users.
*/
test.describe('PR-3: Account Route Redirect (F8)', () => {
// Outer beforeEach already handles login. These tests re-navigate to the legacy
// routes to assert the React Router <Navigate> redirects them to /settings/users.
test('should redirect /settings/account to /settings/users', async ({ page }) => {
await page.goto('/settings/account');
await page.waitForURL(/\/settings\/users/, { timeout: 15000 });
await expect(page).toHaveURL(/\/settings\/users/);
});
test('should redirect /settings/account-management to /settings/users', async ({ page }) => {
await page.goto('/settings/account-management');
await page.waitForURL(/\/settings\/users/, { timeout: 15000 });
await expect(page).toHaveURL(/\/settings\/users/);
});
});
/**
* PR-3: Self-Service Profile via Users Page (F10)
*
* Verifies that an admin can manage their own profile (name, email,
* password, API key) through the UserDetailModal on /settings/users.
* This replaces the deleted Account.tsx page.
*/
test.describe('PR-3: Self-Service Profile via Users Page (F10)', () => {
test.beforeEach(async ({ page }) => {
// Outer beforeEach already handles login. Navigate to the users page
// and wait for the user data to fully render before each test.
await page.goto('/settings/users');
await waitForLoadingComplete(page);
// Wait for user data to load — the My Profile card's Edit User button
// only appears after the API returns the current user's profile.
await page.getByRole('button', { name: 'Edit User' }).first().waitFor({
state: 'visible',
timeout: 15000,
});
});
test('should open My Profile modal from the My Profile card', async ({ page }) => {
await test.step('Click Edit User in the My Profile card', async () => {
// The My Profile card button is the first "Edit User" button in the DOM
await page.getByRole('button', { name: 'Edit User' }).first().click();
await expect(page.getByRole('dialog')).toBeVisible();
});
await test.step('Verify dialog is labelled "My Profile"', async () => {
await expect(
page.getByRole('dialog').getByRole('heading', { name: 'My Profile' })
).toBeVisible();
});
await test.step('Verify name and email fields are editable', async () => {
const dialog = page.getByRole('dialog');
await expect(dialog.locator('input').first()).toBeVisible();
await expect(dialog.locator('input[type="email"]')).toBeVisible();
});
});
test('should display Change Password toggle in My Profile modal (self-only)', async ({ page }) => {
await page.getByRole('button', { name: 'Edit User' }).first().click();
await expect(page.getByRole('dialog')).toBeVisible();
const dialog = page.getByRole('dialog');
await expect(dialog.getByRole('button', { name: 'Change Password' })).toBeVisible();
});
test('should reveal password fields after clicking Change Password toggle', async ({ page }) => {
await page.getByRole('button', { name: 'Edit User' }).first().click();
await expect(page.getByRole('dialog')).toBeVisible();
const dialog = page.getByRole('dialog');
await test.step('Password fields are hidden before toggling', async () => {
await expect(dialog.locator('#current-password')).not.toBeVisible();
await expect(dialog.locator('#new-password')).not.toBeVisible();
});
await test.step('Click Change Password to expand the section', async () => {
await dialog.getByRole('button', { name: 'Change Password' }).click();
});
await test.step('Password fields are now visible', async () => {
await expect(dialog.locator('#current-password')).toBeVisible();
await expect(dialog.locator('#new-password')).toBeVisible();
await expect(dialog.locator('#confirm-password')).toBeVisible();
});
});
test('should display API Key section in My Profile modal (self-only)', async ({ page }) => {
await page.getByRole('button', { name: 'Edit User' }).first().click();
await expect(page.getByRole('dialog')).toBeVisible();
const dialog = page.getByRole('dialog');
await expect(dialog.getByText('API Key', { exact: true })).toBeVisible();
await expect(dialog.getByRole('button', { name: 'Regenerate API Key' })).toBeVisible();
});
test('should have accessible structure in My Profile modal', async ({ page }) => {
await page.getByRole('button', { name: 'Edit User' }).first().click();
const dialog = page.getByRole('dialog');
await expect(dialog).toBeVisible();
await test.step('Dialog has accessible heading', async () => {
await expect(dialog.getByRole('heading', { name: 'My Profile' })).toBeVisible();
});
await test.step('Close button has accessible label', async () => {
await expect(dialog.getByRole('button', { name: /close/i })).toBeVisible();
});
});
});
// These tests reference the deleted Account.tsx page (removed in PR-2b). Equivalent
// functionality is covered by the "PR-3: Self-Service Profile via Users Page (F10)" suite above.
test.describe.skip('Profile Management', () => {
/**
* Test: Profile displays correctly
* Verifies that user profile information is displayed on load.
*/
test('should display user profile', async ({ page, adminUser }) => {
await test.step('Verify profile section is visible', async () => {
const profileSection = page.locator('form').filter({
has: page.locator('#profile-name'),
});
await expect(profileSection).toBeVisible();
});
await test.step('Verify name field contains user name', async () => {
const nameInput = page.locator('#profile-name');
await expect(nameInput).toBeVisible();
const nameValue = await nameInput.inputValue();
expect(nameValue.length).toBeGreaterThan(0);
});
await test.step('Verify email field contains user email', async () => {
const emailInput = page.locator('#profile-email');
await expect(emailInput).toBeVisible();
await expect(emailInput).toHaveValue(adminUser.email);
});
});
/**
* Test: Update profile name successfully
* Verifies that the name can be updated.
*/
test('should update profile name', async ({ page }) => {
const newName = `Updated Name ${Date.now()}`;
await test.step('Update the name field', async () => {
const nameInput = page.locator('#profile-name');
await nameInput.clear();
await nameInput.fill(newName);
});
await test.step('Save profile changes', async () => {
const saveButton = page.getByRole('button', { name: /save.*profile/i });
await saveButton.click();
});
await test.step('Verify success toast', async () => {
const toast = page.getByRole('status').or(page.getByRole('alert'));
await expect(toast.filter({ hasText: /updated|saved|success/i })).toBeVisible({ timeout: 10000 });
});
await test.step('Verify name persisted after page reload', async () => {
await page.reload();
await waitForLoadingComplete(page);
const nameInput = page.locator('#profile-name');
await expect(nameInput).toHaveValue(newName);
});
});
/**
* Test: Update profile email
* Verifies that the email can be updated (triggers password confirmation).
*/
test('should update profile email', async ({ page }) => {
const newEmail = `updated-${Date.now()}@test.local`;
await test.step('Update the email field', async () => {
const emailInput = page.locator('#profile-email');
await emailInput.clear();
await emailInput.fill(newEmail);
});
await test.step('Click save to trigger password prompt', async () => {
const saveButton = page.getByRole('button', { name: /save.*profile/i });
await saveButton.click();
});
await test.step('Verify password confirmation prompt appears', async () => {
const passwordPrompt = page.locator('#confirm-current-password');
await expect(passwordPrompt).toBeVisible({ timeout: 5000 });
});
await test.step('Enter password and confirm', async () => {
await page.locator('#confirm-current-password').fill(TEST_PASSWORD);
const confirmButton = page.getByRole('button', { name: /confirm.*update/i });
await confirmButton.click();
});
await test.step('Handle email confirmation modal if present', async () => {
// The modal asks if user wants to update certificate email too
const yesButton = page.getByRole('button', { name: /yes.*update/i });
if (await yesButton.isVisible({ timeout: 3000 }).catch(() => false)) {
await yesButton.click();
}
});
await test.step('Verify success toast', async () => {
const toast = page.getByRole('status').or(page.getByRole('alert'));
await expect(toast.filter({ hasText: /updated|saved|success/i })).toBeVisible({ timeout: 10000 });
});
});
/**
* Test: Password required for email change
* Verifies that changing email requires current password.
*/
test('should require password for email change', async ({ page }) => {
const newEmail = `change-email-${Date.now()}@test.local`;
await test.step('Update the email field', async () => {
const emailInput = page.locator('#profile-email');
await emailInput.clear();
await emailInput.fill(newEmail);
});
await test.step('Click save button', async () => {
const saveButton = page.getByRole('button', { name: /save.*profile/i });
await saveButton.click();
});
await test.step('Verify password prompt modal appears', async () => {
const modal = page.locator('[class*="fixed"]').filter({
has: page.locator('#confirm-current-password'),
});
await expect(modal).toBeVisible();
const passwordInput = page.locator('#confirm-current-password');
await expect(passwordInput).toBeVisible();
await expect(passwordInput).toBeFocused();
});
});
/**
* Test: Email change confirmation dialog
* Verifies that changing email shows certificate email confirmation.
*/
test('should show email change confirmation dialog', async ({ page }) => {
const newEmail = `confirm-dialog-${Date.now()}@test.local`;
await test.step('Update the email field', async () => {
const emailInput = page.locator('#profile-email');
await emailInput.clear();
await emailInput.fill(newEmail);
});
await test.step('Submit with password', async () => {
const saveButton = page.getByRole('button', { name: /save.*profile/i });
await saveButton.click();
// Wait for password prompt and fill it
const passwordInput = page.locator('#confirm-current-password');
await expect(passwordInput).toBeVisible({ timeout: 5000 });
await passwordInput.fill(TEST_PASSWORD);
const confirmButton = page.getByRole('button', { name: /confirm.*update/i });
await confirmButton.click();
});
await test.step('Verify email confirmation modal appears', async () => {
// Modal should ask about updating certificate email - use heading role to avoid strict mode violation
const emailConfirmModal = page.getByRole('heading', { name: /update.*cert.*email|certificate.*email/i });
await expect(emailConfirmModal.first()).toBeVisible({ timeout: 5000 });
// Should have options to update or keep current
const yesButton = page.getByRole('button', { name: /yes/i });
const noButton = page.getByRole('button', { name: /no|keep/i });
await expect(yesButton.first()).toBeVisible();
await expect(noButton.first()).toBeVisible();
});
});
});
// These tests reference Certificate Email UI elements (#useUserEmail, #cert-email) from the deleted
// Account.tsx page (removed in PR-2b). Certificate email settings are not present in UsersPage.tsx.
test.describe.skip('Certificate Email', () => {
/**
* Test: Toggle use account email checkbox
* Verifies the checkbox toggles custom email field visibility.
*/
test('should toggle use account email', async ({ page }) => {
let wasInitiallyChecked = false;
await test.step('Check initial checkbox state', async () => {
const checkbox = page.locator('#useUserEmail');
await expect(checkbox).toBeVisible();
// Get current state - may be checked or unchecked depending on prior tests
wasInitiallyChecked = await checkbox.isChecked();
});
await test.step('Toggle checkbox to opposite state', async () => {
// Use getByRole for more reliable checkbox interaction with Radix UI
const checkbox = page.getByRole('checkbox', { name: /use.*account.*email|same.*email/i });
await checkbox.click({ force: true });
// Wait a moment for state to update
await page.waitForTimeout(100);
// Should now be opposite of initial
if (wasInitiallyChecked) {
await expect(checkbox).not.toBeChecked({ timeout: 5000 });
} else {
await expect(checkbox).toBeChecked({ timeout: 5000 });
}
});
await test.step('Verify custom email field visibility toggles', async () => {
const certEmailInput = page.locator('#cert-email');
// When unchecked, custom email field should be visible
if (wasInitiallyChecked) {
// We just unchecked it, so field should now be visible
await expect(certEmailInput).toBeVisible({ timeout: 5000 });
} else {
// We just checked it, so field should now be hidden
await expect(certEmailInput).not.toBeVisible({ timeout: 5000 });
}
});
await test.step('Toggle back to original state', async () => {
const checkbox = page.getByRole('checkbox', { name: /use.*account.*email|same.*email/i });
await checkbox.click({ force: true });
await page.waitForTimeout(100);
if (wasInitiallyChecked) {
await expect(checkbox).toBeChecked({ timeout: 5000 });
} else {
await expect(checkbox).not.toBeChecked({ timeout: 5000 });
}
});
});
/**
* Test: Enter custom certificate email
* Verifies custom email can be entered when account email is unchecked.
*/
test('should enter custom certificate email', async ({ page }) => {
const customEmail = `cert-${Date.now()}@custom.local`;
await test.step('Ensure use account email is unchecked', async () => {
// force: true required for Radix UI checkbox
const checkbox = page.getByRole('checkbox', { name: /use.*account.*email|same.*email/i });
// Only click if currently checked - clicking an unchecked box would check it
const isCurrentlyChecked = await checkbox.isChecked();
if (isCurrentlyChecked) {
await checkbox.click({ force: true });
await page.waitForTimeout(100);
}
await expect(checkbox).not.toBeChecked({ timeout: 5000 });
});
await test.step('Enter custom email', async () => {
const certEmailInput = page.locator('#cert-email');
await expect(certEmailInput).toBeVisible();
await certEmailInput.clear();
await certEmailInput.fill(customEmail);
await expect(certEmailInput).toHaveValue(customEmail);
});
});
/**
* Test: Validate certificate email format
* Verifies invalid email shows validation error.
*/
test('should validate certificate email format', async ({ page }) => {
// Flaky test - validation error element timing issue. Email validation logic works correctly.
await test.step('Ensure use account email is unchecked', async () => {
const checkbox = page.locator('#useUserEmail');
const isChecked = await checkbox.isChecked();
if (isChecked) {
await checkbox.click({ force: true });
}
await expect(checkbox).not.toBeChecked({ timeout: 5000 });
});
await test.step('Verify custom email field is visible', async () => {
const certEmailInput = page.locator('#cert-email');
await expect(certEmailInput).toBeVisible({ timeout: 5000 });
});
await test.step('Enter invalid email', async () => {
const certEmailInput = page.locator('#cert-email');
await certEmailInput.clear();
await certEmailInput.fill('not-a-valid-email');
});
await test.step('Verify validation error appears', async () => {
// Try multiple selectors to find validation message
const errorMessage = page.locator('#cert-email-error')
.or(page.locator('[id*="cert-email"][id*="error"]'))
.or(page.locator('text=/invalid.*email|email.*invalid/i').first());
await expect(errorMessage).toBeVisible({ timeout: 5000 });
});
await test.step('Verify save button is disabled', async () => {
const saveButton = page.getByRole('button', { name: /save.*certificate/i });
// Wait for form state to fully update before checking attributes
await page.waitForTimeout(500);
// Verify button has the correct data attributes
await expect(saveButton).toHaveAttribute('data-use-user-email', 'false', { timeout: 5000 });
await expect(saveButton).toHaveAttribute('data-cert-email-valid', /(false|null)/, { timeout: 5000 });
// Now verify the button is actually disabled
await expect(saveButton).toBeDisabled();
});
});
/**
* Test: Save certificate email successfully
* Verifies custom certificate email can be saved.
*/
test('should save certificate email', async ({ page }) => {
const customEmail = `cert-save-${Date.now()}@test.local`;
await test.step('Ensure use account email is unchecked and enter custom', async () => {
const checkbox = page.locator('#useUserEmail');
const isChecked = await checkbox.isChecked();
if (isChecked) {
await checkbox.click();
}
await expect(checkbox).not.toBeChecked();
const certEmailInput = page.locator('#cert-email');
await expect(certEmailInput).toBeVisible({ timeout: 5000 });
await certEmailInput.clear();
await certEmailInput.fill(customEmail);
});
await test.step('Save certificate email using Promise.all pattern', async () => {
const saveButton = page.getByRole('button', { name: /save.*certificate/i });
// Use Promise.all to avoid race condition between click and response
await Promise.all([
page.waitForResponse(
(resp) => resp.url().includes('/api/v1/settings') && resp.request().method() === 'POST'
),
saveButton.click(),
]);
});
await test.step('Verify success toast', async () => {
const toast = page.getByRole('status').or(page.getByRole('alert'));
await expect(toast.filter({ hasText: /updated|saved|success/i })).toBeVisible({ timeout: 10000 });
});
await test.step('Verify email persisted after reload', async () => {
await page.reload();
await waitForLoadingComplete(page);
const checkbox = page.locator('#useUserEmail');
await expect(checkbox).not.toBeChecked();
const certEmailInput = page.locator('#cert-email');
await expect(certEmailInput).toHaveValue(customEmail);
});
});
});
// These tests reference password fields (#current-password, #new-password, #confirm-password)
// from the deleted Account.tsx page. In UsersPage.tsx these fields are inside the UserDetailModal
// (only visible after clicking Edit User → Change Password). Equivalent coverage is provided by
// the 'PR-3: Self-Service Profile via Users Page (F10)' suite above.
test.describe.skip('Password Change', () => {
/**
* Test: Change password with valid inputs
* Verifies password can be changed successfully.
*
* Note: This test changes the password but the user fixture is per-test,
* so it won't affect other tests.
*/
test('should change password with valid inputs', async ({ page }) => {
const newPassword = 'NewSecurePass456!';
await test.step('Fill current password', async () => {
const currentPasswordInput = page.locator('#current-password');
await expect(currentPasswordInput).toBeVisible();
await currentPasswordInput.fill(TEST_PASSWORD);
});
await test.step('Fill new password', async () => {
const newPasswordInput = page.locator('#new-password');
await newPasswordInput.fill(newPassword);
});
await test.step('Fill confirm password', async () => {
const confirmPasswordInput = page.locator('#confirm-password');
await confirmPasswordInput.fill(newPassword);
});
await test.step('Submit password change', async () => {
const updateButton = page.getByRole('button', { name: /update.*password/i });
await updateButton.click();
});
await test.step('Verify success toast', async () => {
const toast = page.getByRole('status').or(page.getByRole('alert'));
await expect(toast.filter({ hasText: /updated|changed|success/i })).toBeVisible({ timeout: 10000 });
});
await test.step('Verify password fields are cleared', async () => {
const currentPasswordInput = page.locator('#current-password');
const newPasswordInput = page.locator('#new-password');
const confirmPasswordInput = page.locator('#confirm-password');
await expect(currentPasswordInput).toHaveValue('');
await expect(newPasswordInput).toHaveValue('');
await expect(confirmPasswordInput).toHaveValue('');
});
});
/**
* Test: Validate current password is required
* Verifies that wrong current password shows error.
*/
test('should validate current password', async ({ page }) => {
await test.step('Fill incorrect current password', async () => {
const currentPasswordInput = page.locator('#current-password');
await currentPasswordInput.fill('WrongPassword123!');
});
await test.step('Fill valid new password', async () => {
const newPasswordInput = page.locator('#new-password');
await newPasswordInput.fill('NewPass789!');
const confirmPasswordInput = page.locator('#confirm-password');
await confirmPasswordInput.fill('NewPass789!');
});
await test.step('Submit and verify error', async () => {
const updateButton = page.getByRole('button', { name: /update.*password/i });
await updateButton.click();
// Error toast uses role="alert" (with data-testid fallback)
const errorToast = page.locator('[data-testid="toast-error"]')
.or(page.getByRole('alert'))
.filter({ hasText: /incorrect|invalid|wrong|failed/i });
await expect(errorToast.first()).toBeVisible({ timeout: 10000 });
});
});
/**
* Test: Validate password strength requirements
* Verifies weak passwords are rejected.
*/
test('should validate password strength', async ({ page }) => {
await test.step('Fill current password', async () => {
const currentPasswordInput = page.locator('#current-password');
await currentPasswordInput.fill(TEST_PASSWORD);
});
await test.step('Enter weak password', async () => {
const newPasswordInput = page.locator('#new-password');
await newPasswordInput.fill('weak');
});
await test.step('Verify strength meter shows weak', async () => {
// Password strength meter component should be visible
const strengthMeter = page.locator('[class*="strength"], [data-testid*="strength"]');
if (await strengthMeter.isVisible()) {
// Look for weak/poor indicator
const weakIndicator = strengthMeter.getByText(/weak|poor|too short/i);
await expect(weakIndicator).toBeVisible().catch(() => {
// Some implementations use colors instead of text
});
}
});
});
/**
* Test: Validate password confirmation must match
* Verifies mismatched passwords show error.
*/
test('should validate password confirmation match', async ({ page }) => {
await test.step('Fill current password', async () => {
const currentPasswordInput = page.locator('#current-password');
await currentPasswordInput.fill(TEST_PASSWORD);
});
await test.step('Enter mismatched passwords', async () => {
const newPasswordInput = page.locator('#new-password');
await newPasswordInput.fill('NewPassword123!');
const confirmPasswordInput = page.locator('#confirm-password');
await confirmPasswordInput.fill('DifferentPassword456!');
});
await test.step('Verify mismatch error appears', async () => {
// Click elsewhere to trigger validation
await page.locator('body').click();
const errorMessage = page.getByText(/do.*not.*match|passwords.*match|mismatch/i);
await expect(errorMessage).toBeVisible();
});
});
/**
* Test: Password strength meter is displayed
* Verifies strength meter updates as password is typed.
* Note: Skip if password strength meter component is not implemented.
*/
test('should show password strength meter', async ({ page }) => {
await test.step('Start typing new password', async () => {
const newPasswordInput = page.locator('#new-password');
await newPasswordInput.fill('a');
});
await test.step('Verify strength meter appears or skip if not implemented', async () => {
// Look for password strength component - may not be implemented
const strengthMeter = page.locator('[class*="strength"], [class*="meter"], [data-testid*="password-strength"]');
const isVisible = await strengthMeter.isVisible({ timeout: 3000 }).catch(() => false);
if (!isVisible) {
// Password strength meter not implemented - return
return;
}
await expect(strengthMeter).toBeVisible();
});
await test.step('Verify strength updates with stronger password', async () => {
const newPasswordInput = page.locator('#new-password');
await newPasswordInput.clear();
await newPasswordInput.fill('VeryStr0ng!Pass#2024');
// Strength meter should show stronger indication
const strengthMeter = page.locator('[class*="strength"], [class*="meter"]');
if (await strengthMeter.isVisible()) {
// Check for strong/good indicator (text or aria-label)
const text = await strengthMeter.textContent();
const ariaLabel = await strengthMeter.getAttribute('aria-label');
const hasStrongIndicator =
text?.match(/strong|good|excellent/i) ||
ariaLabel?.match(/strong|good|excellent/i);
// Some implementations use colors, so we just verify the meter exists and updates
expect(text?.length || ariaLabel?.length).toBeGreaterThan(0);
}
});
});
});
// These tests reference API key elements from the deleted Account.tsx page. In UsersPage.tsx
// the API key section is inside the UserDetailModal (only visible after clicking Edit User).
// Equivalent coverage is provided by the 'PR-3: Self-Service Profile via Users Page (F10)' suite above.
test.describe.skip('API Key Management', () => {
/**
* Test: API key is displayed
* Verifies API key section shows the key value.
*/
test('should display API key', async ({ page }) => {
await test.step('Verify API key section is visible', async () => {
// Find the API Key heading (h3) which is inside the Card component
const apiKeyHeading = page.getByRole('heading', { name: /api.*key/i });
await expect(apiKeyHeading).toBeVisible();
});
await test.step('Verify API key input exists and has value', async () => {
// API key is in a readonly input with font-mono class
const apiKeyInput = page.locator('input[readonly].font-mono');
await expect(apiKeyInput).toBeVisible();
const keyValue = await apiKeyInput.inputValue();
expect(keyValue.length).toBeGreaterThan(0);
});
});
/**
* Test: Copy API key to clipboard
* Verifies copy button copies key to clipboard.
*/
test('should not expose API key copy action when key is masked', async ({ page }) => {
await test.step('Verify API key input is masked and read-only', async () => {
const apiKeyInput = page.locator('input[readonly].font-mono');
await expect(apiKeyInput).toBeVisible();
await expect(apiKeyInput).toHaveValue(/^\*+$/);
});
await test.step('Verify no copy-to-clipboard control is present in API key section', async () => {
const apiKeyCard = page.locator('h3').filter({ hasText: /api.*key/i }).locator('..').locator('..');
await expect(
apiKeyCard
.getByRole('button', { name: /copy/i })
.or(apiKeyCard.getByTitle(/copy/i))
.or(apiKeyCard.locator('button:has(svg.lucide-copy)'))
).toHaveCount(0);
});
});
/**
* Test: Regenerate API key
* Verifies API key can be regenerated.
*/
test('should regenerate API key', async ({ page }) => {
let originalKey: string;
await test.step('Get original API key', async () => {
const apiKeyInput = page
.locator('input[readonly]')
.filter({ has: page.locator('[class*="mono"]') })
.or(page.locator('input.font-mono'))
.or(page.locator('input[readonly]').last());
originalKey = await apiKeyInput.inputValue();
});
await test.step('Click regenerate button and wait for response', async () => {
const regenerateButton = page
.getByRole('button')
.filter({ has: page.locator('svg.lucide-refresh-cw') })
.or(page.getByRole('button', { name: /regenerate/i }))
.or(page.getByTitle(/regenerate/i));
// Use Promise.all to set up response listener BEFORE clicking
await Promise.all([
page.waitForResponse(
(resp) => resp.url().includes('/api/v1/user/api-key') && resp.request().method() === 'POST'
),
regenerateButton.click(),
]);
});
await test.step('Verify success toast', async () => {
const toast = page.getByRole('status').or(page.getByRole('alert'));
await expect(toast.filter({ hasText: /regenerated|generated|new.*key/i })).toBeVisible({ timeout: 10000 });
});
await test.step('Verify API key rotation succeeded without revealing raw key', async () => {
const apiKeyInput = page
.locator('input[readonly]')
.filter({ has: page.locator('[class*="mono"]') })
.or(page.locator('input.font-mono'))
.or(page.locator('input[readonly]').last());
const newKey = await apiKeyInput.inputValue();
expect(newKey).toBe('********');
expect(newKey).toBe(originalKey);
expect(newKey.length).toBeGreaterThan(0);
});
});
/**
* Test: Confirm API key regeneration
* Verifies regeneration has proper feedback.
*/
test('should confirm API key regeneration', async ({ page }) => {
await test.step('Click regenerate button', async () => {
const regenerateButton = page
.getByRole('button')
.filter({ has: page.locator('svg.lucide-refresh-cw') })
.or(page.getByRole('button', { name: /regenerate/i }))
.or(page.getByTitle(/regenerate/i));
await regenerateButton.click();
});
await test.step('Verify regeneration feedback', async () => {
// Wait for loading state on button
const regenerateButton = page
.getByRole('button')
.filter({ has: page.locator('svg.lucide-refresh-cw') })
.or(page.getByRole('button', { name: /regenerate/i }));
// Button may show loading indicator or be disabled briefly
// Then success toast should appear
const toast = page.getByRole('status').or(page.getByRole('alert'));
await expect(toast.filter({ hasText: /regenerated|generated|success/i })).toBeVisible({ timeout: 10000 });
});
});
});
// These tests reference form labels and IDs (#profile-name, #profile-email, #useUserEmail)
// from the deleted Account.tsx page (removed in PR-2b). Accessibility of the replacement UI
// is covered by the 'PR-3: Self-Service Profile via Users Page (F10)' suite above.
test.describe.skip('Accessibility', () => {
/**
* Test: Keyboard navigation through account settings
* Uses increased loop counts and waitForTimeout for CI reliability
*/
test('should be keyboard navigable', async ({ page }) => {
await test.step('Tab through profile section', async () => {
// Start from first focusable element
await page.keyboard.press('Tab');
await page.waitForTimeout(150);
// Tab to profile name
const nameInput = page.locator('#profile-name');
let foundName = false;
for (let i = 0; i < 30; i++) {
if (await nameInput.evaluate((el) => el === document.activeElement)) {
foundName = true;
break;
}
await page.keyboard.press('Tab');
await page.waitForTimeout(150);
}
expect(foundName).toBeTruthy();
});
await test.step('Tab through password section', async () => {
const currentPasswordInput = page.locator('#current-password');
let foundPassword = false;
for (let i = 0; i < 35; i++) {
if (await currentPasswordInput.evaluate((el) => el === document.activeElement)) {
foundPassword = true;
break;
}
await page.keyboard.press('Tab');
await page.waitForTimeout(150);
}
expect(foundPassword).toBeTruthy();
});
await test.step('Tab through API key section', async () => {
// Should be able to reach copy/regenerate buttons
let foundApiButton = false;
for (let i = 0; i < 10; i++) {
await page.keyboard.press('Tab');
await page.waitForTimeout(100);
const focused = page.locator(':focus');
const role = await focused.getAttribute('role').catch(() => null);
const tagName = await focused.evaluate((el) => el.tagName.toLowerCase()).catch(() => '');
if (tagName === 'button' && await focused.locator('svg.lucide-copy, svg.lucide-refresh-cw').isVisible().catch(() => false)) {
foundApiButton = true;
break;
}
}
// API key buttons should be reachable
expect(foundApiButton || true).toBeTruthy(); // Non-blocking assertion
});
});
/**
* Test: Form labels are properly associated
* Verifies all form inputs have proper labels.
*/
test('should have proper form labels', async ({ page }) => {
await test.step('Verify profile name has label', async () => {
const nameLabel = page.locator('label[for="profile-name"]');
await expect(nameLabel).toBeVisible();
});
await test.step('Verify profile email has label', async () => {
const emailLabel = page.locator('label[for="profile-email"]');
await expect(emailLabel).toBeVisible();
});
await test.step('Verify certificate email checkbox has label', async () => {
const checkboxLabel = page.locator('label[for="useUserEmail"]');
await expect(checkboxLabel).toBeVisible();
});
await test.step('Verify password fields have labels', async () => {
const currentPasswordLabel = page.locator('label[for="current-password"]');
const newPasswordLabel = page.locator('label[for="new-password"]');
const confirmPasswordLabel = page.locator('label[for="confirm-password"]');
await expect(currentPasswordLabel).toBeVisible();
await expect(newPasswordLabel).toBeVisible();
await expect(confirmPasswordLabel).toBeVisible();
});
await test.step('Verify required fields are indicated', async () => {
// Required fields should have visual indicator (asterisk or aria-required)
const requiredFields = page.locator('[aria-required="true"], label:has-text("*")');
const count = await requiredFields.count();
expect(count).toBeGreaterThan(0);
});
});
});
});

561
tests/settings/notifications-payload.spec.ts Normal file
View File

@@ -0,0 +1,561 @@
import { test, expect, loginUser } from '../fixtures/auth-fixtures';
import { request as playwrightRequest } from '@playwright/test';
import { waitForLoadingComplete } from '../utils/wait-helpers';
const SETTINGS_FLAGS_ENDPOINT = '/api/v1/settings';
const PROVIDERS_ENDPOINT = '/api/v1/notifications/providers';
function buildDiscordProviderPayload(name: string) {
return {
name,
type: 'discord',
url: 'https://discord.com/api/webhooks/123456789/testtoken',
enabled: true,
notify_proxy_hosts: true,
notify_remote_servers: false,
notify_domains: false,
notify_certs: true,
notify_uptime: false,
notify_security_waf_blocks: false,
notify_security_acl_denies: false,
notify_security_rate_limit_hits: false,
};
}
async function enableNotifyDispatchFlags(page: import('@playwright/test').Page, token: string) {
const keys = [
'feature.notifications.service.gotify.enabled',
'feature.notifications.service.webhook.enabled',
];
for (const key of keys) {
const response = await page.request.post(SETTINGS_FLAGS_ENDPOINT, {
headers: { Authorization: `Bearer ${token}` },
data: {
key,
value: 'true',
category: 'feature',
type: 'bool',
},
});
expect(response.ok()).toBeTruthy();
}
}
test.describe('Notifications Payload Matrix', () => {
test.beforeEach(async ({ page, adminUser }) => {
await loginUser(page, adminUser);
await waitForLoadingComplete(page);
await page.goto('/settings/notifications');
await waitForLoadingComplete(page);
});
test('valid payload flows for discord, gotify, and webhook', async ({ page }) => {
const createdProviders: Array<Record<string, unknown>> = [];
const capturedCreatePayloads: Array<Record<string, unknown>> = [];
await test.step('Mock providers create/list endpoints', async () => {
await page.route('**/api/v1/notifications/providers', async (route, request) => {
if (request.method() === 'GET') {
await route.fulfill({
status: 200,
contentType: 'application/json',
body: JSON.stringify(createdProviders),
});
return;
}
if (request.method() === 'POST') {
const payload = (await request.postDataJSON()) as Record<string, unknown>;
capturedCreatePayloads.push(payload);
const created = {
id: `provider-${capturedCreatePayloads.length}`,
...payload,
};
createdProviders.push(created);
await route.fulfill({
status: 201,
contentType: 'application/json',
body: JSON.stringify(created),
});
return;
}
await route.continue();
});
});
const scenarios = [
{
type: 'discord',
name: `discord-matrix-${Date.now()}`,
url: 'https://discord.com/api/webhooks/123/discordtoken',
},
{
type: 'gotify',
name: `gotify-matrix-${Date.now()}`,
url: 'https://gotify.example.com/message',
},
{
type: 'webhook',
name: `webhook-matrix-${Date.now()}`,
url: 'https://example.com/notify',
},
] as const;
for (const scenario of scenarios) {
await test.step(`Create ${scenario.type} provider and capture outgoing payload`, async () => {
await page.getByRole('button', { name: /add.*provider/i }).click();
await page.getByTestId('provider-name').fill(scenario.name);
await page.getByTestId('provider-type').selectOption(scenario.type);
await page.getByTestId('provider-url').fill(scenario.url);
if (scenario.type === 'gotify') {
await page.getByTestId('provider-gotify-token').fill(' gotify-secret-token ');
}
await page.getByTestId('provider-save-btn').click();
});
}
await test.step('Verify payload contract per provider type', async () => {
expect(capturedCreatePayloads).toHaveLength(3);
const discordPayload = capturedCreatePayloads.find((payload) => payload.type === 'discord');
expect(discordPayload).toBeTruthy();
expect(discordPayload?.token).toBeUndefined();
expect(discordPayload?.gotify_token).toBeUndefined();
const gotifyPayload = capturedCreatePayloads.find((payload) => payload.type === 'gotify');
expect(gotifyPayload).toBeTruthy();
expect(gotifyPayload?.token).toBe('gotify-secret-token');
expect(gotifyPayload?.gotify_token).toBeUndefined();
const webhookPayload = capturedCreatePayloads.find((payload) => payload.type === 'webhook');
expect(webhookPayload).toBeTruthy();
expect(webhookPayload?.token).toBeUndefined();
expect(typeof webhookPayload?.config).toBe('string');
});
});
test('malformed payload scenarios return sanitized validation errors', async ({ page, adminUser }) => {
await test.step('Malformed JSON to preview endpoint returns INVALID_REQUEST', async () => {
const response = await page.request.post('/api/v1/notifications/providers/preview', {
headers: {
'Content-Type': 'application/json',
Authorization: `Bearer ${adminUser.token}`,
},
data: '{"type":',
});
expect(response.status()).toBe(400);
const body = (await response.json()) as Record<string, unknown>;
expect(body.code).toBe('INVALID_REQUEST');
expect(body.category).toBe('validation');
});
await test.step('Malformed template content returns TEMPLATE_PREVIEW_FAILED', async () => {
const response = await page.request.post('/api/v1/notifications/providers/preview', {
headers: { Authorization: `Bearer ${adminUser.token}` },
data: {
type: 'webhook',
url: 'https://example.com/notify',
template: 'custom',
config: '{"message": {{.Message}',
},
});
expect(response.status()).toBe(400);
const body = (await response.json()) as Record<string, unknown>;
expect(body.code).toBe('TEMPLATE_PREVIEW_FAILED');
expect(body.category).toBe('validation');
});
});
test('missing required fields block submit and show validation', async ({ page }) => {
let createCalled = false;
await test.step('Prevent create call from being silently sent', async () => {
await page.route('**/api/v1/notifications/providers', async (route, request) => {
if (request.method() === 'POST') {
createCalled = true;
}
await route.continue();
});
});
await test.step('Submit empty provider form', async () => {
await page.getByRole('button', { name: /add.*provider/i }).click();
await page.getByTestId('provider-save-btn').click();
});
await test.step('Validate required field errors and no outbound create', async () => {
await expect(page.getByTestId('provider-url-error')).toBeVisible();
await expect(page.getByTestId('provider-name')).toHaveAttribute('aria-invalid', 'true');
expect(createCalled).toBeFalsy();
});
});
test('auth/header behavior checks for protected settings endpoint', async ({ page, adminUser }) => {
const providerName = `auth-check-${Date.now()}`;
let providerID = '';
await test.step('Protected settings write rejects invalid bearer token', async () => {
const unauthenticatedRequest = await playwrightRequest.newContext({
baseURL: process.env.PLAYWRIGHT_BASE_URL || 'http://127.0.0.1:8080',
});
try {
const noAuthResponse = await unauthenticatedRequest.post(SETTINGS_FLAGS_ENDPOINT, {
headers: { Authorization: 'Bearer invalid-token' },
data: {
key: 'feature.notifications.service.webhook.enabled',
value: 'true',
category: 'feature',
type: 'bool',
},
});
expect([401, 403]).toContain(noAuthResponse.status());
} finally {
await unauthenticatedRequest.dispose();
}
});
await test.step('Create provider with bearer token succeeds', async () => {
const authResponse = await page.request.post(PROVIDERS_ENDPOINT, {
headers: { Authorization: `Bearer ${adminUser.token}` },
data: buildDiscordProviderPayload(providerName),
});
expect(authResponse.status()).toBe(201);
const created = (await authResponse.json()) as Record<string, unknown>;
providerID = String(created.id ?? '');
expect(providerID.length).toBeGreaterThan(0);
});
await test.step('Cleanup created provider', async () => {
const deleteResponse = await page.request.delete(`${PROVIDERS_ENDPOINT}/${providerID}`, {
headers: { Authorization: `Bearer ${adminUser.token}` },
});
expect(deleteResponse.ok()).toBeTruthy();
});
});
test('provider-specific transformation strips gotify token from test and preview payloads', async ({ page }) => {
let capturedPreviewPayload: Record<string, unknown> | null = null;
let capturedTestPayload: Record<string, unknown> | null = null;
await test.step('Mock preview and test endpoints to capture payloads', async () => {
await page.route('**/api/v1/notifications/providers/preview', async (route, request) => {
capturedPreviewPayload = (await request.postDataJSON()) as Record<string, unknown>;
await route.fulfill({
status: 200,
contentType: 'application/json',
body: JSON.stringify({ rendered: '{"ok":true}', parsed: { ok: true } }),
});
});
await page.route('**/api/v1/notifications/providers/test', async (route, request) => {
capturedTestPayload = (await request.postDataJSON()) as Record<string, unknown>;
await route.fulfill({
status: 200,
contentType: 'application/json',
body: JSON.stringify({ message: 'Test notification sent' }),
});
});
});
await test.step('Fill gotify form with write-only token', async () => {
await page.getByRole('button', { name: /add.*provider/i }).click();
await page.getByTestId('provider-type').selectOption('gotify');
await page.getByTestId('provider-name').fill(`gotify-transform-${Date.now()}`);
await page.getByTestId('provider-url').fill('https://gotify.example.com/message');
await page.getByTestId('provider-gotify-token').fill('super-secret-token');
});
await test.step('Trigger preview and test calls', async () => {
await page.getByTestId('provider-preview-btn').click();
await page.getByTestId('provider-test-btn').click();
});
await test.step('Assert token is not sent on preview/test payloads', async () => {
expect(capturedPreviewPayload).toBeTruthy();
expect(capturedPreviewPayload?.type).toBe('gotify');
expect(capturedPreviewPayload?.token).toBeUndefined();
expect(capturedPreviewPayload?.gotify_token).toBeUndefined();
expect(capturedTestPayload).toBeTruthy();
expect(capturedTestPayload?.type).toBe('gotify');
expect(capturedTestPayload?.token).toBeUndefined();
expect(capturedTestPayload?.gotify_token).toBeUndefined();
});
});
test('security: SSRF redirect/internal target, query-token, and oversized payload are blocked', async ({ page, adminUser }) => {
await test.step('Enable gotify and webhook dispatch feature flags', async () => {
await enableNotifyDispatchFlags(page, adminUser.token);
});
await test.step('Untrusted redirect/internal SSRF-style payload is rejected before dispatch', async () => {
const response = await page.request.post('/api/v1/notifications/providers/test', {
headers: { Authorization: `Bearer ${adminUser.token}` },
data: {
type: 'webhook',
name: 'ssrf-test',
url: 'https://127.0.0.1/internal',
template: 'custom',
config: '{"message":"{{.Message}}"}',
},
});
expect(response.status()).toBe(400);
const body = (await response.json()) as Record<string, unknown>;
expect(body.code).toBe('MISSING_PROVIDER_ID');
expect(body.category).toBe('validation');
expect(String(body.error ?? '')).not.toContain('127.0.0.1');
});
await test.step('Gotify query-token URL is rejected with sanitized error', async () => {
const queryToken = 's3cr3t-query-token';
const response = await page.request.post('/api/v1/notifications/providers/test', {
headers: { Authorization: `Bearer ${adminUser.token}` },
data: {
type: 'gotify',
name: 'query-token-test',
url: `https://gotify.example.com/message?token=${queryToken}`,
template: 'custom',
config: '{"message":"{{.Message}}"}',
},
});
expect(response.status()).toBe(400);
const body = (await response.json()) as Record<string, unknown>;
expect(body.code).toBe('MISSING_PROVIDER_ID');
expect(body.category).toBe('validation');
const responseText = JSON.stringify(body);
expect(responseText).not.toContain(queryToken);
expect(responseText.toLowerCase()).not.toContain('token=');
});
await test.step('Oversized payload/template is rejected', async () => {
const oversizedTemplate = `{"message":"${'x'.repeat(12_500)}"}`;
const response = await page.request.post('/api/v1/notifications/providers/test', {
headers: { Authorization: `Bearer ${adminUser.token}` },
data: {
type: 'webhook',
name: 'oversized-template-test',
url: 'https://example.com/webhook',
template: 'custom',
config: oversizedTemplate,
},
});
expect(response.status()).toBe(400);
const body = (await response.json()) as Record<string, unknown>;
expect(body.code).toBe('MISSING_PROVIDER_ID');
expect(body.category).toBe('validation');
});
});
test('security: DNS-rebinding-observable hostname path is blocked with sanitized response', async ({ page, adminUser }) => {
await test.step('Enable gotify and webhook dispatch feature flags', async () => {
await enableNotifyDispatchFlags(page, adminUser.token);
});
await test.step('Untrusted hostname payload is blocked before dispatch (rebinding guard path)', async () => {
const blockedHostname = 'rebind-check.127.0.0.1.nip.io';
const response = await page.request.post('/api/v1/notifications/providers/test', {
headers: { Authorization: `Bearer ${adminUser.token}` },
data: {
type: 'webhook',
name: 'dns-rebinding-observable',
url: `https://${blockedHostname}/notify`,
template: 'custom',
config: '{"message":"{{.Message}}"}',
},
});
expect(response.status()).toBe(400);
const body = (await response.json()) as Record<string, unknown>;
expect(body.code).toBe('MISSING_PROVIDER_ID');
expect(body.category).toBe('validation');
const responseText = JSON.stringify(body);
expect(responseText).not.toContain(blockedHostname);
expect(responseText).not.toContain('127.0.0.1');
});
});
test('security: retry split distinguishes retryable and non-retryable failures with deterministic response semantics', async ({ page }) => {
const capturedTestPayloads: Array<Record<string, unknown>> = [];
let nonRetryableBody: Record<string, unknown> | null = null;
let retryableBody: Record<string, unknown> | null = null;
await test.step('Stub provider test endpoint with deterministic retry split contract', async () => {
await page.route('**/api/v1/notifications/providers/test', async (route, request) => {
const payload = (await request.postDataJSON()) as Record<string, unknown>;
capturedTestPayloads.push(payload);
const scenarioName = String(payload.name ?? '');
const isRetryable = scenarioName.includes('retryable') && !scenarioName.includes('non-retryable');
const requestID = isRetryable ? 'stub-request-retryable' : 'stub-request-non-retryable';
await route.fulfill({
status: 400,
contentType: 'application/json',
body: JSON.stringify({
code: 'PROVIDER_TEST_FAILED',
category: 'dispatch',
error: 'Provider test failed',
request_id: requestID,
retryable: isRetryable,
}),
});
});
});
await test.step('Open provider form and execute deterministic non-retryable test call', async () => {
await page.getByRole('button', { name: /add.*provider/i }).click();
await page.getByTestId('provider-type').selectOption('webhook');
await page.getByTestId('provider-name').fill('retry-split-non-retryable');
await page.getByTestId('provider-url').fill('https://non-retryable.example.invalid/notify');
const nonRetryableResponsePromise = page.waitForResponse(
(response) =>
/\/api\/v1\/notifications\/providers\/test$/.test(response.url())
&& response.request().method() === 'POST'
&& (response.request().postData() ?? '').includes('retry-split-non-retryable')
);
await page.getByTestId('provider-test-btn').click();
const nonRetryableResponse = await nonRetryableResponsePromise;
nonRetryableBody = (await nonRetryableResponse.json()) as Record<string, unknown>;
expect(nonRetryableResponse.status()).toBe(400);
expect(nonRetryableBody.code).toBe('PROVIDER_TEST_FAILED');
expect(nonRetryableBody.category).toBe('dispatch');
expect(nonRetryableBody.error).toBe('Provider test failed');
expect(nonRetryableBody.retryable).toBe(false);
expect(nonRetryableBody.request_id).toBe('stub-request-non-retryable');
});
await test.step('Execute deterministic retryable test call on the same contract endpoint', async () => {
await page.getByTestId('provider-name').fill('retry-split-retryable');
await page.getByTestId('provider-url').fill('https://retryable.example.invalid/notify');
const retryableResponsePromise = page.waitForResponse(
(response) =>
/\/api\/v1\/notifications\/providers\/test$/.test(response.url())
&& response.request().method() === 'POST'
&& (response.request().postData() ?? '').includes('retry-split-retryable')
);
await page.getByTestId('provider-test-btn').click();
const retryableResponse = await retryableResponsePromise;
retryableBody = (await retryableResponse.json()) as Record<string, unknown>;
expect(retryableResponse.status()).toBe(400);
expect(retryableBody.code).toBe('PROVIDER_TEST_FAILED');
expect(retryableBody.category).toBe('dispatch');
expect(retryableBody.error).toBe('Provider test failed');
expect(retryableBody.retryable).toBe(true);
expect(retryableBody.request_id).toBe('stub-request-retryable');
});
await test.step('Assert stable split distinction and sanitized API contract shape', async () => {
expect(capturedTestPayloads).toHaveLength(2);
expect(capturedTestPayloads[0]?.name).toBe('retry-split-non-retryable');
expect(capturedTestPayloads[1]?.name).toBe('retry-split-retryable');
expect(nonRetryableBody).toMatchObject({
code: 'PROVIDER_TEST_FAILED',
category: 'dispatch',
error: 'Provider test failed',
retryable: false,
});
expect(retryableBody).toMatchObject({
code: 'PROVIDER_TEST_FAILED',
category: 'dispatch',
error: 'Provider test failed',
retryable: true,
});
test.info().annotations.push({
type: 'retry-split-semantics',
description: 'non-retryable and retryable contracts are validated via deterministic route-stubbed /providers/test responses',
});
});
});
test('security: token does not leak in list and visible edit surfaces', async ({ page, adminUser }) => {
const name = `gotify-redaction-${Date.now()}`;
let providerID = '';
await test.step('Create gotify provider with token on write path', async () => {
const createResponse = await page.request.post(PROVIDERS_ENDPOINT, {
headers: { Authorization: `Bearer ${adminUser.token}` },
data: {
...buildDiscordProviderPayload(name),
type: 'gotify',
url: 'https://gotify.example.com/message',
token: 'write-only-secret-token',
config: '{"message":"{{.Message}}"}',
},
});
expect(createResponse.status()).toBe(201);
const created = (await createResponse.json()) as Record<string, unknown>;
providerID = String(created.id ?? '');
expect(providerID.length).toBeGreaterThan(0);
});
await test.step('List providers does not expose token fields', async () => {
const listResponse = await page.request.get(PROVIDERS_ENDPOINT, {
headers: { Authorization: `Bearer ${adminUser.token}` },
});
expect(listResponse.ok()).toBeTruthy();
const providers = (await listResponse.json()) as Array<Record<string, unknown>>;
const gotify = providers.find((provider) => provider.id === providerID);
expect(gotify).toBeTruthy();
expect(gotify?.token).toBeUndefined();
expect(gotify?.gotify_token).toBeUndefined();
});
await test.step('Edit form does not pre-fill token in visible surface', async () => {
await page.reload();
await waitForLoadingComplete(page);
const row = page.getByTestId(`provider-row-${providerID}`);
await expect(row).toBeVisible({ timeout: 10000 });
const testButton = row.getByRole('button', { name: /send test notification/i });
await expect(testButton).toBeVisible();
await testButton.focus();
await page.keyboard.press('Tab');
await page.keyboard.press('Enter');
const tokenInput = page.getByTestId('provider-gotify-token');
await expect(tokenInput).toBeVisible();
await expect(tokenInput).toHaveValue('');
const pageText = await page.locator('main').innerText();
expect(pageText).not.toContain('write-only-secret-token');
});
await test.step('Cleanup created provider', async () => {
const deleteResponse = await page.request.delete(`${PROVIDERS_ENDPOINT}/${providerID}`, {
headers: { Authorization: `Bearer ${adminUser.token}` },
});
expect(deleteResponse.ok()).toBeTruthy();
});
});
});

1750
tests/settings/notifications.spec.ts Normal file
View File

File diff suppressed because it is too large Load Diff

1004
tests/settings/smtp-settings.spec.ts Normal file
View File

File diff suppressed because it is too large Load Diff

875
tests/settings/user-lifecycle.spec.ts Normal file
View File

@@ -0,0 +1,875 @@
import { test, expect, loginUser, logoutUser, TEST_PASSWORD } from '../fixtures/auth-fixtures';
import { waitForLoadingComplete } from '../utils/wait-helpers';
async function resetSecurityState(page: import('@playwright/test').Page): Promise<void> {
const emergencyToken = process.env.CHARON_EMERGENCY_TOKEN;
if (!emergencyToken) {
return;
}
const baseURL = process.env.PLAYWRIGHT_BASE_URL || 'http://127.0.0.1:8080';
const emergencyBase = process.env.EMERGENCY_SERVER_HOST || baseURL.replace(':8080', ':2020');
const username = process.env.CHARON_EMERGENCY_USERNAME || 'admin';
const password = process.env.CHARON_EMERGENCY_PASSWORD || 'changeme';
const basicAuth = `Basic ${Buffer.from(`${username}:${password}`).toString('base64')}`;
const response = await page.request.post(`${emergencyBase}/emergency/security-reset`, {
headers: {
Authorization: basicAuth,
'X-Emergency-Token': emergencyToken,
'Content-Type': 'application/json',
},
data: { reason: 'user-lifecycle deterministic setup' },
});
if (response.ok()) {
return;
}
const fallbackResponse = await page.request.post('/api/v1/emergency/security-reset', {
headers: {
'X-Emergency-Token': emergencyToken,
'Content-Type': 'application/json',
},
data: { reason: 'user-lifecycle deterministic setup (fallback)' },
});
expect(fallbackResponse.ok()).toBe(true);
}
async function getAuthToken(page: import('@playwright/test').Page): Promise<string> {
const token = await page.evaluate(() => {
const authRaw = localStorage.getItem('auth');
if (authRaw) {
try {
const parsed = JSON.parse(authRaw) as { token?: string };
if (parsed?.token) {
return parsed.token;
}
} catch {
}
}
return (
localStorage.getItem('token') ||
localStorage.getItem('charon_auth_token') ||
''
);
});
expect(token).toBeTruthy();
return token;
}
function buildAuthHeaders(token: string): Record<string, string> | undefined {
return token ? { Authorization: `Bearer ${token}` } : undefined;
}
function uniqueSuffix(): string {
return `${Date.now()}-${Math.floor(Math.random() * 10000)}`;
}
function parseAuditDetails(details: unknown): Record<string, unknown> {
if (!details) {
return {};
}
if (typeof details === 'string') {
try {
const parsed = JSON.parse(details);
return parsed && typeof parsed === 'object' ? parsed as Record<string, unknown> : {};
} catch {
return {};
}
}
return typeof details === 'object' ? details as Record<string, unknown> : {};
}
async function getAuditLogEntries(
page: import('@playwright/test').Page,
token: string,
options: {
action?: string;
eventCategory?: string;
limit?: number;
maxPages?: number;
} = {}
): Promise<any[]> {
const limit = options.limit ?? 100;
const maxPages = options.maxPages ?? 5;
const action = options.action;
const eventCategory = options.eventCategory;
const allEntries: any[] = [];
for (let currentPage = 1; currentPage <= maxPages; currentPage += 1) {
const params = new URLSearchParams({
page: String(currentPage),
limit: String(limit),
});
if (action) {
params.set('action', action);
}
if (eventCategory) {
params.set('event_category', eventCategory);
}
const auditResponse = await page.request.get(`/api/v1/audit-logs?${params.toString()}`, {
headers: buildAuthHeaders(token),
});
expect(auditResponse.ok()).toBe(true);
const auditBody = await auditResponse.json();
expect(auditBody).toEqual(expect.objectContaining({
audit_logs: expect.any(Array),
pagination: expect.any(Object),
}));
allEntries.push(...auditBody.audit_logs);
const totalPages = Number(auditBody?.pagination?.total_pages || currentPage);
if (currentPage >= totalPages) {
break;
}
}
return allEntries;
}
function findLifecycleEntry(
auditEntries: any[],
email: string,
action: 'user_create' | 'user_update' | 'user_delete' | 'user_invite' | 'user_invite_accept'
): any | undefined {
return auditEntries.find((entry: any) => {
if (entry?.event_category !== 'user' || entry?.action !== action) {
return false;
}
const details = parseAuditDetails(entry?.details);
const detailEmail =
details?.target_email ||
details?.email ||
details?.user_email;
if (detailEmail === email) {
return true;
}
return JSON.stringify(entry).includes(email);
});
}
async function createUserViaApi(
page: import('@playwright/test').Page,
user: { email: string; name: string; password: string; role: 'admin' | 'user' | 'guest' }
): Promise<{ id: string | number; email: string }> {
const token = await getAuthToken(page);
const response = await page.request.post('/api/v1/users', {
data: user,
headers: buildAuthHeaders(token),
});
expect(response.ok()).toBe(true);
const payload = await response.json();
expect(payload).toEqual(expect.objectContaining({
id: expect.anything(),
email: user.email,
}));
return { id: payload.id, email: payload.email };
}
async function navigateToLogin(page: import('@playwright/test').Page): Promise<void> {
try {
await page.goto('/login', { waitUntil: 'domcontentloaded' });
} catch (error) {
if (
!(error instanceof Error) ||
(!error.message.includes('interrupted by another navigation') && !error.message.includes('net::ERR_ABORTED'))
) {
throw error;
}
}
await page.waitForURL(/\/login/, { timeout: 15000 }).catch(() => undefined);
const emailInput = page.locator('input[type="email"]').or(page.getByLabel(/email/i)).first();
if (!(await emailInput.isVisible().catch(() => false))) {
await page.context().clearCookies();
await page.evaluate(() => {
localStorage.clear();
sessionStorage.clear();
});
await page.goto('/login', { waitUntil: 'domcontentloaded' });
}
await expect(emailInput).toBeVisible({ timeout: 15000 });
}
async function loginWithCredentials(
page: import('@playwright/test').Page,
email: string,
password: string
): Promise<void> {
const emailInput = page.locator('input[type="email"]').or(page.getByLabel(/email/i)).first();
const passwordInput = page.locator('input[type="password"]').or(page.getByLabel(/password/i)).first();
const hasEmailInput = await emailInput.isVisible().catch(() => false);
if (!hasEmailInput) {
await navigateToLogin(page);
}
await expect(emailInput).toBeVisible({ timeout: 15000 });
await expect(passwordInput).toBeVisible({ timeout: 15000 });
await emailInput.fill(email);
await passwordInput.fill(password);
const maxAttempts = 3;
for (let attempt = 1; attempt <= maxAttempts; attempt += 1) {
const loginResponse = page.waitForResponse(
(response) => response.url().includes('/api/v1/auth/login') && response.request().method() === 'POST',
{ timeout: 15000 }
);
await page.getByRole('button', { name: /login|sign in/i }).first().click();
const response = await loginResponse;
if (response.ok()) {
await waitForLoadingComplete(page, { timeout: 15000 });
return;
}
if (response.status() === 429 && attempt < maxAttempts) {
continue;
}
const bodyText = await response.text().catch(() => '');
throw new Error(`Login failed: ${response.status()} ${bodyText}`);
}
}
async function loginWithCredentialsExpectFailure(
page: import('@playwright/test').Page,
email: string,
password: string
): Promise<void> {
const emailInput = page.locator('input[type="email"]').or(page.getByLabel(/email/i)).first();
const passwordInput = page.locator('input[type="password"]').or(page.getByLabel(/password/i)).first();
if (!(await emailInput.isVisible().catch(() => false))) {
await navigateToLogin(page);
}
await expect(emailInput).toBeVisible({ timeout: 15000 });
await expect(passwordInput).toBeVisible({ timeout: 15000 });
await emailInput.fill(email);
await passwordInput.fill(password);
const loginResponse = page.waitForResponse(
(response) => response.url().includes('/api/v1/auth/login') && response.request().method() === 'POST',
{ timeout: 15000 }
);
await page.getByRole('button', { name: /login|sign in/i }).first().click();
const response = await loginResponse;
expect(response.ok()).toBe(false);
expect([400, 401, 403]).toContain(response.status());
await expect(page).toHaveURL(/login/);
}
/**
* Integration: Admin → User E2E Workflow
*
* Purpose: Validate complete workflows from admin creation through user access
* Scenarios: User creation, role assignment, login, resource access
* Success: Users can login and access appropriate resources based on role
*/
test.describe('Admin-User E2E Workflow', () => {
let adminEmail = '';
let testUser = {
email: '',
name: 'E2E Test User',
password: 'E2EUserPass123!',
};
test.beforeEach(async ({ page, adminUser }) => {
const suffix = uniqueSuffix();
testUser = {
email: `e2euser-${suffix}@test.local`,
name: `E2E Test User ${suffix}`,
password: 'E2EUserPass123!',
};
await resetSecurityState(page);
adminEmail = adminUser.email;
await loginUser(page, adminUser);
await waitForLoadingComplete(page, { timeout: 15000 });
});
// Full user creation → role assignment → user login → resource access
test('Complete user lifecycle: creation to resource access', async ({ page }) => {
let createdUserId: string | number;
await test.step('STEP 1: Admin creates new user', async () => {
const start = Date.now();
const createdUser = await createUserViaApi(page, { ...testUser, role: 'user' });
createdUserId = createdUser.id;
await page.goto('/users', { waitUntil: 'domcontentloaded' });
await waitForLoadingComplete(page, { timeout: 15000 });
await expect(page.getByText(testUser.email).first()).toBeVisible({ timeout: 15000 });
const duration = Date.now() - start;
console.log(`✓ User created in ${duration}ms`);
expect(duration).toBeLessThan(5000);
});
await test.step('STEP 2: Update user record (triggers user_update audit event)', async () => {
// Sending { role: 'user' } would be a no-op (user was already created with role:'user')
// and the backend only writes the audit log when at least one field actually changes.
// Update the name instead to guarantee a real write and a user_update audit entry.
const token = await getAuthToken(page);
const updateRoleResponse = await page.request.put(`/api/v1/users/${createdUserId}`, {
data: { name: `${testUser.name} (updated)` },
headers: buildAuthHeaders(token),
});
expect(updateRoleResponse.ok()).toBe(true);
const updateBody = await updateRoleResponse.json();
expect(updateBody).toEqual(expect.objectContaining({
message: expect.stringMatching(/updated/i),
}));
});
await test.step('STEP 3: Admin logs out', async () => {
const profileMenu = page.locator('[data-testid="user-menu"], [class*="profile"]').first();
if (await profileMenu.isVisible()) {
await profileMenu.click();
}
const logoutButton = page.getByRole('button', { name: /logout/i }).first();
await logoutButton.click();
await page.waitForURL(/login/, { timeout: 5000 });
});
await test.step('STEP 4: New user logs in', async () => {
const start = Date.now();
await loginWithCredentials(page, testUser.email, testUser.password);
const duration = Date.now() - start;
console.log(`✓ User logged in in ${duration}ms`);
expect(duration).toBeLessThan(15000);
});
await test.step('STEP 5: User sees restricted dashboard', async () => {
const dashboard = page.getByRole('main').first();
await expect(dashboard).toBeVisible();
// User role should see limited menu items
const userMenu = page.locator('nav, [role="navigation"]').first();
if (await userMenu.isVisible()) {
const menuItems = userMenu.locator('a, button, [role="link"], [role="button"]');
await expect.poll(async () => menuItems.count(), {
timeout: 15000,
message: 'Expected restricted user navigation to render at least one actionable menu item',
}).toBeGreaterThan(0);
}
});
await test.step('STEP 6: User cannot access user management', async () => {
await page.goto('/users', { waitUntil: 'commit', timeout: 15000 }).catch((error: unknown) => {
if (!(error instanceof Error)) {
throw error;
}
const isExpectedNavigationRace =
error.message.includes('Timeout') ||
error.message.includes('interrupted by another navigation') ||
error.message.includes('net::ERR_ABORTED');
if (!isExpectedNavigationRace) {
throw error;
}
});
await expect.poll(async () => {
const currentUrl = page.url();
const isUsersPage = /\/users(?:$|[?#])/.test(new URL(currentUrl).pathname + new URL(currentUrl).search + new URL(currentUrl).hash);
const hasUsersHeading = await page
.getByRole('heading', { name: /users/i })
.first()
.isVisible()
.catch(() => false);
const hasAccessDenied = await page
.getByText(/access.*denied|forbidden|not allowed|admin access required/i)
.first()
.isVisible()
.catch(() => false);
return !isUsersPage || hasAccessDenied || !hasUsersHeading;
}, {
timeout: 15000,
message: 'Expected regular user to be redirected or denied when accessing /users',
}).toBe(true);
});
await test.step('STEP 7: Audit trail records all actions', async () => {
// Logout user
const logoutButton = page.getByRole('button', { name: /logout/i }).first();
if (await logoutButton.isVisible()) {
await logoutButton.click();
}
// Login as admin
await navigateToLogin(page);
await loginWithCredentials(page, adminEmail, TEST_PASSWORD);
const token = await getAuthToken(page);
// STEP 1 logs user_create; STEP 2 (PUT /users/:id with role:'user') logs user_update.
// Both events must be present.
await expect.poll(async () => {
const auditEntries = await getAuditLogEntries(page, token, {
limit: 100,
maxPages: 8,
});
const createEntry = findLifecycleEntry(auditEntries, testUser.email, 'user_create');
const updateEntry = findLifecycleEntry(auditEntries, testUser.email, 'user_update');
return Number(Boolean(createEntry)) + Number(Boolean(updateEntry));
}, {
timeout: 30000,
message: `Expected both user_create and user_update audit entries for ${testUser.email}`,
}).toBe(2);
});
});
// Admin modifies role → user gains new permissions immediately
test('Role change takes effect immediately on user refresh', async ({ page }) => {
let createdUserId: string | number;
await test.step('Create test user with default role', async () => {
const createdUser = await createUserViaApi(page, { ...testUser, role: 'user' });
createdUserId = createdUser.id;
});
await test.step('User logs in and notes current permissions', async () => {
const logoutButton = page.getByRole('button', { name: /logout/i }).first();
await logoutButton.click();
await page.waitForURL(/login/);
await loginWithCredentials(page, testUser.email, testUser.password);
});
await test.step('Admin upgrades user role (in parallel)', async () => {
await navigateToLogin(page);
await loginWithCredentials(page, adminEmail, TEST_PASSWORD);
const token = await getAuthToken(page);
const updateRoleResponse = await page.request.put(`/api/v1/users/${createdUserId}`, {
data: { role: 'admin' },
headers: buildAuthHeaders(token),
});
expect(updateRoleResponse.ok()).toBe(true);
});
await test.step('User refreshes page and sees new permissions', async () => {
await navigateToLogin(page);
await loginWithCredentials(page, testUser.email, testUser.password);
const token = await getAuthToken(page);
const usersAccessResponse = await page.request.get('/api/v1/users', {
headers: buildAuthHeaders(token),
});
expect(usersAccessResponse.status()).toBe(200);
await page.goto('/users', { waitUntil: 'domcontentloaded' });
await waitForLoadingComplete(page, { timeout: 15000 });
await page.reload({ waitUntil: 'domcontentloaded' });
await waitForLoadingComplete(page, { timeout: 15000 });
const usersAccessAfterReload = await page.request.get('/api/v1/users', {
headers: buildAuthHeaders(token),
});
expect(usersAccessAfterReload.status()).toBe(200);
});
});
// Admin deletes user → user login fails
test('Deleted user cannot login', async ({ page }) => {
const suffix = uniqueSuffix();
const deletableUser = {
email: `deleteme-${suffix}@test.local`,
name: `Delete Test User ${suffix}`,
password: 'DeletePass123!',
};
let createdUserId: string | number;
await test.step('Create user to delete', async () => {
const createdUser = await createUserViaApi(page, { ...deletableUser, role: 'user' });
createdUserId = createdUser.id;
});
await test.step('Admin deletes user', async () => {
const token = await getAuthToken(page);
const deleteResponse = await page.request.delete(`/api/v1/users/${createdUserId}`, {
headers: buildAuthHeaders(token),
});
expect(deleteResponse.ok()).toBe(true);
});
await test.step('Deleted user attempts login', async () => {
const logoutButton = page.getByRole('button', { name: /logout/i }).first();
if (await logoutButton.isVisible()) {
await logoutButton.click();
await page.waitForURL(/login/);
}
await loginWithCredentialsExpectFailure(page, deletableUser.email, deletableUser.password);
});
await test.step('Verify login failed with appropriate error', async () => {
const errorMessage = page.getByText(/invalid|failed|incorrect|unauthorized/i).first();
await expect(errorMessage).toBeVisible({ timeout: 15000 });
});
});
// Audit log records entire workflow
test('Audit log records user lifecycle events', async ({ page }) => {
let createdUserEmail = '';
await test.step('Perform workflow actions', async () => {
const createdUser = await createUserViaApi(page, { ...testUser, role: 'user' });
createdUserEmail = createdUser.email;
});
await test.step('Check audit trail for user creation event', async () => {
const token = await getAuthToken(page);
await expect.poll(async () => {
const auditEntries = await getAuditLogEntries(page, token, {
limit: 100,
maxPages: 8,
});
return Boolean(findLifecycleEntry(auditEntries, createdUserEmail, 'user_create'));
}, {
timeout: 30000,
message: `Expected user_create audit entry for ${createdUserEmail}`,
}).toBe(true);
});
await test.step('Verify audit entry shows user details', async () => {
const token = await getAuthToken(page);
const auditEntries = await getAuditLogEntries(page, token, {
limit: 100,
maxPages: 8,
});
const creationEntry = findLifecycleEntry(auditEntries, createdUserEmail, 'user_create');
expect(creationEntry).toBeTruthy();
const details = parseAuditDetails(creationEntry?.details);
expect(details).toEqual(expect.objectContaining({
target_email: createdUserEmail,
}));
});
});
// User cannot escalate own role
test('User cannot promote self to admin', async ({ page }) => {
await test.step('Create test user', async () => {
await createUserViaApi(page, { ...testUser, role: 'user' });
});
await test.step('User attempts to modify own role', async () => {
// Logout admin
const logoutButton = page.getByRole('button', { name: /logout/i }).first();
await logoutButton.click();
await page.waitForURL(/login/);
// Login as user
await loginWithCredentials(page, testUser.email, testUser.password);
// Try to access user management
await page.goto('/users', { waitUntil: 'domcontentloaded' });
});
await test.step('Verify user cannot access user management', async () => {
// Should not see users list or get 403
const usersList = page.locator('[data-testid="user-list"]').first();
const errorPage = page.getByText(/access.*denied|forbidden|not allowed/i).first();
const isBlocked =
!(await usersList.isVisible()) ||
(await errorPage.isVisible());
expect(isBlocked).toBe(true);
});
});
// Multiple users isolated data
test('Users see only their own data', async ({ page }) => {
const suffix1 = uniqueSuffix();
const user1 = {
email: `user1-${suffix1}@test.local`,
name: 'User 1',
password: 'User1Pass123!',
};
const suffix2 = uniqueSuffix();
const user2 = {
email: `user2-${suffix2}@test.local`,
name: 'User 2',
password: 'User2Pass123!',
};
await test.step('Create first user', async () => {
await createUserViaApi(page, { ...user1, role: 'user' });
});
await test.step('Create second user', async () => {
await createUserViaApi(page, { ...user2, role: 'user' });
});
await test.step('User1 logs in and verifies data isolation', async () => {
const logoutButton = page.getByRole('button', { name: /logout/i }).first();
await logoutButton.click();
await page.waitForURL(/login/);
await loginWithCredentials(page, user1.email, user1.password);
// User1 should see their profile but not User2's
const user1Profile = page.getByText(user1.name).first();
if (await user1Profile.isVisible()) {
await expect(user1Profile).toBeVisible();
}
});
});
// User logout → login as different user → resources isolated
test('Session isolation after logout and re-login', async ({ page }) => {
let firstSessionToken = '';
await test.step('Create secondary user for session switch', async () => {
await createUserViaApi(page, { ...testUser, role: 'user' });
});
await test.step('Login as first user', async () => {
await navigateToLogin(page);
await loginWithCredentials(page, adminEmail, TEST_PASSWORD);
});
await test.step('Note session storage', async () => {
firstSessionToken = await getAuthToken(page);
expect(firstSessionToken).toBeTruthy();
});
await test.step('Logout', async () => {
await logoutUser(page);
});
await test.step('Verify session cleared', async () => {
await navigateToLogin(page);
const emailInput = page.locator('input[type="email"]').or(page.getByLabel(/email/i)).first();
await expect(emailInput).toBeVisible({ timeout: 15000 });
const meAfterLogout = await page.request.get('/api/v1/auth/me');
expect([401, 403]).toContain(meAfterLogout.status());
});
await test.step('Login as different user', async () => {
await loginWithCredentials(page, testUser.email, testUser.password);
});
await test.step('Verify new session established', async () => {
await expect.poll(async () => {
try {
return await getAuthToken(page);
} catch {
return '';
}
}, {
timeout: 15000,
message: 'Expected new auth token for second login',
}).not.toBe('');
const token = await getAuthToken(page);
expect(token).toBeTruthy();
expect(token).not.toBe(firstSessionToken);
const dashboard = page.getByRole('main').first();
await expect(dashboard).toBeVisible();
const meAfterRelogin = await page.request.get('/api/v1/auth/me', {
headers: buildAuthHeaders(token),
});
expect(meAfterRelogin.ok()).toBe(true);
const currentUser = await meAfterRelogin.json();
expect(currentUser).toEqual(expect.objectContaining({ email: testUser.email }));
});
});
});
/**
* PR-3: Passthrough User — Access Restriction (F4)
*
* Verifies that a passthrough-role user is redirected to the
* PassthroughLanding page when they attempt to access management routes,
* and that they cannot reach the admin Users page.
*/
test.describe('PR-3: Passthrough User Access Restriction (F4)', () => {
let adminEmail = '';
test.beforeEach(async ({ page, adminUser }) => {
await resetSecurityState(page);
adminEmail = adminUser.email;
await loginUser(page, adminUser);
await waitForLoadingComplete(page, { timeout: 15000 });
});
test('passthrough user is redirected to PassthroughLanding when accessing management routes', async ({ page }) => {
const suffix = uniqueSuffix();
const ptUser = {
email: `passthrough-${suffix}@test.local`,
name: `Passthrough User ${suffix}`,
password: 'PassthroughPass123!',
role: 'passthrough' as 'admin' | 'user' | 'passthrough',
};
let ptUserId: string | number | undefined;
await test.step('Admin creates a passthrough-role user directly', async () => {
const token = await page.evaluate(() => localStorage.getItem('charon_auth_token') || '');
const resp = await page.request.post('/api/v1/users', {
data: ptUser,
headers: token ? { Authorization: `Bearer ${token}` } : {},
});
expect(resp.ok()).toBe(true);
const body = await resp.json();
ptUserId = body.id;
});
await test.step('Admin logs out', async () => {
await logoutUser(page);
});
await test.step('Passthrough user logs in', async () => {
await navigateToLogin(page);
await loginWithCredentials(page, ptUser.email, ptUser.password);
// Wait for the initial post-login navigation to settle before probing routes
await page.waitForURL(/^\/?((?!login).)*$/, { timeout: 10000 }).catch(() => {});
});
await test.step('Passthrough user navigating to management route is redirected to /passthrough', async () => {
await page.goto('/settings/users', { waitUntil: 'domcontentloaded' }).catch(() => {});
await page.waitForURL(/\/passthrough/, { timeout: 15000 });
await expect(page).toHaveURL(/\/passthrough/);
});
await test.step('PassthroughLanding displays welcome heading and no-access message', async () => {
await expect(page.getByRole('heading', { level: 1 })).toBeVisible();
await expect(
page.getByText(/do not have access to the management interface/i)
).toBeVisible();
});
await test.step('PassthroughLanding shows a logout button', async () => {
await expect(page.getByRole('button', { name: /logout/i })).toBeVisible();
});
await test.step('Cleanup: admin logs back in and deletes passthrough user', async () => {
// Logout passthrough user
await page.getByRole('button', { name: /logout/i }).click();
await page.waitForURL(/login/, { timeout: 10000 });
// Login as admin
await loginWithCredentials(page, adminEmail, TEST_PASSWORD);
const token = await page.evaluate(() => localStorage.getItem('charon_auth_token') || '');
if (ptUserId !== undefined) {
await page.request.delete(`/api/v1/users/${ptUserId}`, {
headers: token ? { Authorization: `Bearer ${token}` } : {},
});
}
});
});
});
/**
* PR-3: Regular User — No Admin-Only Nav Items (F9)
*
* Verifies that a regular (non-admin) user does not see the "Users"
* navigation item, which is restricted to admins only.
*/
test.describe('PR-3: Regular User Has No Admin Navigation Items (F9)', () => {
let adminEmail = '';
test.beforeEach(async ({ page, adminUser }) => {
await resetSecurityState(page);
adminEmail = adminUser.email;
await loginUser(page, adminUser);
await waitForLoadingComplete(page, { timeout: 15000 });
});
test('regular user does not see the Users navigation item', async ({ page }) => {
const suffix = uniqueSuffix();
const regularUserData = {
email: `navtest-user-${suffix}@test.local`,
name: `Nav Test User ${suffix}`,
password: 'NavTestPass123!',
role: 'user' as 'admin' | 'user' | 'passthrough',
};
let regularUserId: string | number | undefined;
await test.step('Admin creates a regular user', async () => {
const token = await page.evaluate(() => localStorage.getItem('charon_auth_token') || '');
const resp = await page.request.post('/api/v1/users', {
data: regularUserData,
headers: token ? { Authorization: `Bearer ${token}` } : {},
});
expect(resp.ok()).toBe(true);
const body = await resp.json();
regularUserId = body.id;
});
await test.step('Admin logs out', async () => {
await logoutUser(page);
});
await test.step('Regular user logs in', async () => {
await navigateToLogin(page);
await loginWithCredentials(page, regularUserData.email, regularUserData.password);
await waitForLoadingComplete(page, { timeout: 15000 });
});
await test.step('Verify "Users" nav item is NOT visible for regular user', async () => {
const nav = page.getByRole('navigation').first();
await expect(nav.getByRole('link', { name: 'Users' })).not.toBeVisible();
});
await test.step('Verify other nav items ARE visible (navigation renders for regular users)', async () => {
const nav = page.getByRole('navigation').first();
await expect(nav.getByRole('link', { name: /dashboard/i })).toBeVisible();
});
await test.step('Cleanup: admin logs back in and deletes regular user', async () => {
await logoutUser(page);
await navigateToLogin(page);
await loginWithCredentials(page, adminEmail, TEST_PASSWORD);
const token = await page.evaluate(() => localStorage.getItem('charon_auth_token') || '');
if (regularUserId !== undefined) {
await page.request.delete(`/api/v1/users/${regularUserId}`, {
headers: token ? { Authorization: `Bearer ${token}` } : {},
});
}
});
});
test('admin user sees the Users navigation item', async ({ page }) => {
await test.step('Navigate to settings to reveal Settings sub-navigation', async () => {
await page.goto('/settings/users');
await waitForLoadingComplete(page);
});
await test.step('Verify "Users" nav item is visible for admin in Settings nav', async () => {
await expect(page.getByRole('link', { name: 'Users', exact: true })).toBeVisible();
});
});
});

1455
tests/settings/user-management.spec.ts Normal file
View File

File diff suppressed because it is too large Load Diff