17 KiB
E2E Test Failure Investigation Report
Date: January 29, 2026 Status: Investigation Complete Author: Planning Agent Context: 4 remaining failures after reducing from 16 total failures
Executive Summary
After thorough investigation, all 4 remaining E2E test failures are classified as Environment Issues or Infrastructure Gaps. None are code bugs in the application. The root cause is that security modules (Cerberus, WAF, ACL) rely on Caddy middleware integration that doesn't exist in the E2E test Docker container.
| Test | Classification | Root Cause | Fix Effort |
|---|---|---|---|
| emergency-server.spec.ts:150 | Environment Issue | ACL middleware not injected into Caddy | Medium |
| combined-enforcement.spec.ts:99 | Infrastructure Gap | Cerberus settings saved but not enforced | Medium |
| waf-enforcement.spec.ts:151 | Infrastructure Gap | WAF status set but Coraza not running | Medium |
| user-management.spec.ts:71 | Environment Issue | General test flakiness | Low |
Failure 1: emergency-server.spec.ts:150
Test Purpose
Test Name: "Test 3: Emergency server bypasses main app security"
Goal: Verify that when ACL is enabled and blocking requests on the main app (port 8080), the emergency server (port 2020) can still bypass security to reset settings.
Relevant Code (Lines 135-170)
// Step 1: Enable security on main app (port 8080)
await request.post('/api/v1/settings', {
data: { key: 'feature.cerberus.enabled', value: 'true' },
});
// Create restrictive ACL on main app
const { id: aclId } = await testData.createAccessList({
name: 'test-emergency-server-acl',
type: 'whitelist',
ipRules: [{ cidr: '192.168.99.0/24', description: 'Unreachable network' }],
enabled: true,
});
await request.post('/api/v1/settings', {
data: { key: 'security.acl.enabled', value: 'true' },
});
// Wait for settings to propagate
await new Promise(resolve => setTimeout(resolve, 3000));
// Step 2: Verify main app blocks requests (403)
const mainAppResponse = await request.get('/api/v1/proxy-hosts');
expect(mainAppResponse.status()).toBe(403); // <-- FAILS HERE: Receives 200
Root Cause Analysis
Classification: Environment Issue / Infrastructure Gap
Analysis:
- Setting is saved correctly: The test successfully calls the settings API to enable ACL
- Database updates succeed: The settings are stored in SQLite
- ACL enforcement missing: The ACL is a Caddy middleware that filters requests at the proxy layer
The Architecture Gap:
Looking at ARCHITECTURE.md, ACL enforcement happens at the Caddy proxy layer:
Internet → Caddy → Rate Limiter → CrowdSec → ACL → WAF → Backend
In the E2E Docker container (docker-compose.playwright-local.yml), Playwright makes direct HTTP requests to port 8080 which goes directly to the Go backend, not through Caddy's security middleware pipeline.
Why ACL Doesn't Block:
- Playwright calls
http://localhost:8080/api/v1/proxy-hosts - This hits the Go backend directly (Gin HTTP server)
- The backend checks the setting but doesn't enforce ACL blocking (that's Caddy's job)
- Response returns 200 OK because the backend doesn't implement ACL enforcement
Evidence:
From docker-compose.playwright-local.yml:
ports:
- "8080:8080" # Management UI (Charon) - Direct backend access
The test environment doesn't route traffic through the security middleware.
Recommendation
Option A (Recommended): Skip Test with Documentation - Low Effort
The test is designed for a full integration environment where Caddy routes all traffic. In the E2E container, security enforcement tests are not meaningful.
test.skip('Test 3: Emergency server bypasses main app security', async ({ request }) => {
// SKIP: This test requires Caddy middleware integration which is not available
// in the E2E Docker container. Security enforcement happens at the Caddy layer,
// not the Go backend. The test is architecturally invalid for direct API testing.
});
Option B: Implement Backend-Level ACL Check - High Effort
Add ACL enforcement middleware to the Go backend so it validates IP rules even without Caddy:
// backend/internal/api/middleware/acl_middleware.go
func ACLMiddleware(settingsService *services.SettingsService) gin.HandlerFunc {
return func(c *gin.Context) {
if isACLEnabled(settingsService) && !isIPAllowed(c.ClientIP()) {
c.AbortWithStatus(http.StatusForbidden)
return
}
c.Next()
}
}
Effort Estimate:
- Option A: 10 minutes (add test.skip with documentation)
- Option B: 4-8 hours (implement backend ACL middleware, test, update tests)
Failure 2: combined-enforcement.spec.ts:99
Test Purpose
Test Name: "should enable all security modules simultaneously"
Goal: Enable all security modules (Cerberus, ACL, WAF, Rate Limit, CrowdSec) and verify they report as enabled.
Relevant Code (Lines 85-115)
// Enable Cerberus first (master toggle) with extended wait for propagation
await setSecurityModuleEnabled(requestContext, 'cerberus', true);
await new Promise((resolve) => setTimeout(resolve, 5000));
// Use polling pattern to wait for Cerberus to be enabled
try {
await expect(async () => {
const status = await getSecurityStatus(requestContext);
expect(status.cerberus.enabled).toBe(true); // <-- TIMES OUT HERE
}).toPass({ timeout: 30000, intervals: [2000, 3000, 5000, 5000, 5000] });
} catch {
console.log('⚠ Cerberus could not be enabled...');
testInfo.skip(true, 'Cerberus could not be enabled - possible test isolation issue');
return;
}
Root Cause Analysis
Classification: Infrastructure Gap
Analysis:
- Settings API works: The test successfully posts to
/api/v1/settings - Database updates: The
feature.cerberus.enabledsetting is stored - Status check returns stale data: The
/api/v1/security/statusendpoint may not reflect the new state
The Race Condition:
Looking at the security helpers:
await request.post('/api/v1/settings', { data: { key, value } });
// Wait a brief moment for Caddy config reload
await new Promise((resolve) => setTimeout(resolve, 500));
The 500ms wait is insufficient for:
- Database write to complete
- Caddy manager to detect the change
- Caddy to reload configuration
- Security status API to reflect new state
Parallel Test Contamination:
The test file header comments mention:
"Due to parallel test execution and shared database state, we need to be resilient to timing issues."
The 30s timeout suggests the test has already been extended. The issue is that:
- Multiple test files run in parallel
- They share the same SQLite database
- One test may enable security while another disables it
- Settings race condition causes intermittent failures
Evidence from helpers:
// tests/utils/security-helpers.ts:129
await setSecurityModuleEnabled(request, 'cerberus', true);
The helper waits only 500ms after the POST, but Caddy reload can take 2-5 seconds.
Recommendation
Option A (Recommended): Increase Timeouts and Retry Logic - Low Effort
The test already has { timeout: 30000 } but the intervals may not be long enough to catch Caddy's reload cycle.
// Increase initial wait to 10 seconds for Caddy reload
await new Promise((resolve) => setTimeout(resolve, 10000));
// Use longer polling intervals
await expect(async () => {
const status = await getSecurityStatus(requestContext);
expect(status.cerberus.enabled).toBe(true);
}).toPass({ timeout: 45000, intervals: [5000, 5000, 5000, 10000, 10000, 10000] });
Option B: Force Serial Execution - Medium Effort
Add test.describe.configure({ mode: 'serial' }) to prevent parallel test contamination:
test.describe('Combined Security Enforcement', () => {
test.describe.configure({ mode: 'serial' });
// ... tests
});
Option C: Skip Test as Environmental - Low Effort
If security module testing is architecturally invalid without full Caddy integration:
test.skip('should enable all security modules simultaneously', async () => {
// SKIP: Security module status propagation depends on Caddy middleware
// integration which is not available in the E2E Docker container.
});
Effort Estimate:
- Option A: 30 minutes
- Option B: 15 minutes + regression testing
- Option C: 10 minutes
Failure 3: waf-enforcement.spec.ts:151
Test Purpose
Test Name: "should detect SQL injection patterns in request validation"
Goal: Verify that when WAF is enabled, the security status API reports it as enabled.
Relevant Code (Lines 140-165)
test('should detect SQL injection patterns in request validation', async () => {
// Mark as slow - security module status propagation requires extended timeouts
test.slow();
// Use polling pattern to verify WAF is enabled before checking
await expect(async () => {
const status = await getSecurityStatus(requestContext);
expect(status.waf.enabled).toBe(true); // <-- TIMES OUT HERE
}).toPass({ timeout: 15000, intervals: [2000, 3000, 5000] });
console.log('WAF configured - SQL injection blocking active at Caddy/Coraza layer');
});
Root Cause Analysis
Classification: Infrastructure Gap
Analysis:
This is the same root cause as Failure 2:
- WAF setting saved: The
beforeAllhook enables WAF via settings API - Coraza not running: The E2E Docker container doesn't run the Coraza WAF engine
- Status reflects setting, not runtime: The API may report the setting but not actual WAF functionality
Key Insight from Test Comments:
// WAF blocking happens at Caddy/Coraza layer before reaching the API
// This test documents the expected behavior when SQL injection is attempted
//
// Since we're making direct API requests (not through Caddy proxy),
// we verify the WAF is configured and document expected blocking behavior
The test acknowledges that WAF blocking doesn't work in this environment. The failure is intermittent because the status check sometimes succeeds before Caddy's reload cycle.
Recommendation
Option A (Recommended): Convert to Documentation Test - Low Effort
The test already documents expected behavior. Convert it to a non-conditional test:
test('should document WAF configuration (Coraza integration required)', async () => {
// Note: Full WAF blocking requires Caddy proxy with Coraza plugin.
// This test verifies the WAF configuration API responds correctly.
const response = await requestContext.get('/api/v1/security/status');
expect(response.ok()).toBe(true);
const status = await response.json();
expect(status.waf).toBeDefined();
// Don't assert on enabled state - it depends on Caddy reload timing
console.log('WAF configuration API accessible - blocking active at Caddy/Coraza layer');
});
Option B: Increase Timeout - Low Effort
The current 15s may be insufficient. Increase to 30s with longer intervals:
await expect(async () => {
const status = await getSecurityStatus(requestContext);
expect(status.waf.enabled).toBe(true);
}).toPass({ timeout: 30000, intervals: [3000, 5000, 5000, 5000, 5000, 5000] });
Option C: Skip Enforcement Tests - Low Effort
If the test environment can't meaningfully test WAF enforcement:
test.skip('should detect SQL injection patterns in request validation', async () => {
// SKIP: WAF enforcement requires Caddy+Coraza integration.
// Direct API requests bypass WAF middleware.
});
Effort Estimate:
- Option A: 20 minutes
- Option B: 10 minutes
- Option C: 10 minutes
Failure 4: user-management.spec.ts:71
Test Purpose
Test Name: "should display user list"
Goal: Verify the user management page loads correctly with a table of users.
Relevant Code (Lines 35-75)
test.beforeEach(async ({ page, adminUser }) => {
await loginUser(page, adminUser);
await waitForLoadingComplete(page);
await page.goto('/users');
await waitForLoadingComplete(page);
// Wait for page to stabilize - needed for parallel test runs
await page.waitForLoadState('networkidle', { timeout: 10000 }).catch(() => {});
});
test('should display user list', async ({ page }) => {
await test.step('Verify page URL and heading', async () => {
await expect(page).toHaveURL(/\/users/);
// Wait for page to fully load - heading may take time to render
const heading = page.getByRole('heading', { level: 1 });
await expect(heading).toBeVisible({ timeout: 10000 }); // <-- MAY FAIL HERE
});
await test.step('Verify user table is visible', async () => {
const table = page.getByRole('table');
await expect(table).toBeVisible(); // <-- OR HERE
});
// ...
});
Root Cause Analysis
Classification: Environment Issue (Flaky Test)
Analysis:
This is a general timeout failure, not related to security modules. The test fails because:
- Page Load Race: The
beforeEachhook may not fully wait for page stabilization - Parallel Test Interference: Other tests may be logging out/in simultaneously
- Network Timing: Docker container network may be slower under load
Evidence:
The test already includes mitigation attempts:
await page.waitForLoadState('networkidle', { timeout: 10000 }).catch(() => {});
The .catch(() => {}) suppresses timeouts silently, which can mask issues.
The Problem:
networkidlemay fire before React has fully hydrated- The heading element may not render until after data fetches complete
- The 10s timeout on
expect(heading).toBeVisible()may not be enough in slow CI environments
Recommendation
Option A (Recommended): Improve Wait Strategy - Low Effort
Add explicit waits for data-dependent elements:
test.beforeEach(async ({ page, adminUser }) => {
await loginUser(page, adminUser);
await waitForLoadingComplete(page);
await page.goto('/users');
await waitForLoadingComplete(page);
// Wait for actual user data to load, not just network idle
await page.waitForSelector('table tbody tr', { state: 'visible', timeout: 15000 }).catch(() => {});
});
test('should display user list', async ({ page }) => {
await test.step('Verify page URL and heading', async () => {
await expect(page).toHaveURL(/\/users/);
// Wait for heading with increased timeout for CI
const heading = page.getByRole('heading', { level: 1 });
await expect(heading).toBeVisible({ timeout: 15000 });
});
// ...
});
Option B: Mark Test as Slow - Low Effort
test('should display user list', async ({ page }) => {
test.slow(); // Triples default timeouts
// ... existing test code
});
Option C: Add Retry Config - Low Effort
In playwright.config.js:
{
retries: process.env.CI ? 2 : 0,
timeout: 45000, // Increase from 30s
}
Effort Estimate:
- Option A: 20 minutes
- Option B: 5 minutes
- Option C: 5 minutes (global config change)
Remediation Priority
| Priority | Test | Recommended Action | Effort |
|---|---|---|---|
| P1 | user-management.spec.ts:71 | Option B: Add test.slow() |
5 min |
| P2 | emergency-server.spec.ts:150 | Option A: Skip with documentation | 10 min |
| P2 | combined-enforcement.spec.ts:99 | Option A: Increase timeouts | 30 min |
| P2 | waf-enforcement.spec.ts:151 | Option A: Convert to documentation test | 20 min |
Total Estimated Effort: ~1 hour
Architectural Insight
The Core Issue
The E2E test environment routes requests directly to the Go backend (port 8080) rather than through the Caddy proxy (port 80/443) where security middleware is applied.
Current E2E Flow:
Playwright → :8080 → Go Backend → SQLite
(Security middleware bypassed)
Production Flow:
Browser → :443 → Caddy → Security Middleware → Go Backend → SQLite
(Full security enforcement)
Long-Term Recommendation
Option 1: Accept Limitation (Recommended Now)
Security enforcement tests are infrastructure tests, not E2E tests. They belong in integration tests that spin up full Caddy+Coraza stack.
Option 2: Create Full Integration Test Environment (Future)
Add a separate Docker Compose configuration that:
- Routes all traffic through Caddy
- Runs Coraza WAF plugin
- Configures CrowdSec bouncer
- Enables full security middleware pipeline
This would require:
- New
docker-compose.integration-security.yml - Separate Playwright project for security tests
- CI pipeline updates
- ~2-4 hours setup effort
Conclusion
All 4 failures are not application bugs. They are either:
- Infrastructure gaps - Security modules require Caddy middleware integration
- Timing issues - Insufficient waits for asynchronous operations
- Test design issues - Tests written for an environment they don't run in
The recommended path forward is to:
- Apply quick fixes (skip or increase timeouts) to unblock CI
- Document the architectural limitation in test comments
- Consider adding dedicated security integration tests in the future