| 1 | +/* funnel-recovery.spec.ts — mocked-contract Playwright gate for the |
| 2 | + * auth/claim funnel-recovery surfaces shipped 2026-06-10: |
| 3 | + * |
| 4 | + * F4 — the magic-link "we sent a link" state is no longer a silent |
| 5 | + * dead-end: it offers a Resend affordance + a GitHub-OAuth fallback |
| 6 | + * (email delivery is 100%-failing while the Brevo sender is |
| 7 | + * unvalidated, so this is the only path off the screen). |
| 8 | + * F6 — the /claim dead-ends (tokenless "Missing claim link" + invalid/ |
| 9 | + * expired token) surface GitHub OAuth as a primary recovery CTA. |
| 10 | + * D2 — the CLI device-flow: /login?cli_session=<id> forwards the id |
| 11 | + * through the OAuth/magic-link return_to so LoginCallbackPage can |
| 12 | + * POST /auth/cli/{id}/complete after sign-in. |
| 13 | + * |
| 14 | + * Runs under the DEFAULT mocked config (playwright.config.ts → VITE_NO_PROXY=1, |
| 15 | + * same-origin), so every page.route() glob below intercepts the SPA's fetch and |
| 16 | + * no upstream api is contacted. This is the browser-rendered, real-src/api layer |
| 17 | + * that complements the vitest component tests (which stub the api module). |
| 18 | + */ |
| 19 | + |
| 20 | +import { expect, test, type Page, type Route } from '@playwright/test' |
| 21 | + |
| 22 | +// ─── Constants ─────────────────────────────────────────────────────────────── |
| 23 | +const EMAIL_START_PATH = '**/auth/email/start' |
| 24 | +const AUTH_ME_PATH = '**/auth/me' |
| 25 | +const CLI_COMPLETE_PATH = /\/auth\/cli\/[^/]+\/complete$/ |
| 26 | +const TEST_EMAIL = 'founder@acme.dev' |
| 27 | +const CLI_SESSION_ID = 'cli_sess_abc123' |
| 28 | +const SESSION_TOKEN = 'sess_jwt_callback' |
| 29 | + |
| 30 | +/** Mock POST /auth/email/start → 202 (the api returns 202 regardless of |
| 31 | + * whether the email exists). Captures the request body so the test can assert |
| 32 | + * the return_to carries the cli_session when present. */ |
| 33 | +async function mockEmailStart(page: Page, captured: { body?: any; count: number }) { |
| 34 | + await page.route(EMAIL_START_PATH, (route: Route) => { |
| 35 | + if (route.request().method() !== 'POST') return route.continue() |
| 36 | + captured.count += 1 |
| 37 | + captured.body = JSON.parse(route.request().postData() ?? '{}') |
| 38 | + return route.fulfill({ status: 202, contentType: 'application/json', body: '{}' }) |
| 39 | + }) |
| 40 | +} |
| 41 | + |
| 42 | +/** Mock GET /auth/me → 200 so the callback page's post-token verification |
| 43 | + * succeeds and it proceeds to navigation. */ |
| 44 | +async function mockAuthMe(page: Page) { |
| 45 | + await page.route(AUTH_ME_PATH, (route: Route) => |
| 46 | + route.fulfill({ |
| 47 | + status: 200, |
| 48 | + contentType: 'application/json', |
| 49 | + body: JSON.stringify({ ok: true, user_id: 'u1', team_id: 't1', email: TEST_EMAIL, tier: 'free' }), |
| 50 | + }), |
| 51 | + ) |
| 52 | +} |
| 53 | + |
| 54 | +// ─── F4: magic-link sent state is not a dead-end ───────────────────────────── |
| 55 | + |
| 56 | +test.describe('F4 — magic-link recovery affordances', () => { |
| 57 | + async function reachSentState(page: Page) { |
| 58 | + await page.getByTestId('email-input').fill(TEST_EMAIL) |
| 59 | + await page.getByTestId('email-submit').click() |
| 60 | + await expect(page.getByTestId('magic-link-sent')).toBeVisible() |
| 61 | + } |
| 62 | + |
| 63 | + test('the sent state renders Resend + GitHub-fallback controls', async ({ page }) => { |
| 64 | + const cap = { count: 0 } as { body?: any; count: number } |
| 65 | + await mockEmailStart(page, cap) |
| 66 | + await page.goto('/login') |
| 67 | + await reachSentState(page) |
| 68 | + await expect(page.getByTestId('magic-link-resend')).toBeVisible() |
| 69 | + await expect(page.getByTestId('magic-link-github-fallback')).toBeVisible() |
| 70 | + }) |
| 71 | + |
| 72 | + test('Resend re-fires POST /auth/email/start', async ({ page }) => { |
| 73 | + const cap = { count: 0 } as { body?: any; count: number } |
| 74 | + await mockEmailStart(page, cap) |
| 75 | + await page.goto('/login') |
| 76 | + await reachSentState(page) |
| 77 | + expect(cap.count).toBe(1) |
| 78 | + await page.getByTestId('magic-link-resend').click() |
| 79 | + await expect.poll(() => cap.count).toBe(2) |
| 80 | + }) |
| 81 | + |
| 82 | + test('the GitHub fallback navigates to the OAuth start handler', async ({ page }) => { |
| 83 | + const cap = { count: 0 } as { body?: any; count: number } |
| 84 | + await mockEmailStart(page, cap) |
| 85 | + // The github/start redirect leaves the SPA — intercept it so the test |
| 86 | + // doesn't navigate to the real api. Asserting the URL we were sent to. |
| 87 | + await page.route('**/auth/github/start*', (route: Route) => |
| 88 | + route.fulfill({ status: 200, contentType: 'text/html', body: '<html>oauth start</html>' }), |
| 89 | + ) |
| 90 | + await page.goto('/login') |
| 91 | + await reachSentState(page) |
| 92 | + await Promise.all([ |
| 93 | + page.waitForURL(/\/auth\/github\/start\?return_to=/), |
| 94 | + page.getByTestId('magic-link-github-fallback').click(), |
| 95 | + ]) |
| 96 | + }) |
| 97 | +}) |
| 98 | + |
| 99 | +// ─── F6: claim dead-ends surface GitHub OAuth ──────────────────────────────── |
| 100 | + |
| 101 | +test.describe('F6 — claim funnel recovery via GitHub OAuth', () => { |
| 102 | + test('the tokenless "Missing claim link" state surfaces a GitHub CTA', async ({ page }) => { |
| 103 | + await page.goto('/claim') |
| 104 | + await expect(page.getByText(/missing claim link/i)).toBeVisible() |
| 105 | + await expect(page.getByTestId('claim-github-oauth')).toBeVisible() |
| 106 | + }) |
| 107 | + |
| 108 | + test('the invalid/expired-link state surfaces a GitHub CTA', async ({ page }) => { |
| 109 | + await page.goto('/claim?t=not-a-valid-jwt-blob') |
| 110 | + await expect(page.getByTestId('claim-invalid')).toBeVisible() |
| 111 | + await expect(page.getByTestId('claim-github-oauth')).toBeVisible() |
| 112 | + }) |
| 113 | + |
| 114 | + test('the GitHub CTA navigates to the OAuth start handler', async ({ page }) => { |
| 115 | + await page.route('**/auth/github/start*', (route: Route) => |
| 116 | + route.fulfill({ status: 200, contentType: 'text/html', body: '<html>oauth start</html>' }), |
| 117 | + ) |
| 118 | + await page.goto('/claim') |
| 119 | + await Promise.all([ |
| 120 | + page.waitForURL(/\/auth\/github\/start\?return_to=/), |
| 121 | + page.getByTestId('claim-github-oauth').click(), |
| 122 | + ]) |
| 123 | + }) |
| 124 | +}) |
| 125 | + |
| 126 | +// ─── D2: CLI device-flow — cli_session preserved + completed ───────────────── |
| 127 | + |
| 128 | +test.describe('D2 — CLI device-flow completion', () => { |
| 129 | + test('LoginPage forwards cli_session into the magic-link return_to', async ({ page }) => { |
| 130 | + const cap = { count: 0 } as { body?: any; count: number } |
| 131 | + await mockEmailStart(page, cap) |
| 132 | + await page.goto(`/login?cli_session=${CLI_SESSION_ID}`) |
| 133 | + await page.getByTestId('email-input').fill(TEST_EMAIL) |
| 134 | + await page.getByTestId('email-submit').click() |
| 135 | + await expect(page.getByTestId('magic-link-sent')).toBeVisible() |
| 136 | + // The return_to the SPA sent the api must carry the cli_session so the |
| 137 | + // post-auth callback can complete the device flow. |
| 138 | + expect(cap.body?.return_to).toContain(`/login/callback?cli_session=${CLI_SESSION_ID}`) |
| 139 | + }) |
| 140 | + |
| 141 | + test('the callback POSTs /auth/cli/{id}/complete then lands the user on /app', async ({ page }) => { |
| 142 | + await mockAuthMe(page) |
| 143 | + const completeCap = { id: '', count: 0 } |
| 144 | + await page.route(CLI_COMPLETE_PATH, (route: Route) => { |
| 145 | + completeCap.count += 1 |
| 146 | + // Pull the session id out of the path: /auth/cli/<id>/complete |
| 147 | + const m = new URL(route.request().url()).pathname.match(/\/auth\/cli\/([^/]+)\/complete$/) |
| 148 | + completeCap.id = m ? decodeURIComponent(m[1]) : '' |
| 149 | + return route.fulfill({ status: 200, contentType: 'application/json', body: JSON.stringify({ ok: true }) }) |
| 150 | + }) |
| 151 | + |
| 152 | + // The callback uses the legacy ?session_token path (no cookie exchange |
| 153 | + // needed for the mock) + ?cli_session to trigger completion. |
| 154 | + await page.goto(`/login/callback?session_token=${SESSION_TOKEN}&cli_session=${CLI_SESSION_ID}`) |
| 155 | + await expect(page).toHaveURL(/\/app\/?$/) |
| 156 | + expect(completeCap.count).toBe(1) |
| 157 | + expect(completeCap.id).toBe(CLI_SESSION_ID) |
| 158 | + }) |
| 159 | + |
| 160 | + test('a cli-completion failure does NOT block the user sign-in (still lands on /app)', async ({ page }) => { |
| 161 | + await mockAuthMe(page) |
| 162 | + await page.route(CLI_COMPLETE_PATH, (route: Route) => |
| 163 | + route.fulfill({ status: 404, contentType: 'application/json', body: JSON.stringify({ error: 'session_not_found' }) }), |
| 164 | + ) |
| 165 | + await page.goto(`/login/callback?session_token=${SESSION_TOKEN}&cli_session=${CLI_SESSION_ID}`) |
| 166 | + // completeCliSession swallows the error; the browser user must still |
| 167 | + // reach the app. |
| 168 | + await expect(page).toHaveURL(/\/app\/?$/) |
| 169 | + }) |
| 170 | + |
| 171 | + test('no cli_session → the callback never calls /auth/cli/.../complete', async ({ page }) => { |
| 172 | + await mockAuthMe(page) |
| 173 | + let completeCalled = false |
| 174 | + await page.route(CLI_COMPLETE_PATH, (route: Route) => { |
| 175 | + completeCalled = true |
| 176 | + return route.fulfill({ status: 200, contentType: 'application/json', body: JSON.stringify({ ok: true }) }) |
| 177 | + }) |
| 178 | + await page.goto(`/login/callback?session_token=${SESSION_TOKEN}`) |
| 179 | + await expect(page).toHaveURL(/\/app\/?$/) |
| 180 | + expect(completeCalled).toBe(false) |
| 181 | + }) |
| 182 | +}) |
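Review bot: The D2 assertion on line 138, `expect(cap.body?.return_to).toContain('/login/callback?cli_session=...')`, would also pass for an absolute URL on a foreign origin, so it does not pin the invariant that return_to stays a same-origin relative path; tightening it to a prefix check, `expect(String(cap.body?.return_to)).toMatch(/^\/login\/callback\?cli_session=/)`, makes the test guard that too. The file header also states that cli_session is forwarded through the OAuth return_to, but only the magic-link path is asserted — the F4/F6 `waitForURL(/\/auth\/github\/start\?return_to=/)` waits never inspect the return_to value, so a regression that drops cli_session from the OAuth path (or forwards an attacker-supplied absolute URL) would not be caught. A D2 case that captures the intercepted github/start request URL and checks its decoded `return_to` would close that gap; the sketch below assumes the sent-state fallback is the OAuth entry the header refers to, so confirm against LoginPage. Separately, the `{ count: 0 } as { body?: any; count: number }` casts repeated in four tests read better as one shared alias with `body?: unknown` and a plain annotation, `const cap: EmailStartCapture = { count: 0 }`.
```typescript
  test('the GitHub fallback forwards cli_session into the OAuth return_to', async ({ page }) => {
    const cap: { body?: unknown; count: number } = { count: 0 }
    await mockEmailStart(page, cap)
    let startUrl = ''
    await page.route('**/auth/github/start*', (route: Route) => {
      startUrl = route.request().url()
      return route.fulfill({ status: 200, contentType: 'text/html', body: '<html>oauth start</html>' })
    })
    await page.goto(`/login?cli_session=${CLI_SESSION_ID}`)
    // … unchanged: fill email-input, click email-submit, wait for magic-link-sent …
    await Promise.all([
      page.waitForURL(/\/auth\/github\/start\?return_to=/),
      page.getByTestId('magic-link-github-fallback').click(),
    ])
    // return_to must stay a same-origin relative path and carry the cli_session
    // the user arrived with; searchParams.get() undoes the URL encoding.
    const returnTo = new URL(startUrl).searchParams.get('return_to') ?? ''
    expect(returnTo).toMatch(/^\/login\/callback\?cli_session=/)
    expect(returnTo).toContain(`cli_session=${CLI_SESSION_ID}`)
  })
```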