Commit d93577c
test(e2e): UI↔backend auth-contract cookie-exchange round-trip integration (#167)
Adds the missing end-to-end integration test for the AUTH-004 cookie-exchange
seam — the exact path that broke in the 2026-05-29 → 2026-05-30 prod-login
outage (web missing /auth/exchange POST; Accept header forcing a rejected
preflight; api missing access-control-allow-credentials). Unit tests were
green throughout; nothing exercised the UI↔backend contract end-to-end.
Existing gates already cover the CORS *envelope* (preflight headers + a
no-cookie cross-origin POST resolving + /auth/email/start=202): Layer-1
e2e/auth-contract.spec.ts (prod) and the api repo's Layer-2 compose spec.
This adds the full ROUND-TRIP no other test covers:
real session JWT in the bridge cookie (what /auth/email/callback sets)
→ browser credentials:'include' POST /auth/exchange (cross-origin)
→ cookie SENT cross-origin AND ACAC lets JS read {token}
→ that token as Authorization: Bearer on GET /auth/me → 200 + claimed email
It can't drive the literal /auth/email/callback (the single-use token lives
only in the api's magic_links table, is emailed, never API-returned; Brevo
sender is unvalidated so no inbox in prod/CI). Instead it reconstructs the
exact post-callback browser state: provision (/cache/new) → claim (/claim)
against the live api for a REAL user_id/team_id, then plants a session JWT
(HS256, claim shape mirrors api e2e makeSessionJWTWithUser) in the same
instanode_session_exchange cookie setExchangeCookie writes, and drives the
SPA's real exchange→Bearer→/auth/me path unchanged.
Gating / how it runs:
- Needs a NON-prod api (compose http://localhost:8080 or staging) + the
stack JWT_SECRET (E2E_JWT_SECRET). Self-skips LOUDLY when the secret is
absent or the provisioning backend returns 503 — skipped, never a false red.
- Refuses to target prod (planting a bridge cookie needs the stack secret,
which never enters this repo's CI).
- Wired as a workflow_dispatch-only `auth-roundtrip` job in
.github/workflows/auth-contract-e2e.yml (run_roundtrip input). The
authoritative pre-merge round-trip gate lives in the api repo's Layer-2
compose workflow (builds the api from PR source, has the stack-local
secret); this is the instanode-web-side companion for staging/compose.
Verified: tsc/build/vitest gate green (1107 pass); spec compiles + is
discovered by Playwright; self-skips cleanly with no secret; existing
Layer-1 contract smoke still passes against prod. Could not execute the
round-trip's live assertions locally — no reachable non-prod api available
(self-skips). Needs a compose/staging api to exercise.
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 7aed876
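The three breakages named in the commit message (missing exchange route, an Accept value that forced a preflight, and a missing access-control-allow-credentials grant) are all properties of the CORS credential contract between the SPA origin and the api. The example below is added here and is not code from this commit or the instanode-web repository: it models that contract as pure functions so each failure mode can be checked offline, the weak server configuration beside the corrected one. Origins, allowlists and header values are constructed; function names are hypothetical; the preflight rule is a simplified reading of the Fetch specification's safelisted-header limits.

```typescript
// Added example, not code from this commit or the instanode-web repo: a pure
// model of the browser/server CORS rules the round-trip test exercises.
// Origins, allowlists and header values are constructed.

type HeaderMap = Record<string, string>;

// Server side: CORS response headers the api should attach for a credentialed
// caller. `weak: true` reproduces the misconfiguration class the commit
// describes (origin echoed, credentials grant absent) for side-by-side checks.
export function corsHeadersFor(
  origin: string | undefined,
  allowedOrigins: string[],
  opts: { weak?: boolean } = {},
): HeaderMap {
  const h: HeaderMap = {};
  // Unknown or absent Origin: no grant at all. Never fall back to "*".
  if (!origin || !allowedOrigins.includes(origin)) return h;
  h["access-control-allow-origin"] = origin; // exact echo of an allowlisted origin
  if (opts.weak) return h;
  h["access-control-allow-credentials"] = "true"; // required for credentials:'include'
  h["vary"] = "Origin"; // stop shared caches replaying one origin's grant to another
  return h;
}

// Browser side: with credentials:'include', JS can read the response only if
// ACAO is exactly the requesting origin (wildcard rejected) and ACAC is the
// literal "true". The reason string is what a defender would want logged.
export function credentialedResponseReadable(
  origin: string,
  h: HeaderMap,
): { ok: boolean; reason: string } {
  const acao = h["access-control-allow-origin"];
  const acac = h["access-control-allow-credentials"];
  if (acao === undefined) return { ok: false, reason: "missing access-control-allow-origin" };
  if (acao === "*") return { ok: false, reason: "wildcard origin not allowed with credentials" };
  if (acao !== origin) return { ok: false, reason: `origin mismatch: got ${acao}` };
  if (acac !== "true") return { ok: false, reason: "missing access-control-allow-credentials: true" };
  return { ok: true, reason: "ok" };
}

// Request side: will this request trigger an OPTIONS preflight? Simplified
// Fetch-spec rule: only safelisted headers whose values are <= 128 bytes and
// free of CORS-unsafe bytes avoid it, and Content-Type must be a simple type.
// An Accept value with a quote, parenthesis or colon is enough to force one.
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];
const UNSAFE_BYTES = /[\x00-\x08\x0a-\x1f"()<>?@[\\\]{}\x7f:]/;

export function needsPreflight(method: string, reqHeaders: HeaderMap): boolean {
  if (!["GET", "HEAD", "POST"].includes(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(reqHeaders)) {
    const n = name.toLowerCase();
    if (!SAFELISTED.has(n)) return true; // e.g. Authorization, X-Requested-With
    if (value.length > 128 || UNSAFE_BYTES.test(value)) return true;
    if (n === "content-type" && !SIMPLE_CONTENT_TYPES.some((t) => value.toLowerCase().startsWith(t))) {
      return true; // application/json always preflights
    }
  }
  return false;
}

// Constructed walk-through of the exchange seam for a given api configuration.
export function exchangeSeam(weak: boolean): { preflight: boolean; readable: boolean; reason: string } {
  const spaOrigin = "https://app.example.test"; // constructed SPA origin
  const allowlist = [spaOrigin];
  const req: HeaderMap = { accept: "application/json" }; // safelisted, safe value
  const resp = corsHeadersFor(spaOrigin, allowlist, { weak });
  const r = credentialedResponseReadable(spaOrigin, resp);
  return { preflight: needsPreflight("POST", req), readable: r.ok, reason: r.reason };
}
```

Run as a smoke check, `exchangeSeam(false)` reports the response readable with no preflight, while `exchangeSeam(true)` reproduces the outage class: the CORS envelope is present, so an envelope-only gate passes, but the browser withholds the exchanged token because the credentials grant is missing. That gap is exactly why a round-trip test that reads `{token}` and replays it as a Bearer is needed alongside the envelope checks.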
3 files changed
Lines changed: 461 additions & 0 deletions
File tree
- .github/workflows
- e2e
Diff (line contents not rendered on this page): hunk 1 inserts new lines 42-46 (5 additions) between original lines 41 and 42; hunk 2 inserts new lines 126-206 (81 additions) between original lines 120 and 121. No deletions.