test(integration): use strong random passwords and harden afterAll

jacekradko · jacekradko · commit 22bba8a9ea14 · 2026-04-29T20:15:07.000-05:00
The fake-user generator built passwords as `${email}${randomHash}`, which
got flagged by FAPI's compromised-password check (HTTP 422
`form_password_compromised`) and broke the
`session-tasks-sign-in-reset-password` E2E flows.

Replace it with a high-entropy `fakerPassword()` helper that satisfies
default Clerk complexity rules. Also optional-chain the cleanup in
`components.test.ts` so a `beforeAll` timeout no longer cascades into a
`TypeError` that masks the real failure.
diff --git a/.changeset/fix-e2e-compromised-password.md b/.changeset/fix-e2e-compromised-password.md
@@ -0,0 +1,2 @@
+---
+---
diff --git a/integration/models/helpers.ts b/integration/models/helpers.ts
@@ -67,6 +67,21 @@ const dedent = (strings: string | Array<string>, ...values: Array<string>) => {
 
 export const hash = () => randomBytes(5).toString('hex');
 
+/**
+ * Generates a strong, unique password for fake test users.
+ *
+ * Avoids any pattern derived from the user's email or other guessable inputs,
+ * so it doesn't collide with HIBP / compromised-password lists that would
+ * cause FAPI to reject sign-in with `form_password_compromised` (HTTP 422).
+ *
+ * Includes upper, lower, digit, and symbol to satisfy default Clerk password
+ * complexity rules.
+ */
+export const fakerPassword = () => {
+  const bytes = randomBytes(18).toString('base64url');
+  return `Aa1!${bytes}`;
+};
+
 export const waitUntilMessage = async (stream: Readable, message: string) => {
   return new Promise<void>(resolve => {
     stream.on('data', chunk => {
diff --git a/integration/testUtils/usersService.ts b/integration/testUtils/usersService.ts
@@ -1,7 +1,7 @@
 import type { APIKey, ClerkClient, Organization, User } from '@clerk/backend';
 import { faker } from '@faker-js/faker';
 
-import { hash } from '../models/helpers';
+import { fakerPassword, hash } from '../models/helpers';
 
 async function withErrorLogging<T>(operation: string, fn: () => Promise<T>): Promise<T> {
   try {
@@ -133,7 +133,7 @@ export const createUserService = (clerkClient: ClerkClient) => {
         lastName: faker.person.lastName(),
         email: withEmail ? email : undefined,
         username: withUsername ? `${randomHash}_clerk_cookie` : undefined,
-        password: withPassword ? `${email}${randomHash}` : undefined,
+        password: withPassword ? fakerPassword() : undefined,
         phoneNumber: withPhoneNumber ? phoneNumber : undefined,
         deleteIfExists: () => self.deleteIfExists({ email, phoneNumber }),
       };
diff --git a/integration/tests/components.test.ts b/integration/tests/components.test.ts
@@ -20,8 +20,8 @@ testAgainstRunningApps({ withEnv: [appConfigs.envs.withEmailCodes] })('component
 
   test.afterAll(async () => {
     await app.teardown();
-    await fakeUser.deleteIfExists();
-    await fakeOrganization.delete();
+    await fakeUser?.deleteIfExists();
+    await fakeOrganization?.delete();
   });
 
   const components = [
