merged tests
This commit is contained in:
parent
4be45f8f7c
commit
67ffe6a823
7 changed files with 212 additions and 599 deletions
|
|
@ -64,42 +64,23 @@ test.describe("Regular User Access", () => {
|
|||
await loginUser(page, REGULAR_USER.email, REGULAR_USER.password);
|
||||
});
|
||||
|
||||
test("redirected from home to exchange page", async ({ page }) => {
|
||||
test("can access exchange and trades pages with correct navigation", async ({ page }) => {
|
||||
// Test redirect from home
|
||||
await page.goto("/");
|
||||
|
||||
// Should be redirected to exchange page
|
||||
await expect(page).toHaveURL("/exchange");
|
||||
});
|
||||
|
||||
test("can access exchange page", async ({ page }) => {
|
||||
// Test exchange page access
|
||||
await page.goto("/exchange");
|
||||
|
||||
// Should stay on exchange page
|
||||
await expect(page).toHaveURL("/exchange");
|
||||
|
||||
// Should see exchange UI
|
||||
await expect(page.getByText("Exchange Bitcoin")).toBeVisible();
|
||||
});
|
||||
|
||||
test("can access trades page", async ({ page }) => {
|
||||
// Test trades page access
|
||||
await page.goto("/trades");
|
||||
|
||||
// Should stay on trades page
|
||||
await expect(page).toHaveURL("/trades");
|
||||
|
||||
// Should see trades UI heading
|
||||
await expect(page.getByRole("heading", { name: "My Trades" })).toBeVisible();
|
||||
});
|
||||
|
||||
test("navigation shows exchange and trades", async ({ page }) => {
|
||||
await page.goto("/trades");
|
||||
|
||||
// From trades page, we can see the nav links
|
||||
// "My Trades" is the current page (shown as span, not link)
|
||||
// "Exchange" should be a link
|
||||
// Test navigation shows exchange and trades, but not admin links
|
||||
await expect(page.locator('a[href="/exchange"]').first()).toBeVisible();
|
||||
|
||||
// Should NOT see admin links
|
||||
const adminTradesLinks = page.locator('a[href="/admin/trades"]');
|
||||
await expect(adminTradesLinks).toHaveCount(0);
|
||||
});
|
||||
|
|
@ -111,42 +92,26 @@ test.describe("Admin User Access", () => {
|
|||
await loginUser(page, ADMIN_USER.email, ADMIN_USER.password);
|
||||
});
|
||||
|
||||
test("redirected from home to admin trades", async ({ page }) => {
|
||||
test("can access admin pages with correct navigation", async ({ page }) => {
|
||||
// Test redirect from home
|
||||
await page.goto("/");
|
||||
|
||||
// Should be redirected to admin trades page
|
||||
await expect(page).toHaveURL("/admin/trades");
|
||||
});
|
||||
|
||||
test("can access admin trades page", async ({ page }) => {
|
||||
// Test admin trades page
|
||||
await page.goto("/admin/trades");
|
||||
|
||||
// Should stay on admin trades page
|
||||
await expect(page).toHaveURL("/admin/trades");
|
||||
|
||||
// Should see trades UI (use heading for specificity)
|
||||
await expect(page.getByRole("heading", { name: "Trades" })).toBeVisible();
|
||||
});
|
||||
|
||||
test("can access admin availability page", async ({ page }) => {
|
||||
// Test admin availability page
|
||||
await page.goto("/admin/availability");
|
||||
|
||||
// Should stay on availability page
|
||||
await expect(page).toHaveURL("/admin/availability");
|
||||
|
||||
// Should see availability UI (use heading for specificity)
|
||||
await expect(page.getByRole("heading", { name: "Availability" })).toBeVisible();
|
||||
});
|
||||
|
||||
test("navigation shows admin links", async ({ page }) => {
|
||||
// Test navigation shows admin links but not regular user links
|
||||
await page.goto("/admin/trades");
|
||||
|
||||
// Should see admin nav items (use locator for nav links)
|
||||
await expect(page.locator('a[href="/admin/invites"]')).toBeVisible();
|
||||
await expect(page.locator('a[href="/admin/availability"]')).toBeVisible();
|
||||
await expect(page.locator('a[href="/admin/trades"]')).toHaveCount(0); // Current page, shown as text not link
|
||||
|
||||
// Should NOT see regular user links
|
||||
const exchangeLinks = page.locator('a[href="/exchange"]');
|
||||
await expect(exchangeLinks).toHaveCount(0);
|
||||
});
|
||||
|
|
@ -157,84 +122,69 @@ test.describe("Unauthenticated Access", () => {
|
|||
await clearAuth(page);
|
||||
});
|
||||
|
||||
test("home page redirects to login", async ({ page }) => {
|
||||
test("all protected pages redirect to login", async ({ page }) => {
|
||||
// Test home page redirect
|
||||
await page.goto("/");
|
||||
await expect(page).toHaveURL("/login");
|
||||
});
|
||||
|
||||
test("exchange page redirects to login", async ({ page }) => {
|
||||
// Test exchange page redirect
|
||||
await page.goto("/exchange");
|
||||
await expect(page).toHaveURL("/login");
|
||||
});
|
||||
|
||||
test("admin page redirects to login", async ({ page }) => {
|
||||
// Test admin page redirect
|
||||
await page.goto("/admin/trades");
|
||||
await expect(page).toHaveURL("/login");
|
||||
});
|
||||
});
|
||||
|
||||
test.describe("Permission Boundary via API", () => {
|
||||
test("regular user API call to admin trades returns 403", async ({ page, request }) => {
|
||||
// Login as regular user
|
||||
test("API calls respect permission boundaries", async ({ page, request }) => {
|
||||
// Test regular user cannot access admin API
|
||||
await clearAuth(page);
|
||||
await loginUser(page, REGULAR_USER.email, REGULAR_USER.password);
|
||||
|
||||
// Get cookies
|
||||
const cookies = await page.context().cookies();
|
||||
const authCookie = cookies.find((c) => c.name === "auth_token");
|
||||
let cookies = await page.context().cookies();
|
||||
let authCookie = cookies.find((c) => c.name === "auth_token");
|
||||
|
||||
if (authCookie) {
|
||||
// Try to call admin trades API directly
|
||||
const response = await request.get(`${API_URL}/api/admin/trades/upcoming`, {
|
||||
headers: {
|
||||
Cookie: `auth_token=${authCookie.value}`,
|
||||
},
|
||||
});
|
||||
|
||||
expect(response.status()).toBe(403);
|
||||
}
|
||||
});
|
||||
|
||||
test("admin user API call to exchange price returns 403", async ({ page, request }) => {
|
||||
// Login as admin
|
||||
// Test admin cannot access regular user API
|
||||
await clearAuth(page);
|
||||
await loginUser(page, ADMIN_USER.email, ADMIN_USER.password);
|
||||
|
||||
// Get cookies
|
||||
const cookies = await page.context().cookies();
|
||||
const authCookie = cookies.find((c) => c.name === "auth_token");
|
||||
cookies = await page.context().cookies();
|
||||
authCookie = cookies.find((c) => c.name === "auth_token");
|
||||
|
||||
if (authCookie) {
|
||||
// Try to call exchange price API directly (requires regular user permission)
|
||||
const response = await request.get(`${API_URL}/api/exchange/price`, {
|
||||
headers: {
|
||||
Cookie: `auth_token=${authCookie.value}`,
|
||||
},
|
||||
});
|
||||
|
||||
expect(response.status()).toBe(403);
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
test.describe("Session and Logout", () => {
|
||||
test("logout clears permissions - cannot access protected pages", async ({ page }) => {
|
||||
// Login
|
||||
test("logout clears permissions and tampered cookies are rejected", async ({ page, context }) => {
|
||||
// Test logout clears permissions
|
||||
await clearAuth(page);
|
||||
await loginUser(page, REGULAR_USER.email, REGULAR_USER.password);
|
||||
await expect(page).toHaveURL("/exchange");
|
||||
|
||||
// Logout
|
||||
await page.click("text=Sign out");
|
||||
await expect(page).toHaveURL("/login");
|
||||
|
||||
// Try to access exchange
|
||||
await page.goto("/exchange");
|
||||
await expect(page).toHaveURL("/login");
|
||||
});
|
||||
|
||||
test("cannot access pages with tampered cookie", async ({ page, context }) => {
|
||||
// Set a fake auth cookie
|
||||
// Test tampered cookie is rejected
|
||||
await context.addCookies([
|
||||
{
|
||||
name: "auth_token",
|
||||
|
|
@ -244,10 +194,7 @@ test.describe("Session and Logout", () => {
|
|||
},
|
||||
]);
|
||||
|
||||
// Try to access protected page
|
||||
await page.goto("/exchange");
|
||||
|
||||
// Should be redirected to login
|
||||
await expect(page).toHaveURL("/login");
|
||||
});
|
||||
});
|
||||
|
|
|
|||
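Review bot: In the merged "API calls respect permission boundaries" test, both 403 assertions sit inside `if (authCookie) { ... }`, so when the `auth_token` cookie is not found after login the test finishes green without ever calling the admin or exchange endpoint; the merge keeps that vacuous-pass shape and only changes `const` to `let`. An authorization-boundary test should fail loudly on that precondition instead, e.g. `expect(authCookie, "auth_token cookie missing after login").toBeDefined();` before each request, with the `request.get(...)` and `expect(response.status()).toBe(403)` then run unconditionally. The same guard appears in the second half of that test (the admin-to-exchange-price call), so both occurrences should be changed together. The surrounding `test.describe("Permission Boundary via API", ...)` block is fully inside this hunk, but the file header and any helpers (`loginUser`, `clearAuth`, `API_URL`) are outside the visible section.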