first round of review

frontend/e2e/auth.spec.ts

@@ -5,9 +5,9 @@ function uniqueEmail(): string {
   return `test-${Date.now()}-${Math.random().toString(36).substring(7)}@example.com`;
 }
 
-// Helper to clear localStorage
+// Helper to clear auth cookies
 async function clearAuth(page: Page) {
-  await page.evaluate(() => localStorage.clear());
+  await page.context().clearCookies();
 }
 
 test.describe("Authentication Flow", () => {
@@ -83,7 +83,7 @@ test.describe("Signup", () => {
     await page.click('button[type="submit"]');
     await expect(page).toHaveURL("/");
 
-    // Clear and try again with same email
+    // Clear cookies and try again with same email
     await clearAuth(page);
     await page.goto("/signup");
     await page.fill('input[type="email"]', email);
@@ -248,7 +248,7 @@ test.describe("Session Persistence", () => {
     await expect(page.getByText(email)).toBeVisible();
   });
 
-  test("token is stored in localStorage", async ({ page }) => {
+  test("auth cookie is set after login", async ({ page }) => {
     const email = uniqueEmail();
 
     await page.goto("/signup");
@@ -258,13 +258,14 @@ test.describe("Session Persistence", () => {
     await page.click('button[type="submit"]');
     await expect(page).toHaveURL("/");
 
-    // Check localStorage
-    const token = await page.evaluate(() => localStorage.getItem("token"));
-    expect(token).toBeTruthy();
-    expect(token!.length).toBeGreaterThan(10);
+    // Check cookies
+    const cookies = await page.context().cookies();
+    const authCookie = cookies.find((c) => c.name === "auth_token");
+    expect(authCookie).toBeTruthy();
+    expect(authCookie!.httpOnly).toBe(true);
   });
 
-  test("token is cleared on logout", async ({ page }) => {
+  test("auth cookie is cleared on logout", async ({ page }) => {
     const email = uniqueEmail();
 
     await page.goto("/signup");
@@ -276,8 +277,9 @@ test.describe("Session Persistence", () => {
 
     await page.click("text=Sign out");
 
-    const token = await page.evaluate(() => localStorage.getItem("token"));
-    expect(token).toBeNull();
+    const cookies = await page.context().cookies();
+    const authCookie = cookies.find((c) => c.name === "auth_token");
+    // Cookie should be deleted or have empty value
+    expect(!authCookie || authCookie.value === "").toBe(true);
   });
 });
-

frontend/e2e/counter.spec.ts

@@ -8,7 +8,7 @@ function uniqueEmail(): string {
 // Helper to authenticate a user
 async function authenticate(page: Page): Promise<string> {
   const email = uniqueEmail();
-  await page.evaluate(() => localStorage.clear());
+  await page.context().clearCookies();
   await page.goto("/signup");
   await page.fill('input[type="email"]', email);
   await page.fill('input[type="password"]', "password123");
@@ -95,13 +95,13 @@ test.describe("Counter - Authenticated", () => {
 
 test.describe("Counter - Unauthenticated", () => {
   test("redirects to login when accessing counter without auth", async ({ page }) => {
-    await page.evaluate(() => localStorage.clear());
+    await page.context().clearCookies();
     await page.goto("/");
     await expect(page).toHaveURL("/login");
   });
 
   test("shows login form when redirected", async ({ page }) => {
-    await page.evaluate(() => localStorage.clear());
+    await page.context().clearCookies();
     await page.goto("/");
     await expect(page.locator("h1")).toHaveText("Welcome back");
   });
@@ -138,11 +138,11 @@ test.describe("Counter - Session Integration", () => {
   test("counter API requires authentication", async ({ page }) => {
     // Try to access counter API directly without auth
     const response = await page.request.get("http://localhost:8000/api/counter");
-    expect(response.status()).toBe(403);
+    expect(response.status()).toBe(401);
   });
 
   test("counter increment API requires authentication", async ({ page }) => {
     const response = await page.request.post("http://localhost:8000/api/counter/increment");
-    expect(response.status()).toBe(403);
+    expect(response.status()).toBe(401);
   });
 });