200 lines
6.6 KiB
TypeScript
200 lines
6.6 KiB
TypeScript
import { test, expect, Page } from "@playwright/test";
|
|
|
|
/**
|
|
* Permission-based E2E tests
|
|
*
|
|
* These tests verify that:
|
|
* 1. Regular users can access exchange and trades pages
|
|
* 2. Admin users can access admin pages (trades, invites, availability)
|
|
* 3. Users are properly redirected based on their permissions
|
|
* 4. API calls respect permission boundaries
|
|
*/
|
|
|
|
const API_URL = process.env.NEXT_PUBLIC_API_URL || "http://localhost:8000";
|
|
|
|
// Test credentials - must match what's seeded in the database via seed.py
|
|
// These come from environment variables DEV_USER_EMAIL/PASSWORD and DEV_ADMIN_EMAIL/PASSWORD
|
|
// Tests will fail fast if these are not set
|
|
function getRequiredEnv(name: string): string {
|
|
const value = process.env[name];
|
|
if (!value) {
|
|
throw new Error(
|
|
`Required environment variable ${name} is not set. Run 'source .env' or set it in your environment.`
|
|
);
|
|
}
|
|
return value;
|
|
}
|
|
|
|
const REGULAR_USER = {
|
|
email: getRequiredEnv("DEV_USER_EMAIL"),
|
|
password: getRequiredEnv("DEV_USER_PASSWORD"),
|
|
};
|
|
|
|
const ADMIN_USER = {
|
|
email: getRequiredEnv("DEV_ADMIN_EMAIL"),
|
|
password: getRequiredEnv("DEV_ADMIN_PASSWORD"),
|
|
};
|
|
|
|
// Helper to clear auth cookies
|
|
async function clearAuth(page: Page) {
|
|
await page.context().clearCookies();
|
|
}
|
|
|
|
// Helper to login a user
|
|
async function loginUser(page: Page, email: string, password: string) {
|
|
await page.goto("/login");
|
|
await page.fill('input[type="email"]', email);
|
|
await page.fill('input[type="password"]', password);
|
|
await page.click('button[type="submit"]');
|
|
// Wait for navigation away from login page
|
|
await page.waitForURL((url) => !url.pathname.includes("/login"), { timeout: 10000 });
|
|
}
|
|
|
|
// Setup: Users are pre-seeded via seed.py before e2e tests run
|
|
// The seed script creates:
|
|
// - A regular user (DEV_USER_EMAIL/PASSWORD) with "regular" role
|
|
// - An admin user (DEV_ADMIN_EMAIL/PASSWORD) with "admin" role
|
|
test.beforeAll(async () => {
|
|
// No need to create users - they are seeded by scripts/e2e.sh
|
|
});
|
|
|
|
test.describe("Regular User Access", () => {
|
|
test.beforeEach(async ({ page }) => {
|
|
await clearAuth(page);
|
|
await loginUser(page, REGULAR_USER.email, REGULAR_USER.password);
|
|
});
|
|
|
|
test("can access exchange and trades pages with correct navigation", async ({ page }) => {
|
|
// Test redirect from home
|
|
await page.goto("/");
|
|
await expect(page).toHaveURL("/exchange");
|
|
|
|
// Test exchange page access
|
|
await page.goto("/exchange");
|
|
await expect(page).toHaveURL("/exchange");
|
|
await expect(page.getByText("Exchange Bitcoin")).toBeVisible();
|
|
|
|
// Test trades page access
|
|
await page.goto("/trades");
|
|
await expect(page).toHaveURL("/trades");
|
|
await expect(page.getByRole("heading", { name: "My Trades" })).toBeVisible();
|
|
|
|
// Test navigation shows exchange and trades, but not admin links
|
|
await expect(page.locator('a[href="/exchange"]').first()).toBeVisible();
|
|
const adminTradesLinks = page.locator('a[href="/admin/trades"]');
|
|
await expect(adminTradesLinks).toHaveCount(0);
|
|
});
|
|
});
|
|
|
|
test.describe("Admin User Access", () => {
|
|
test.beforeEach(async ({ page }) => {
|
|
await clearAuth(page);
|
|
await loginUser(page, ADMIN_USER.email, ADMIN_USER.password);
|
|
});
|
|
|
|
test("can access admin pages with correct navigation", async ({ page }) => {
|
|
// Test redirect from home
|
|
await page.goto("/");
|
|
await expect(page).toHaveURL("/admin/trades");
|
|
|
|
// Test admin trades page
|
|
await page.goto("/admin/trades");
|
|
await expect(page).toHaveURL("/admin/trades");
|
|
await expect(page.getByRole("heading", { name: "Trades" })).toBeVisible();
|
|
|
|
// Test admin availability page
|
|
await page.goto("/admin/availability");
|
|
await expect(page).toHaveURL("/admin/availability");
|
|
await expect(page.getByRole("heading", { name: "Availability" })).toBeVisible();
|
|
|
|
// Test navigation shows admin links but not regular user links
|
|
await page.goto("/admin/trades");
|
|
await expect(page.locator('a[href="/admin/invites"]')).toBeVisible();
|
|
await expect(page.locator('a[href="/admin/availability"]')).toBeVisible();
|
|
await expect(page.locator('a[href="/admin/trades"]')).toHaveCount(0); // Current page, shown as text not link
|
|
const exchangeLinks = page.locator('a[href="/exchange"]');
|
|
await expect(exchangeLinks).toHaveCount(0);
|
|
});
|
|
});
|
|
|
|
test.describe("Unauthenticated Access", () => {
|
|
test.beforeEach(async ({ page }) => {
|
|
await clearAuth(page);
|
|
});
|
|
|
|
test("all protected pages redirect to login", async ({ page }) => {
|
|
// Test home page redirect
|
|
await page.goto("/");
|
|
await expect(page).toHaveURL("/login");
|
|
|
|
// Test exchange page redirect
|
|
await page.goto("/exchange");
|
|
await expect(page).toHaveURL("/login");
|
|
|
|
// Test admin page redirect
|
|
await page.goto("/admin/trades");
|
|
await expect(page).toHaveURL("/login");
|
|
});
|
|
});
|
|
|
|
test.describe("Permission Boundary via API", () => {
|
|
test("API calls respect permission boundaries", async ({ page, request }) => {
|
|
// Test regular user cannot access admin API
|
|
await clearAuth(page);
|
|
await loginUser(page, REGULAR_USER.email, REGULAR_USER.password);
|
|
let cookies = await page.context().cookies();
|
|
let authCookie = cookies.find((c) => c.name === "auth_token");
|
|
|
|
if (authCookie) {
|
|
const response = await request.get(`${API_URL}/api/admin/trades/upcoming`, {
|
|
headers: {
|
|
Cookie: `auth_token=${authCookie.value}`,
|
|
},
|
|
});
|
|
expect(response.status()).toBe(403);
|
|
}
|
|
|
|
// Test admin cannot access regular user API
|
|
await clearAuth(page);
|
|
await loginUser(page, ADMIN_USER.email, ADMIN_USER.password);
|
|
cookies = await page.context().cookies();
|
|
authCookie = cookies.find((c) => c.name === "auth_token");
|
|
|
|
if (authCookie) {
|
|
const response = await request.get(`${API_URL}/api/exchange/price`, {
|
|
headers: {
|
|
Cookie: `auth_token=${authCookie.value}`,
|
|
},
|
|
});
|
|
expect(response.status()).toBe(403);
|
|
}
|
|
});
|
|
});
|
|
|
|
test.describe("Session and Logout", () => {
|
|
test("logout clears permissions and tampered cookies are rejected", async ({ page, context }) => {
|
|
// Test logout clears permissions
|
|
await clearAuth(page);
|
|
await loginUser(page, REGULAR_USER.email, REGULAR_USER.password);
|
|
await expect(page).toHaveURL("/exchange");
|
|
|
|
await page.click("text=Sign out");
|
|
await expect(page).toHaveURL("/login");
|
|
|
|
await page.goto("/exchange");
|
|
await expect(page).toHaveURL("/login");
|
|
|
|
// Test tampered cookie is rejected
|
|
await context.addCookies([
|
|
{
|
|
name: "auth_token",
|
|
value: "fake-token-that-should-not-work",
|
|
domain: "localhost",
|
|
path: "/",
|
|
},
|
|
]);
|
|
|
|
await page.goto("/exchange");
|
|
await expect(page).toHaveURL("/login");
|
|
});
|
|
});
|