Built-in OAuth2 login-challenge handler (todo §6); /oauth2/login resolves a Hydra login challenge via the Kratos session — skip→accept(subject), live session→accept(identity id), no session→bounce to /login?return_to back here so Kratos lands on the challenge once signed in. New src/hydra-admin.ts (fetch client: get/accept/reject login request + HydraError, mirrors the kratos/keto clients) + src/oauth-login.ts (pure resolveLoginChallenge); wired in app.ts (the absolute return URL derives from the request Host + the SECURE_COOKIES scheme — a spoofed Host can't escape, Kratos validates return_to against its allow-list; /login now bakes return_to into the flow init), config.hydraAdminUrl (default http://hydra:4445), server builds the client, compose web now gates on hydra healthy (the app consumes it). A stale/invalid/consumed challenge (Hydra 4xx — back button, slow login) degrades to a recoverable 400, not a 500; a genuine Hydra 5xx outage still surfaces as 500. Tests-first: hydra-admin/oauth-login units + app/config/compose HTTP integration + full-stack e2e/oauth-login.spec.ts (compose.e2e-oauth.yml — registers an OAuth2 client, starts an auth flow, asserts the unauthenticated bounce and the authenticated accept; boot-verified then torn down). Stability-reviewer run as a local PR: APPROVE, no Critical/High; addressed its one warning (4xx→400 degrade). Deferred §9: document that prod allowed_return_urls entries must be exact origins with a trailing /. typecheck + 253 units + 8 visual + oauth-login E2E green. Consent handler + client registration are the next §6 items.

2026-06-18 21:45:24 +02:00
parent bfc9f80b61
commit 3c8090e8e3
15 changed files with 524 additions and 14 deletions
--- a/compose.e2e-oauth.yml
+++ b/compose.e2e-oauth.yml
@@ -0,0 +1,45 @@
+# Full-stack OAuth2 E2E — the §6 login-challenge handler. Another app logs in *through* us:
+# Hydra starts an authorization flow and hands the browser to web's /oauth2/login; web resolves
+# it via the Kratos session and accepts. Runs against the real stack (Postgres + Kratos + Keto +
+# Hydra + bootstrap + web). The runner drives the flow over HTTP (fetch, manual cookies), so it
+# reaches the Ory services by their compose-network names.
+#   docker compose -f compose.yml -f compose.e2e-oauth.yml run --build --rm e2e
+#   docker compose -f compose.yml -f compose.e2e-oauth.yml down -v   # tear down after
+services:
+  web:
+    # Dev throwaways are fine for the test stack; the runner hits web over http.
+    environment:
+      CACHE_TEMPLATES: "true"
+      REQUIRE_SECURE_SECRETS: "false"
+      SECURE_COOKIES: "false"
+    healthcheck:
+      test: ["CMD", "wget", "-q", "-O", "-", "http://localhost:3000/"]
+      interval: 2s
+      timeout: 4s
+      retries: 30
+
+  # --dev permits the http issuer (the base file drops it for an https prod issuer).
+  hydra:
+    command: serve all --dev -c /etc/config/hydra/hydra.yml
+
+  # Point the public base_url at the compose-network host so the runner can drive the Kratos
+  # login flow over `kratos:4433` (kratos.yml's default 127.0.0.1 base_url only resolves host-side).
+  kratos:
+    environment:
+      SERVE_PUBLIC_BASE_URL: http://kratos:4433/
+
+  e2e:
+    build:
+      context: .
+      dockerfile: Dockerfile.e2e
+    depends_on:
+      web:
+        condition: service_healthy
+    environment:
+      BASE_URL: http://web:3000
+      HYDRA_ADMIN_URL: http://hydra:4445
+      HYDRA_PUBLIC_URL: http://hydra:4444
+      KRATOS_PUBLIC_URL: http://kratos:4433
+    command: ["npx", "playwright", "test", "oauth-login.spec.ts"]
+    volumes:
+      - ./e2e/artifacts:/e2e/artifacts