§8 full browser E2E (todo §8); the real Playwright UI against the live stack — the browser-UI flows the earlier full-stack suites deferred here. New e2e/full-flow.spec.ts + compose.e2e-full.yml covering password login, mocked SSO, menu filtering by role, users/groups/roles CRUD, a permission-gated plugin page, and logout (6/6 green on a clean stack, then torn down). Same-origin gateway (e2e/proxy.mjs, stdlib reverse proxy) fronts web + Kratos on one host so the browser's cookies round-trip (the themed form posts straight to Kratos); ory/kratos/e2e-proxy.yml points Kratos at it + --dev so cookies aren't Secure over http. SSO backed by a stdlib mock OIDC provider (e2e/mock-oidc.mjs, RS256 id_token, nonce-bound codes). Found + fixed a real bug the E2E surfaced: the SSO submit button shares the form with the required email/password fields, so HTML5 validation blocked it — added formnovalidate to the SSO buttons (auth-card.ejs), tests-first. Stability-reviewer APPROVE, no Critical/High (every dev/insecure knob is e2e-overlay-scoped, base/prod compose unaffected). typecheck + 305 units green. Also marks the §8 E2E-harness item (full stack up + seeded admin/Keto roles + tear-down).
This commit is contained in:
76
e2e/mock-oidc.mjs
Normal file
76
e2e/mock-oidc.mjs
Normal file
@@ -0,0 +1,76 @@
|
||||
// Mock OIDC provider for the SSO browser E2E (todo §8) — a stand-in for Google/etc. so the test
|
||||
// never leaves the compose network. Auto-approves /authorize (no provider login UI), then signs an
|
||||
// RS256 id_token Kratos verifies against /jwks. stdlib only, in-memory, NOT app code. The single
|
||||
// host (mock-oidc:9000) is reachable by both the browser (/authorize) and Kratos (token/jwks).
|
||||
import { createServer } from "node:http";
|
||||
import { createSign, generateKeyPairSync, randomUUID } from "node:crypto";
|
||||
|
||||
const ISSUER = process.env.ISSUER ?? "http://mock-oidc:9000";
|
||||
const CLIENT_ID = process.env.CLIENT_ID ?? "plainpages-e2e";
|
||||
const EMAIL = process.env.SSO_EMAIL ?? "sso-user@plainpages.local";
|
||||
const PORT = Number(process.env.PORT ?? 9000);
|
||||
const KID = "mock-1";
|
||||
|
||||
// One signing key for the process; its public half is published at /jwks for Kratos to verify with.
|
||||
const { privateKey, publicKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
|
||||
const jwk = { ...publicKey.export({ format: "jwk" }), alg: "RS256", kid: KID, use: "sig" };
|
||||
|
||||
const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
|
||||
function idToken(nonce) {
|
||||
const now = Math.floor(Date.now() / 1000);
|
||||
const header = b64({ alg: "RS256", kid: KID, typ: "JWT" });
|
||||
const payload = b64({
|
||||
aud: CLIENT_ID, email: EMAIL, email_verified: true, exp: now + 600, family_name: "User",
|
||||
given_name: "SSO", iat: now, iss: ISSUER, name: "SSO User", nonce, sub: "mock-subject-1",
|
||||
});
|
||||
const sig = createSign("RSA-SHA256").update(`${header}.${payload}`).end().sign(privateKey).toString("base64url");
|
||||
return `${header}.${payload}.${sig}`;
|
||||
}
|
||||
|
||||
const codes = new Map(); // single-use auth code → the nonce Kratos sent (echoed into the id_token)
|
||||
const json = (res, body) => { res.writeHead(200, { "content-type": "application/json" }); res.end(JSON.stringify(body)); };
|
||||
|
||||
createServer((req, res) => {
|
||||
const url = new URL(req.url ?? "/", ISSUER);
|
||||
const p = url.pathname;
|
||||
|
||||
if (p === "/.well-known/openid-configuration") {
|
||||
return json(res, {
|
||||
authorization_endpoint: `${ISSUER}/authorize`, id_token_signing_alg_values_supported: ["RS256"],
|
||||
issuer: ISSUER, jwks_uri: `${ISSUER}/jwks`, response_types_supported: ["code"],
|
||||
scopes_supported: ["openid", "email"], subject_types_supported: ["public"],
|
||||
token_endpoint: `${ISSUER}/token`, userinfo_endpoint: `${ISSUER}/userinfo`,
|
||||
});
|
||||
}
|
||||
if (p === "/jwks") return json(res, { keys: [jwk] });
|
||||
|
||||
// Auto-approve: no login screen — mint a code bound to Kratos' nonce and bounce to the redirect_uri.
|
||||
if (p === "/authorize") {
|
||||
const code = randomUUID();
|
||||
codes.set(code, url.searchParams.get("nonce") ?? "");
|
||||
const back = new URL(url.searchParams.get("redirect_uri") ?? `${ISSUER}/`);
|
||||
back.searchParams.set("code", code);
|
||||
const state = url.searchParams.get("state");
|
||||
if (state) back.searchParams.set("state", state);
|
||||
res.writeHead(302, { location: back.toString() }).end();
|
||||
return;
|
||||
}
|
||||
|
||||
if (p === "/token" && req.method === "POST") {
|
||||
let body = "";
|
||||
req.on("data", (c) => (body += c));
|
||||
req.on("end", () => {
|
||||
const code = new URLSearchParams(body).get("code") ?? "";
|
||||
const nonce = codes.get(code) ?? "";
|
||||
codes.delete(code);
|
||||
json(res, { access_token: randomUUID(), expires_in: 600, id_token: idToken(nonce), token_type: "Bearer" });
|
||||
});
|
||||
return;
|
||||
}
|
||||
|
||||
if (p === "/userinfo") {
|
||||
return json(res, { email: EMAIL, email_verified: true, family_name: "User", given_name: "SSO", name: "SSO User", sub: "mock-subject-1" });
|
||||
}
|
||||
|
||||
res.writeHead(404, { "content-type": "text/plain" }).end("not found");
|
||||
}).listen(PORT, () => console.log(`mock-oidc on :${PORT} (issuer ${ISSUER})`));
|
||||
Reference in New Issue
Block a user