§8 full browser E2E (todo §8); the real Playwright UI against the live stack — the browser-UI flows the earlier full-stack suites deferred here. New e2e/full-flow.spec.ts + compose.e2e-full.yml covering password login, mocked SSO, menu filtering by role, users/groups/roles CRUD, a permission-gated plugin page, and logout (6/6 green on a clean stack, then torn down). Same-origin gateway (e2e/proxy.mjs, stdlib reverse proxy) fronts web + Kratos on one host so the browser's cookies round-trip (the themed form posts straight to Kratos); ory/kratos/e2e-proxy.yml points Kratos at it + --dev so cookies aren't Secure over http. SSO backed by a stdlib mock OIDC provider (e2e/mock-oidc.mjs, RS256 id_token, nonce-bound codes). Found + fixed a real bug the E2E surfaced: the SSO submit button shares the form with the required email/password fields, so HTML5 validation blocked it — added formnovalidate to the SSO buttons (auth-card.ejs), tests-first. Stability-reviewer APPROVE, no Critical/High (every dev/insecure knob is e2e-overlay-scoped, base/prod compose unaffected). typecheck + 305 units green. Also marks the §8 E2E-harness item (full stack up + seeded admin/Keto roles + tear-down).

2026-06-19 19:28:17 +02:00
parent 1961a4c163
commit 9d77f6ad17
10 changed files with 378 additions and 9 deletions

ory/kratos/e2e-proxy.yml Normal file

@@ -0,0 +1,40 @@
# Browser-E2E overlay (compose.e2e-full.yml) — merged after kratos.yml via a second `-c`. The
# full-flow suite drives the real browser, so web + Kratos must share one origin (the `proxy`
# gateway, e2e/proxy.mjs). Point Kratos' public base_url and every self-service URL at that host so
# the flow action, the session cookie, and the after-login redirect all stay same-origin as the
# browser sees them. The normal (10m) tokenizer TTL from kratos.yml is kept — no re-mint mid-test.
serve:
public:
base_url: http://proxy/
selfservice:
default_browser_return_url: http://proxy/
allowed_return_urls:
- http://proxy
flows:
error:
ui_url: http://proxy/error
login:
ui_url: http://proxy/login
after:
default_browser_return_url: http://proxy/auth/complete
registration:
ui_url: http://proxy/registration
after:
# First SSO login auto-registers the identity: log it in (session) and route through our
# completion route so the JWT is minted, same as a password login.
default_browser_return_url: http://proxy/auth/complete
oidc:
hooks:
- hook: session
settings:
ui_url: http://proxy/settings
recovery:
ui_url: http://proxy/recovery
verification:
ui_url: http://proxy/verification
after:
default_browser_return_url: http://proxy/
logout:
after:
default_browser_return_url: http://proxy/login
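Review bot: the header comment gives the same-origin rationale but not the two settings that make this file unsafe anywhere except the e2e overlay: every URL is plaintext `http://proxy/...` (the commit message notes Kratos also runs with `--dev` so the session cookie is not marked Secure), and `registration.after.oidc.hooks: - hook: session` logs in any identity the mock OIDC provider auto-registers on first SSO login. Add a line to the comment stating both and that this file must only ever be merged by compose.e2e-full.yml, so it is not lifted into another Kratos invocation as a second `-c`. Minor: `allowed_return_urls` lists `http://proxy` while every other URL in the file uses the `http://proxy/` form; harmonise them so the return-URL allow-list does not depend on how Kratos treats the trailing slash.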