E2E for token timeout + refresh (todo §4); full-stack auth-refresh.spec.ts (real Ory stack): a lapsed session JWT is silently re-minted from the live Kratos session (roles re-read from Keto), and cleared once the session is revoked; ory/kratos/e2e.yml shortens the tokenizer ttl to 8s + adds JWT_CLOCK_SKEW_SEC config so re-mint fires at expiry; scope visual suite to visual.spec.ts
This commit is contained in:
103
e2e/auth-refresh.spec.ts
Normal file
103
e2e/auth-refresh.spec.ts
Normal file
@@ -0,0 +1,103 @@
|
||||
import { expect, test } from "@playwright/test";
|
||||
|
||||
// Full-stack auth E2E: token timeout + silent re-mint ("stay signed in", §4). Runs against the
|
||||
// real Ory stack via compose.e2e-auth.yml, where the session→JWT TTL is shortened to 8s and the
|
||||
// web clock skew is 0 — so the ~10m token lapses in seconds and the hot path re-mints it from the
|
||||
// still-live Kratos session. We drive the flow over HTTP (fetch, manual cookies) because Kratos
|
||||
// and web sit on different hosts here; web's own server-side cookie relay is what we exercise.
|
||||
// The browser-UI login is owned by §8; this proves the timeout/refresh server behaviour end-to-end.
|
||||
const WEB = process.env.BASE_URL ?? "http://web:3000";
|
||||
const KRATOS = process.env.KRATOS_PUBLIC_URL ?? "http://kratos:4433";
|
||||
const KRATOS_ADMIN = process.env.KRATOS_ADMIN_URL ?? "http://kratos:4434";
|
||||
const ADMIN_EMAIL = "admin@plainpages.local"; // seeded by bootstrap (§3); admin role granted in Keto
|
||||
const ADMIN_PASSWORD = "admin";
|
||||
|
||||
const sleep = (ms: number): Promise<void> => new Promise((r) => setTimeout(r, ms));
|
||||
|
||||
// The full Set-Cookie line for `name`, or undefined. (cleared cookies carry Max-Age=0 + empty value.)
|
||||
function setCookieLine(res: Response, name: string): string | undefined {
|
||||
return res.headers.getSetCookie().find((c) => c.startsWith(`${name}=`));
|
||||
}
|
||||
function cookieValue(line: string): string {
|
||||
return line.split(";", 1)[0]!.slice(line.indexOf("=") + 1);
|
||||
}
|
||||
// Build a "name=value; …" Cookie header from a response's Set-Cookie lines (skips cleared ones).
|
||||
function relayCookies(res: Response): string {
|
||||
return res.headers
|
||||
.getSetCookie()
|
||||
.map((c) => c.split(";", 1)[0]!)
|
||||
.filter((kv) => kv.split("=")[1] !== "")
|
||||
.join("; ");
|
||||
}
|
||||
// Read a JWT's claims without verifying (web already verified it; we only inspect exp/roles).
|
||||
function jwtClaims(jwt: string): { email: string; exp: number; roles: string[]; sub: string } {
|
||||
return JSON.parse(Buffer.from(jwt.split(".")[1]!, "base64url").toString());
|
||||
}
|
||||
|
||||
// Authenticate the seeded admin via Kratos' browser login flow (JSON), return its session cookie value.
|
||||
async function kratosLogin(): Promise<string> {
|
||||
const init = await fetch(`${KRATOS}/self-service/login/browser`, { headers: { accept: "application/json" } });
|
||||
expect(init.ok, `init login flow: ${init.status}`).toBeTruthy();
|
||||
const flow = await init.json();
|
||||
const csrf = flow.ui.nodes.find((n: { attributes?: { name?: string } }) => n.attributes?.name === "csrf_token");
|
||||
const submit = await fetch(flow.ui.action, {
|
||||
body: JSON.stringify({ csrf_token: csrf?.attributes?.value ?? "", identifier: ADMIN_EMAIL, method: "password", password: ADMIN_PASSWORD }),
|
||||
headers: { accept: "application/json", "content-type": "application/json", cookie: relayCookies(init) },
|
||||
method: "POST",
|
||||
redirect: "manual",
|
||||
});
|
||||
expect(submit.status, `login submit: ${await submit.text()}`).toBe(200);
|
||||
const session = setCookieLine(submit, "plainpages_session");
|
||||
expect(session, "Kratos sets the session cookie on login").toBeTruthy();
|
||||
return cookieValue(session!);
|
||||
}
|
||||
|
||||
// Hit web's home with the given cookies (no redirect-follow so we can read its Set-Cookie).
|
||||
function hitWeb(session: string, jwt: string): Promise<Response> {
|
||||
return fetch(`${WEB}/`, { headers: { cookie: `plainpages_session=${session}; plainpages_jwt=${jwt}` }, redirect: "manual" });
|
||||
}
|
||||
|
||||
// Poll web until it (re-)sets plainpages_jwt — i.e. the token has lapsed and the hot path acted:
|
||||
// a live session re-mints a fresh token; a dead one clears the cookie.
|
||||
async function awaitJwtSetCookie(session: string, jwt: string): Promise<string> {
|
||||
const deadline = Date.now() + 20_000;
|
||||
while (Date.now() < deadline) {
|
||||
const line = setCookieLine(await hitWeb(session, jwt), "plainpages_jwt");
|
||||
if (line) return line;
|
||||
await sleep(1000);
|
||||
}
|
||||
throw new Error("timed out waiting for web to act on the expired token");
|
||||
}
|
||||
|
||||
test("an expired session JWT is silently re-minted while Kratos lives, then cleared once it dies", async () => {
|
||||
test.setTimeout(90_000); // two short-TTL windows (8s each) + Ory round-trips
|
||||
|
||||
// 1. Log in for real, then complete login on web → our session JWT (roles read from Keto).
|
||||
const session = await kratosLogin();
|
||||
const complete = await fetch(`${WEB}/auth/complete`, { headers: { cookie: `plainpages_session=${session}` }, redirect: "manual" });
|
||||
expect(complete.status, "auth/complete redirects home").toBe(303);
|
||||
const jwt1Line = setCookieLine(complete, "plainpages_jwt");
|
||||
expect(jwt1Line, "auth/complete sets our session JWT").toBeTruthy();
|
||||
const jwt1 = cookieValue(jwt1Line!);
|
||||
|
||||
const claims1 = jwtClaims(jwt1);
|
||||
expect(claims1.email).toBe(ADMIN_EMAIL);
|
||||
expect(claims1.sub, "sub is the Kratos identity id").toBeTruthy();
|
||||
expect(claims1.roles, "roles are projected from Keto").toContain("admin");
|
||||
|
||||
// 2. Token timeout → refresh: once the 8s TTL lapses, the next request re-mints a fresh JWT.
|
||||
const jwt2Line = await awaitJwtSetCookie(session, jwt1);
|
||||
const jwt2 = cookieValue(jwt2Line!);
|
||||
expect(jwt2, "a different token was minted").not.toBe(jwt1);
|
||||
const claims2 = jwtClaims(jwt2);
|
||||
expect(claims2.exp, "the new token expires later").toBeGreaterThan(claims1.exp);
|
||||
expect(claims2.roles, "re-mint re-reads roles from Keto").toContain("admin");
|
||||
|
||||
// 3. Kill the Kratos session: now the lapsed token cannot refresh — the cookie is cleared.
|
||||
const revoke = await fetch(`${KRATOS_ADMIN}/admin/identities/${claims1.sub}/sessions`, { method: "DELETE" });
|
||||
expect([204, 404]).toContain(revoke.status);
|
||||
|
||||
const clearedLine = await awaitJwtSetCookie(session, jwt2);
|
||||
expect(cookieValue(clearedLine), "the stale JWT cookie is emptied").toBe("");
|
||||
expect(clearedLine, "and expired (Max-Age=0)").toMatch(/Max-Age=0/i);
|
||||
});
|
||||
Reference in New Issue
Block a user