larvit/plainpages
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
521c09fa2d86ee7c5453cff2cf8cdf21d1c61565
plainpages/e2e/auth-refresh.spec.ts

104 lines
5.6 KiB
TypeScript
Raw Blame History

import { expect, test } from "@playwright/test";
// Full-stack auth E2E: token timeout + silent re-mint ("stay signed in", §4). Runs against the
// real Ory stack via compose.e2e-auth.yml, where the session→JWT TTL is shortened to 8s and the
// web clock skew is 0 — so the ~10m token lapses in seconds and the hot path re-mints it from the
// still-live Kratos session. We drive the flow over HTTP (fetch, manual cookies) because Kratos
// and web sit on different hosts here; web's own server-side cookie relay is what we exercise.
// The browser-UI login is owned by §8; this proves the timeout/refresh server behaviour end-to-end.
const WEB = process.env.BASE_URL ?? "http://web:3000";
const KRATOS = process.env.KRATOS_PUBLIC_URL ?? "http://kratos:4433";
const KRATOS_ADMIN = process.env.KRATOS_ADMIN_URL ?? "http://kratos:4434";
const ADMIN_EMAIL = "admin@plainpages.local"; // seeded by bootstrap (§3); admin role granted in Keto
const ADMIN_PASSWORD = "admin";
const sleep = (ms: number): Promise<void> => new Promise((r) => setTimeout(r, ms));
// The full Set-Cookie line for `name`, or undefined. (cleared cookies carry Max-Age=0 + empty value.)
function setCookieLine(res: Response, name: string): string | undefined {
return res.headers.getSetCookie().find((c) => c.startsWith(`${name}=`));
}
function cookieValue(line: string): string {
return line.split(";", 1)[0]!.slice(line.indexOf("=") + 1);
}
// Build a "name=value; …" Cookie header from a response's Set-Cookie lines (skips cleared ones).
function relayCookies(res: Response): string {
return res.headers
.getSetCookie()
.map((c) => c.split(";", 1)[0]!)
.filter((kv) => kv.split("=")[1] !== "")
.join("; ");
}
// Read a JWT's claims without verifying (web already verified it; we only inspect exp/roles).
function jwtClaims(jwt: string): { email: string; exp: number; roles: string[]; sub: string } {
return JSON.parse(Buffer.from(jwt.split(".")[1]!, "base64url").toString());
}
// Authenticate the seeded admin via Kratos' browser login flow (JSON), return its session cookie value.
async function kratosLogin(): Promise<string> {
const init = await fetch(`${KRATOS}/self-service/login/browser`, { headers: { accept: "application/json" } });
expect(init.ok, `init login flow: ${init.status}`).toBeTruthy();
const flow = await init.json();
const csrf = flow.ui.nodes.find((n: { attributes?: { name?: string } }) => n.attributes?.name === "csrf_token");
const submit = await fetch(flow.ui.action, {
body: JSON.stringify({ csrf_token: csrf?.attributes?.value ?? "", identifier: ADMIN_EMAIL, method: "password", password: ADMIN_PASSWORD }),
headers: { accept: "application/json", "content-type": "application/json", cookie: relayCookies(init) },
method: "POST",
redirect: "manual",
});
expect(submit.status, `login submit: ${await submit.text()}`).toBe(200);
const session = setCookieLine(submit, "plainpages_session");
expect(session, "Kratos sets the session cookie on login").toBeTruthy();
return cookieValue(session!);
}
// Hit web's home with the given cookies (no redirect-follow so we can read its Set-Cookie).
function hitWeb(session: string, jwt: string): Promise<Response> {
return fetch(`${WEB}/`, { headers: { cookie: `plainpages_session=${session}; plainpages_jwt=${jwt}` }, redirect: "manual" });
}
// Poll web until it (re-)sets plainpages_jwt — i.e. the token has lapsed and the hot path acted:
// a live session re-mints a fresh token; a dead one clears the cookie.
async function awaitJwtSetCookie(session: string, jwt: string): Promise<string> {
const deadline = Date.now() + 20_000;
while (Date.now() < deadline) {
const line = setCookieLine(await hitWeb(session, jwt), "plainpages_jwt");
if (line) return line;
await sleep(1000);
}
throw new Error("timed out waiting for web to act on the expired token");
}
test("an expired session JWT is silently re-minted while Kratos lives, then cleared once it dies", async () => {
test.setTimeout(90_000); // two short-TTL windows (8s each) + Ory round-trips
// 1. Log in for real, then complete login on web → our session JWT (roles read from Keto).
const session = await kratosLogin();
const complete = await fetch(`${WEB}/auth/complete`, { headers: { cookie: `plainpages_session=${session}` }, redirect: "manual" });
expect(complete.status, "auth/complete redirects home").toBe(303);
const jwt1Line = setCookieLine(complete, "plainpages_jwt");
expect(jwt1Line, "auth/complete sets our session JWT").toBeTruthy();
const jwt1 = cookieValue(jwt1Line!);
const claims1 = jwtClaims(jwt1);
expect(claims1.email).toBe(ADMIN_EMAIL);
expect(claims1.sub, "sub is the Kratos identity id").toBeTruthy();
expect(claims1.roles, "roles are projected from Keto").toContain("admin");
// 2. Token timeout → refresh: once the 8s TTL lapses, the next request re-mints a fresh JWT.
const jwt2Line = await awaitJwtSetCookie(session, jwt1);
const jwt2 = cookieValue(jwt2Line!);
expect(jwt2, "a different token was minted").not.toBe(jwt1);
const claims2 = jwtClaims(jwt2);
expect(claims2.exp, "the new token expires later").toBeGreaterThan(claims1.exp);
expect(claims2.roles, "re-mint re-reads roles from Keto").toContain("admin");
// 3. Kill the Kratos session: now the lapsed token cannot refresh — the cookie is cleared.
const revoke = await fetch(`${KRATOS_ADMIN}/admin/identities/${claims1.sub}/sessions`, { method: "DELETE" });
expect([204, 404]).toContain(revoke.status);
const clearedLine = await awaitJwtSetCookie(session, jwt2);
expect(cookieValue(clearedLine), "the stale JWT cookie is emptied").toBe("");
expect(clearedLine, "and expired (Max-Age=0)").toMatch(/Max-Age=0/i);
});
Reference in New Issue View Git Blame Copy Permalink