1d198acc97
The from-scratch dev login was broken: open the banner's http://localhost:3000, sign in as the seeded admin, and you landed on http://127.0.0.1:3000/error "Page not found". Root cause: the banner/APP_URL said localhost but kratos.yml hard-coded 127.0.0.1, and a host-scoped Kratos CSRF cookie can't cross localhost<->127.0.0.1, so the cross-host login POST lost it; Kratos redirected to its error sink, which the app had no route for (404). Make APP_URL the single source of truth for the public host: - Canonical-host redirect (app.ts): when APP_URL is set, an off-host GET/HEAD visitor is 308'd to it (path+query kept) before a flow starts, so the browser, the themed forms and the cross-origin Kratos POST share one cookie host. After /public/ so static/health checks stay host-agnostic; GET/HEAD only so a 308 never replays a cross-host POST. - Opt-in (no NODE_ENV / no magic default): unset => no redirect, so a prod deploy that forgets APP_URL can't bounce real users to a stale default. The dev stack sets it. - kratos.yml browser URLs default to localhost (match APP_URL's dev value) and derive from ${APP_URL} via compose.override.yml; SERVE_PUBLIC_BASE_URL keeps the dev Ory port. - Real /error page (views/error.ejs) replaces the catch-all 404 for genuine flow errors. Tests-first: config (opt-in/validated), app (308 on mismatch, no-redirect on match, static host-agnostic, POST untouched, /error page), updated kratos.test host pins. New devstack regression (e2e/devstack-login.spec + compose.e2e-devstack.yml) drives the plain docker-compose-up topology on the host network: login from localhost works and 127.0.0.1 is canonicalised; wired into scripts/ci.sh. typecheck + 360 units + full ci.sh (visual 10 · auth 1 · oauth 2 · full 7 · devstack 2) green.
103 lines
4.3 KiB
YAML
103 lines
4.3 KiB
YAML
# Full browser E2E (todo §8) — the real Playwright UI flow against the live stack: password +
|
|
# mocked-SSO login, menu filtering by role, users/groups/roles CRUD, a plugin page, logout. A tiny
|
|
# same-origin gateway (proxy, e2e/proxy.mjs) fronts web + Kratos on one host so the browser's cookies
|
|
# round-trip (ory/kratos/e2e-proxy.yml points Kratos at it); a mock OIDC provider backs the SSO test.
|
|
# docker compose -f compose.yml -f compose.e2e-full.yml run --build --rm e2e
|
|
# docker compose -f compose.yml -f compose.e2e-full.yml down -v # tear down after
|
|
services:
|
|
web:
|
|
# First-party + SSO flows need Kratos + Keto + bootstrap, not Hydra — drop it so the stack is
|
|
# leaner. SSO is enabled here only (clean clone stays password-only): the mock provider's whole
|
|
# array is the env-settable form Kratos offers, mapped through the committed claims jsonnet.
|
|
depends_on: !override
|
|
bootstrap:
|
|
condition: service_completed_successfully
|
|
kratos:
|
|
condition: service_healthy
|
|
keto:
|
|
condition: service_healthy
|
|
shifts-upstream:
|
|
condition: service_healthy
|
|
environment:
|
|
APP_URL: http://proxy # the browser reaches web through the same-origin gateway → canonical-host redirect stays inert
|
|
CACHE_TEMPLATES: "true"
|
|
REQUIRE_SECURE_SECRETS: "false"
|
|
SECURE_COOKIES: "false" # the browser hits the gateway over http — Secure cookies wouldn't be stored
|
|
healthcheck:
|
|
test: ["CMD", "wget", "-q", "-O", "-", "http://localhost:3000/public/css/styles.css"]
|
|
interval: 2s
|
|
timeout: 4s
|
|
retries: 30
|
|
|
|
# Browser-facing URLs (base_url, every ui_url, the after-login redirect) move to the gateway host.
|
|
# `--dev`: the browser hits the gateway over http, but Kratos marks cookies Secure for a
|
|
# non-loopback host like `proxy` — dev mode drops that so the session/CSRF cookies are stored.
|
|
kratos:
|
|
command: serve --dev -c /etc/config/kratos/kratos.yml -c /etc/config/kratos/e2e-proxy.yml --watch-courier
|
|
environment:
|
|
SELFSERVICE_METHODS_OIDC_ENABLED: "true"
|
|
SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS: >-
|
|
[{"id":"mock","provider":"generic","label":"Mock SSO","client_id":"plainpages-e2e","client_secret":"e2e-secret","issuer_url":"http://mock-oidc:9000","scope":["openid","email"],"mapper_url":"file:///etc/config/kratos/oidc/claims.jsonnet"}]
|
|
|
|
# The reference plugin's upstream (examples/shifts-upstream) so /scheduling/shifts shows real rows.
|
|
shifts-upstream:
|
|
image: node:24.16.0-alpine3.24
|
|
command: ["node", "/server.mjs"]
|
|
volumes:
|
|
- ./examples/shifts-upstream/server.mjs:/server.mjs:ro
|
|
healthcheck:
|
|
test: ["CMD", "wget", "-q", "-O", "-", "http://localhost:4000/shifts"]
|
|
interval: 2s
|
|
timeout: 4s
|
|
retries: 15
|
|
|
|
# Mock OIDC provider for the SSO login test — stdlib Node, auto-approves, signs an id_token Kratos
|
|
# verifies via its jwks. Reachable as the same host (mock-oidc:9000) by both the browser and Kratos.
|
|
mock-oidc:
|
|
image: node:24.16.0-alpine3.24
|
|
command: ["node", "/mock-oidc.mjs"]
|
|
environment:
|
|
ISSUER: http://mock-oidc:9000
|
|
SSO_EMAIL: sso-user@plainpages.local
|
|
volumes:
|
|
- ./e2e/mock-oidc.mjs:/mock-oidc.mjs:ro
|
|
healthcheck:
|
|
test: ["CMD", "wget", "-q", "-O", "-", "http://localhost:9000/.well-known/openid-configuration"]
|
|
interval: 2s
|
|
timeout: 4s
|
|
retries: 15
|
|
|
|
# Same-origin gateway: Kratos-owned paths → kratos, everything else → web (e2e/proxy.mjs).
|
|
proxy:
|
|
image: node:24.16.0-alpine3.24
|
|
command: ["node", "/proxy.mjs"]
|
|
depends_on:
|
|
web:
|
|
condition: service_healthy
|
|
environment:
|
|
KRATOS_URL: http://kratos:4433
|
|
WEB_URL: http://web:3000
|
|
volumes:
|
|
- ./e2e/proxy.mjs:/proxy.mjs:ro
|
|
healthcheck:
|
|
test: ["CMD", "wget", "-q", "-O", "-", "http://localhost/public/css/styles.css"]
|
|
interval: 2s
|
|
timeout: 4s
|
|
retries: 30
|
|
|
|
e2e:
|
|
build:
|
|
context: .
|
|
dockerfile: Dockerfile.e2e
|
|
command: ["npx", "playwright", "test", "full-flow.spec.ts"]
|
|
depends_on:
|
|
mock-oidc:
|
|
condition: service_healthy
|
|
proxy:
|
|
condition: service_healthy
|
|
environment:
|
|
BASE_URL: http://proxy
|
|
KRATOS_ADMIN_URL: http://kratos:4434
|
|
volumes:
|
|
- ./e2e/artifacts:/e2e/artifacts
|