test(e2e): cross-browser and mobile-viewport projects #380
Reference: james/carol!380
Extends the Playwright e2e suite (`apps/e2e/`) to the other shapes Carol's universal client targets — other browser engines, and the narrow viewport where the sidebar collapses to a slide-in drawer. Last child of #150.

Closes #327
Refs #150

Security review: cookie `Secure` relaxation (read this first)

This PR weakens one cookie attribute only behind a fail-closed e2e gate — please scrutinise that gate.

- `apps/api/lib/auth/cookie-security.ts`: `NODE_ENV === "production"` `Secure` decision in `session.ts` (`sessionCookieOptions`), `themes/cookie.ts`, and `oauth-cookies.ts`.
- `next start` (so `NODE_ENV=production`) but serves over plain-HTTP `http://127.0.0.1`. Firefox and WebKit refuse to store a `Secure` cookie set over an insecure origin, which silently breaks the session cookie and every authed flow under those engines.
- `E2E_TEST_ROUTES`, the same flag that already gates the destructive `POST /api/test/reset` route. It is set only by `apps/e2e/scripts/serve.sh`, never by any real deployment. With the flag unset (every real deployment), cookies stay `Secure`. The gate is the env flag alone, not `NODE_ENV`, because the harness and a real deploy are both `NODE_ENV=production` — a `NODE_ENV` check couldn't tell them apart. `httpOnly` and `SameSite` are untouched.
- (`apps/api/tests/auth/cookie-security.test.ts`): true in prod with the flag unset; false when `E2E_TEST_ROUTES=1`; still true when the flag is a non-`"1"` truthy value (exact match); false in dev. Env mutations are restored via `vi.unstubAllEnvs()` so the suite can't leak.
- `semgrep scan --config p/nodejsscan --config .semgrep --error apps/api` → 0 findings (281 targets), so no suppression was needed.

The rest

- (`apps/e2e/fixtures/nav.ts`): `gotoViaSidebar`/`logoutViaSidebar` branch on `page.viewportSize()` width < 720px — open the drawer via the hamburger (`nav.expandSidebar`) first on a narrow viewport, then act. `nav.expandSidebar` added to `fixtures/strings.ts` from the i18n catalog (no hardcoded copy).
- (`smoke.spec.ts`): its two nav clicks and log-out now go through the helpers, and the shell-renders assertion is viewport-aware (hamburger on mobile vs inline log-out on desktop). Still self-registers (no `storageState`).
- `mobile-nav.spec.ts` (mobile-authed project): asserts the drawer mechanics desktop can't — no permanent sidebar + hamburger on load; tap hamburger → drawer opens → tap Profile → routes to `/profile` and the drawer closes; open then dismiss via the scrim without navigating. Open/closed is detected with `toBeInViewport()` (the closed drawer sits off-screen at `left: -240px`).
- `firefox`, `webkit`, `mobile` (Pixel 5) run the smoke spec; `mobile-authed` (Pixel 5 + storageState, deps `setup`) runs `mobile-nav.spec.ts`. Existing setup/chromium/smoke/admin unchanged; domain + admin specs stay Chromium-desktop.
- (`.forgejo/workflows/pr.yml`): browser install now `--with-deps chromium firefox webkit`.
- (`apps/e2e/README.md`): documents the new projects/engines and the e2e cookie-Secure relaxation (test-only var, stays out of the README config tables).

Verification

- `pnpm -F @carol/api test` — 1039 passed / 231 skipped (the skips are the Postgres legs; `TEST_POSTGRES_URL` unset locally — CI runs the PG matrix). New cookie-security test green.
- `semgrep ... apps/api` — 0 findings. `openapi:check` + `openapi:coverage` clean.
- `pnpm -F @carol/api lint`, `pnpm -F @carol/e2e exec tsc --noEmit`, `actionlint pr.yml` all clean.
- `pnpm -F @carol/e2e test` on the Chromium-capable projects (setup, chromium, smoke, mobile, mobile-authed, admin) — 15 passed, 1 skipped (the pre-existing profile-picture `test.fixme`). Smoke passes on desktop Chromium and the Pixel 5 drawer path; the mobile-nav spec passes.
- (Fedora) is missing their system libraries and the only offered fix is Debian `apt`/`sudo`, unavailable in this sandbox. WebKit's launch failed purely on missing host deps, not test logic. CI installs `--with-deps`, so the FF/WebKit smoke runs there — that is the real gate for those engines.
🤖 Generated with Claude Code
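The gate the description asks reviewers to scrutinise, as an added illustration that is not the project's own `cookie-security.ts`: a `Secure` decision that fails closed, with the exact-match `E2E_TEST_ROUTES` semantics the four test cases enumerate. The `Env` type, the function names and the `Set-Cookie` serializer are assumptions for this example, not the project's API.

```typescript
// Added example, not apps/api's cookie-security.ts: a fail-closed Secure gate
// with the semantics the PR describes. Function and type names are assumed.
type Env = Record<string, string | undefined>;

// Secure stays on unless NODE_ENV is "production" AND E2E_TEST_ROUTES is
// exactly "1". Any other value ("true", "yes", "") keeps Secure, so a stray
// truthy value in a real deployment cannot relax the cookie.
function cookieSecure(env: Env): boolean {
  const production = env.NODE_ENV === "production";
  const harnessFlag = env.E2E_TEST_ROUTES === "1"; // exact match, not truthiness
  return production && !harnessFlag;
}

type SameSite = "lax" | "strict" | "none";
interface CookieOptions {
  httpOnly: boolean;
  sameSite: SameSite;
  secure: boolean;
  path: string;
}

// Only `secure` is derived from the gate; httpOnly and sameSite stay fixed.
function sessionCookieOptions(env: Env): CookieOptions {
  return { httpOnly: true, sameSite: "lax", secure: cookieSecure(env), path: "/" };
}

// Serialize to a Set-Cookie header value so the gate's effect is visible in
// what the browser actually receives.
function setCookieHeader(name: string, value: string, opts: CookieOptions): string {
  const sameSiteLabel: Record<SameSite, string> = { lax: "Lax", strict: "Strict", none: "None" };
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${opts.path}`];
  if (opts.httpOnly) parts.push("HttpOnly");
  parts.push(`SameSite=${sameSiteLabel[opts.sameSite]}`);
  if (opts.secure) parts.push("Secure");
  return parts.join("; ");
}

// Constructed environments mirroring the PR's test cases: a real deploy, the
// e2e harness (next start over plain http://127.0.0.1 with the flag set),
// a non-"1" truthy flag, and dev.
const realDeploy: Env = { NODE_ENV: "production" };
const e2eHarness: Env = { NODE_ENV: "production", E2E_TEST_ROUTES: "1" };
const sloppyFlag: Env = { NODE_ENV: "production", E2E_TEST_ROUTES: "true" };
const dev: Env = { NODE_ENV: "development" };
```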
📊 Test coverage
Patch coverage: no testable lines changed.
Overall (`app/`, `lib/`, `db/`, excluding UI per ADR-0019): Soft thresholds per ADR-0019. Coverage is informational and does not block merge.