feat(tests): add end-to-end tests for authentication and todos functionality

larry-xue · larry-xue · commit d30bb5341ee7 · 2026-02-09T11:16:40.000+08:00
diff --git a/apps/app/tests/e2e/auth-todo.spec.ts b/apps/app/tests/e2e/auth-todo.spec.ts
@@ -0,0 +1,71 @@
+import { expect, test, type Page } from '@playwright/test'
+
+type Credentials = {
+  email: string
+  password: string
+}
+
+const createCredentials = (): Credentials => {
+  const nonce = `${Date.now()}-${Math.random().toString(36).slice(2, 8)}`
+  return {
+    email: `playwright-${nonce}@example.com`,
+    password: 'Playwright123!',
+  }
+}
+
+const signUp = async (page: Page, credentials: Credentials) => {
+  await page.goto('/auth')
+  await page.getByRole('button', { name: 'Sign up' }).click()
+  await page.getByLabel('Email address').fill(credentials.email)
+  await page.getByLabel('Password').fill(credentials.password)
+  await page.getByRole('button', { name: 'Create account' }).click()
+  await expect(page).toHaveURL(/\/app\/todos$/)
+}
+
+const login = async (page: Page, credentials: Credentials) => {
+  await page.goto('/auth')
+  await page.getByLabel('Email address').fill(credentials.email)
+  await page.getByLabel('Password').fill(credentials.password)
+  await page.getByRole('button', { name: 'Sign in' }).click()
+  await expect(page).toHaveURL(/\/app\/todos$/)
+}
+
+test.describe('auth and todos', () => {
+  test('supports sign up and sign in', async ({ page }) => {
+    const credentials = createCredentials()
+
+    await signUp(page, credentials)
+    await page.getByRole('button', { name: 'Sign out' }).click()
+    await expect(page).toHaveURL(/\/auth$/)
+
+    await login(page, credentials)
+    await expect(page.getByRole('button', { name: 'Sign out' })).toBeVisible()
+  })
+
+  test('supports todo create, toggle, edit and delete', async ({ page }) => {
+    const credentials = createCredentials()
+    const initialTitle = `todo-${Date.now()}`
+    const updatedTitle = `${initialTitle}-updated`
+
+    await signUp(page, credentials)
+
+    const input = page.getByPlaceholder('Add a new task')
+    await input.fill(initialTitle)
+    await page.getByRole('button', { name: 'Add todo' }).click()
+
+    const item = page.locator('li', { hasText: initialTitle })
+    await expect(item).toBeVisible()
+
+    await item.getByRole('button', { name: 'Mark as done' }).click()
+    await expect(item.getByRole('button', { name: 'Mark as not done' })).toBeVisible()
+
+    await item.getByRole('button', { name: 'Edit' }).click()
+    await item.getByRole('textbox').fill(updatedTitle)
+    await item.getByRole('button', { name: 'Save' }).click()
+    await expect(page.locator('li', { hasText: updatedTitle })).toBeVisible()
+
+    const updatedItem = page.locator('li', { hasText: updatedTitle })
+    await updatedItem.getByRole('button', { name: 'Delete' }).click()
+    await expect(updatedItem).toHaveCount(0)
+  })
+})
diff --git a/packages/api/src/auth.ts b/packages/api/src/auth.ts
@@ -1,4 +1,4 @@
-import { jwtVerify } from 'jose'
+import { createRemoteJWKSet, decodeProtectedHeader, jwtVerify } from 'jose'
 
 type RuntimeEnv = Record<string, string | undefined>
 const getRuntimeEnv = (): RuntimeEnv =>
@@ -14,7 +14,11 @@ const getJwtSecret = () => {
 
 const getJwtIssuer = () => {
   const issuer = getRuntimeEnv().SUPABASE_JWT_ISS
-  return issuer && issuer.length > 0 ? issuer : undefined
+  if (issuer && issuer.length > 0) {
+    return issuer
+  }
+
+  return null;
 }
 
 export type AuthContext = {
@@ -41,11 +45,57 @@ export const getBearerToken = (request: Request): string | null => {
   return token
 }
 
-export const verifySupabaseJwt = async (token: string): Promise<AuthContext> => {
+let remoteJwks: ReturnType<typeof createRemoteJWKSet> | null = null
+
+const getJwksUrl = () => {
+  const explicit = getRuntimeEnv().SUPABASE_JWKS_URL
+  if (explicit && explicit.length > 0) {
+    return explicit
+  }
+
   const issuer = getJwtIssuer()
-  const { payload } = await jwtVerify(token, getJwtSecret(),
-    issuer ? { issuer } : undefined,
-  )
+  if (!issuer) {
+    return undefined
+  }
+
+  return `${issuer.replace(/\/$/, '')}/.well-known/jwks.json`
+}
+
+const getRemoteJwks = () => {
+  if (remoteJwks) {
+    return remoteJwks
+  }
+
+  const jwksUrl = getJwksUrl()
+  if (!jwksUrl) {
+    throw new Error('SUPABASE_JWKS_URL or SUPABASE_JWT_ISS is required')
+  }
+
+  remoteJwks = createRemoteJWKSet(new URL(jwksUrl))
+  return remoteJwks
+}
+
+const verifyWithSharedSecret = async (token: string) => {
+  const issuer = getJwtIssuer()
+  return jwtVerify(token, getJwtSecret(), issuer ? { issuer } : undefined)
+}
+
+const verifyWithJwks = async (token: string) => {
+  const issuer = getJwtIssuer()
+  return jwtVerify(token, getRemoteJwks(), issuer ? { issuer } : undefined)
+}
+
+export const verifySupabaseJwt = async (token: string): Promise<AuthContext> => {
+  const { alg } = decodeProtectedHeader(token)
+
+  if (!alg) {
+    throw new Error('Token algorithm is missing')
+  }
+
+  const isHmac = alg.toUpperCase().startsWith('HS')
+  const { payload } = isHmac
+    ? await verifyWithSharedSecret(token)
+    : await verifyWithJwks(token)
 
   const userId = typeof payload.sub === 'string' ? payload.sub : null
   const role = typeof payload.role === 'string' ? payload.role : null
@@ -63,4 +113,4 @@ export const verifySupabaseJwt = async (token: string): Promise<AuthContext> =>
     role: 'authenticated',
     token,
   }
-}
+}
diff --git a/packages/api/src/plugins/auth.ts b/packages/api/src/plugins/auth.ts
@@ -10,7 +10,7 @@ export type AuthContext = SupabaseAuthContext
 
 const authPlugin = new Elysia()
   .derive(
-    { as: 'scoped' },
+    { as: 'global' },
     async ({ request }): Promise<{ auth: AuthContext | null }> => {
     const token = getBearerToken(request)
     if (!token) {
diff --git a/playwright.config.ts b/playwright.config.ts
@@ -26,7 +26,7 @@ export default defineConfig({
   /* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */
   use: {
     /* Base URL to use in actions like `await page.goto('')`. */
-    baseURL: process.env.PLAYWRIGHT_BASE_URL ?? 'http://127.0.0.1:5173',
+    baseURL: process.env.PLAYWRIGHT_BASE_URL ?? 'http://127.0.0.1:8878',
     locale: 'en-US',
 
     /* Collect trace when retrying the failed test. See https://playwright.dev/docs/trace-viewer */
@@ -74,10 +74,18 @@ export default defineConfig({
   ],
 
   /* Run your local dev server before starting the tests */
-  webServer: {
-    command: 'pnpm --filter app dev',
-    url: 'http://127.0.0.1:8878',
-    reuseExistingServer: !process.env.CI,
-    timeout: 120 * 1000,
-  },
+  webServer: [
+    {
+      command: 'pnpm --dir packages/api run dev',
+      url: 'http://127.0.0.1:54545/health',
+      reuseExistingServer: !process.env.CI,
+      timeout: 120 * 1000,
+    },
+    {
+      command: 'pnpm --dir apps/app run dev',
+      url: process.env.PLAYWRIGHT_BASE_URL ?? 'http://127.0.0.1:8878',
+      reuseExistingServer: !process.env.CI,
+      timeout: 120 * 1000,
+    },
+  ],
 });
