letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
0406778c4416351f43db5d2d062739f07ddcee35
pn-new-crm/tests/e2e/smoke/05-invoices.spec.ts
Matt Ciaccio 475b051e29
All checks were successful
Build & Push Docker Images / lint (pull_request) Successful in 1m0s
Details
Build & Push Docker Images / build-and-push (pull_request) Has been skipped
Details
feat(portal): replace magic-link with email/password + admin-initiated activation 
The client portal no longer uses passwordless / magic-link sign-in. Each
client now has a `portal_users` row with a scrypt-hashed password,
created by an admin from the client detail page; the admin's invite
mails an activation link that the client uses to set their own password.
Forgot-password is wired through the same token mechanism.

Schema (migration `0009_outgoing_rumiko_fujikawa.sql`):

- `portal_users` — one per client account, separate from the CRM
  `users` table (better-auth) so the auth realms stay isolated. Email
  is globally unique, password is null until activation.
- `portal_auth_tokens` — single-use activation / reset tokens. Stores
  only the SHA-256 hash so a DB compromise never leaks live tokens.

Services:

- `src/lib/portal/passwords.ts` — scrypt hash/verify (no new deps;
  uses node:crypto), token mint+hash helpers.
- `src/lib/services/portal-auth.service.ts` — createPortalUser,
  resendActivation, activateAccount, signIn (timing-safe),
  requestPasswordReset, resetPassword. Auth failures throw the new
  UnauthorizedError (401); enumeration-safe behaviour everywhere.

Routes:

- POST /api/portal/auth/sign-in — sets the existing portal JWT cookie.
- POST /api/portal/auth/forgot-password — always 200.
- POST /api/portal/auth/reset-password — token + new password.
- POST /api/portal/auth/activate — token + initial password.
- POST /api/v1/clients/:id/portal-user — admin invite (and `?action=resend`).
- Removed: /api/portal/auth/request, /api/portal/auth/verify (magic link).

UI:

- /portal/login — replaced email-only magic-link form with email +
  password + "forgot password" link.
- /portal/forgot-password, /portal/reset-password, /portal/activate — new.
- New shared `PasswordSetForm` component used by activate + reset.
- New `PortalInviteButton` rendered on the client detail header.

Email send:

- `createTransporter` now wires SMTP auth when SMTP_USER+SMTP_PASS are
  set (gmail app-password or marina-server creds, configured via env).
- `SMTP_FROM` env var lets the sender address be overridden without
  pinning it to `noreply@${SMTP_HOST}`.

Tests:

- Smoke spec 17 (client-portal) updated to the new flow: 7/7 green.
- Smoke specs 02-crud-spine, 05-invoices, 20-critical-path updated to
  match the post-refactor client + invoice forms (drop companyName,
  use OwnerPicker + billingEmail).
- Vitest 652/652 still green; type-check clean.

Drops the dead `requestMagicLink` from portal.service.ts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 15:34:02 +02:00

125 lines
4.8 KiB
TypeScript
Raw Blame History

import { test, expect } from '@playwright/test';
import { login, navigateTo, apiHeaders, PORT_SLUG } from './helpers';
test.describe('Invoicing', () => {
test.beforeEach(async ({ page }) => {
await login(page, 'super_admin');
});
test('navigate to invoices page', async ({ page }) => {
await navigateTo(page, '/invoices');
await page.waitForLoadState('networkidle');
const heading = page.getByText(/invoices/i).first();
await expect(heading).toBeVisible({ timeout: 10_000 });
});
test('create a new invoice with 3 line items', async ({ page }) => {
// Seed a client via API to pick in the billing-entity picker.
const clientName = `Invoice Test Client ${Date.now()}`;
const createRes = await page.request.post('/api/v1/clients', {
headers: await apiHeaders(page),
data: {
fullName: clientName,
contacts: [{ channel: 'email', value: 'billing@test.com', isPrimary: true }],
},
});
expect(createRes.ok(), `client create returned ${createRes.status()}`).toBe(true);
await navigateTo(page, '/invoices');
await page.waitForLoadState('networkidle');
const newBtn = page
.getByRole('link', { name: /new invoice/i })
.first()
.or(page.getByRole('button', { name: /new invoice/i }).first());
await newBtn.first().click();
await page.waitForURL(`**/${PORT_SLUG}/invoices/new**`, { timeout: 10_000 });
// Step 1: pick the client in the OwnerPicker. The trigger renders as a
// button with role="combobox" and the placeholder "Select owner..." while
// empty.
const ownerTrigger = page.locator('button[role="combobox"]:has-text("Select owner")').first();
await expect(ownerTrigger).toBeVisible({ timeout: 5_000 });
await ownerTrigger.click();
const searchInput = page.getByPlaceholder(/search clients/i);
await expect(searchInput).toBeVisible({ timeout: 5_000 });
await searchInput.fill(clientName);
await page.waitForTimeout(500); // let the debounced query fire
await page.getByRole('option', { name: clientName }).first().click();
await page.fill('#billingEmail', 'billing@test.com');
const dueDate = new Date();
dueDate.setDate(dueDate.getDate() + 30);
await page.fill('#dueDate', dueDate.toISOString().split('T')[0]!);
await page.getByRole('button', { name: /next/i }).click();
await page.waitForTimeout(1000);
for (let i = 0; i < 3; i++) {
await page.getByRole('button', { name: /add line item/i }).click();
await page.waitForTimeout(300);
}
await page.locator('input[name="lineItems.0.description"]').fill('Berth Rental - Annual');
await page.locator('input[name="lineItems.0.quantity"]').fill('1');
await page.locator('input[name="lineItems.0.unitPrice"]').fill('50000');
await page.locator('input[name="lineItems.1.description"]').fill('Utilities Package');
await page.locator('input[name="lineItems.1.quantity"]').fill('12');
await page.locator('input[name="lineItems.1.unitPrice"]').fill('150');
await page.locator('input[name="lineItems.2.description"]').fill('Maintenance Fee');
await page.locator('input[name="lineItems.2.quantity"]').fill('4');
await page.locator('input[name="lineItems.2.unitPrice"]').fill('500');
await expect(page.getByText(/53[,.]?800/).first()).toBeVisible({ timeout: 5_000 });
await page.getByRole('button', { name: /^next$/i }).click();
const createBtn = page.getByRole('button', { name: /create invoice/i });
await expect(createBtn).toBeVisible({ timeout: 10_000 });
await expect(page.getByText(/53[,.]?800/).first()).toBeVisible();
await createBtn.click();
await page.waitForURL(
(url) => url.pathname.includes('/invoices') && !url.pathname.includes('/new'),
{ timeout: 15_000 },
);
});
test('invoice shows as Draft', async ({ page }) => {
await navigateTo(page, '/invoices');
await page.waitForLoadState('networkidle');
await page.waitForTimeout(2000);
await expect(page.getByText(/draft/i).first()).toBeVisible({ timeout: 10_000 });
});
test('invoice detail page loads', async ({ page }) => {
await navigateTo(page, '/invoices');
await page.waitForLoadState('networkidle');
await page.waitForTimeout(2000);
// Click into the first invoice
const invoiceLink = page.locator('table a, table [role="link"]').first();
if (await invoiceLink.isVisible({ timeout: 5_000 }).catch(() => false)) {
await invoiceLink.click();
await page.waitForTimeout(3000);
const url = page.url();
expect(url.includes('/invoices/')).toBeTruthy();
} else {
// Try clicking the first row
const row = page.locator('table tbody tr').first();
if (await row.isVisible({ timeout: 3_000 }).catch(() => false)) {
await row.click();
await page.waitForTimeout(3000);
}
}
});
});
Reference in New Issue View Git Blame Copy Permalink