letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
a32f41b91d1eb49e9a5c7a25290cbbfda21dfd38
pn-new-crm/tests/e2e/smoke/helpers.ts
Matt Ciaccio 475b051e29
All checks were successful
Build & Push Docker Images / lint (pull_request) Successful in 1m0s
Details
Build & Push Docker Images / build-and-push (pull_request) Has been skipped
Details
feat(portal): replace magic-link with email/password + admin-initiated activation 
The client portal no longer uses passwordless / magic-link sign-in. Each
client now has a `portal_users` row with a scrypt-hashed password,
created by an admin from the client detail page; the admin's invite
mails an activation link that the client uses to set their own password.
Forgot-password is wired through the same token mechanism.

Schema (migration `0009_outgoing_rumiko_fujikawa.sql`):

- `portal_users` — one per client account, separate from the CRM
  `users` table (better-auth) so the auth realms stay isolated. Email
  is globally unique, password is null until activation.
- `portal_auth_tokens` — single-use activation / reset tokens. Stores
  only the SHA-256 hash so a DB compromise never leaks live tokens.

Services:

- `src/lib/portal/passwords.ts` — scrypt hash/verify (no new deps;
  uses node:crypto), token mint+hash helpers.
- `src/lib/services/portal-auth.service.ts` — createPortalUser,
  resendActivation, activateAccount, signIn (timing-safe),
  requestPasswordReset, resetPassword. Auth failures throw the new
  UnauthorizedError (401); enumeration-safe behaviour everywhere.

Routes:

- POST /api/portal/auth/sign-in — sets the existing portal JWT cookie.
- POST /api/portal/auth/forgot-password — always 200.
- POST /api/portal/auth/reset-password — token + new password.
- POST /api/portal/auth/activate — token + initial password.
- POST /api/v1/clients/:id/portal-user — admin invite (and `?action=resend`).
- Removed: /api/portal/auth/request, /api/portal/auth/verify (magic link).

UI:

- /portal/login — replaced email-only magic-link form with email +
  password + "forgot password" link.
- /portal/forgot-password, /portal/reset-password, /portal/activate — new.
- New shared `PasswordSetForm` component used by activate + reset.
- New `PortalInviteButton` rendered on the client detail header.

Email send:

- `createTransporter` now wires SMTP auth when SMTP_USER+SMTP_PASS are
  set (gmail app-password or marina-server creds, configured via env).
- `SMTP_FROM` env var lets the sender address be overridden without
  pinning it to `noreply@${SMTP_HOST}`.

Tests:

- Smoke spec 17 (client-portal) updated to the new flow: 7/7 green.
- Smoke specs 02-crud-spine, 05-invoices, 20-critical-path updated to
  match the post-refactor client + invoice forms (drop companyName,
  use OwnerPicker + billingEmail).
- Vitest 652/652 still green; type-check clean.

Drops the dead `requestMagicLink` from portal.service.ts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 15:34:02 +02:00

127 lines
3.8 KiB
TypeScript
Raw Blame History

import { type Page, expect } from '@playwright/test';
export const PORT_SLUG = 'port-nimara';
export const USERS = {
super_admin: {
email: 'admin@portnimara.test',
password: 'SuperAdmin12345!',
},
sales_agent: {
email: 'agent@portnimara.test',
password: 'SalesAgent12345!',
},
viewer: {
email: 'viewer@portnimara.test',
password: 'ViewerUser12345!',
},
};
/**
* Log in as a specific user via the UI login page.
* Waits for the dashboard to load after successful login.
*/
export async function login(page: Page, role: keyof typeof USERS = 'super_admin') {
const user = USERS[role];
await page.goto('/login');
await page.waitForSelector('#email', { state: 'visible' });
await page.fill('#email', user.email);
await page.fill('#password', user.password);
await page.click('button[type="submit"]');
// Wait for redirect away from /login
await page.waitForURL((url) => !url.pathname.includes('/login'), {
timeout: 15_000,
});
}
/**
* Log out via the topbar user menu.
* Falls back to navigating to /login if the logout button isn't found.
*/
export async function logout(page: Page) {
// Try clicking a logout button/link if visible
const logoutBtn = page.getByRole('button', { name: /log\s?out|sign\s?out/i });
if (await logoutBtn.isVisible({ timeout: 2000 }).catch(() => false)) {
await logoutBtn.click();
await page.waitForURL('**/login**', { timeout: 10_000 });
return;
}
// Fallback: clear cookies and navigate to login
await page.context().clearCookies();
await page.goto('/login');
await page.waitForSelector('#email', { state: 'visible' });
}
/**
* Navigate to a page within the current port context.
*/
export async function navigateTo(page: Page, path: string) {
const url = `/${PORT_SLUG}${path.startsWith('/') ? path : `/${path}`}`;
await page.goto(url);
await page.waitForLoadState('networkidle');
}
/**
* Wait for a toast notification and verify its text.
*/
export async function expectToast(page: Page, textPattern: string | RegExp) {
const toast = page.locator('[data-sonner-toast]').last();
await expect(toast).toBeVisible({ timeout: 10_000 });
if (typeof textPattern === 'string') {
await expect(toast).toContainText(textPattern);
} else {
await expect(toast).toHaveText(textPattern);
}
}
/**
* Wait for a sheet (slide-in panel) to be visible.
*/
export async function waitForSheet(page: Page) {
await page.waitForSelector('[role="dialog"]', {
state: 'visible',
timeout: 5_000,
});
}
/**
* Resolve the port-nimara port ID via API.
*
* Used by tests that drive the JSON API directly with `page.request.*`.
* The server-side `withAuth` helper resolves port context from the
* `X-Port-Id` header (or the user's default-port preference), so any
* direct API call outside a port-scoped URL has to set the header. This
* caches the lookup per page so the lookup happens once.
*/
const portIdCache = new WeakMap<Page, string>();
export async function getPortId(page: Page): Promise<string> {
const cached = portIdCache.get(page);
if (cached) return cached;
const res = await page.request.get('/api/v1/admin/ports');
if (!res.ok()) {
throw new Error(`Failed to resolve port id: ${res.status()} ${await res.text()}`);
}
const body = (await res.json()) as { data?: Array<{ id: string; slug: string }> };
const port = body.data?.find((p) => p.slug === PORT_SLUG);
if (!port) {
throw new Error(`Port ${PORT_SLUG} not in admin ports response`);
}
portIdCache.set(page, port.id);
return port.id;
}
/**
* Build headers for direct JSON-API calls inside tests, including the
* `X-Port-Id` that the auth helper requires.
*/
export async function apiHeaders(page: Page): Promise<Record<string, string>> {
return {
'Content-Type': 'application/json',
'X-Port-Id': await getPortId(page),
};
}
Reference in New Issue View Git Blame Copy Permalink