feat: Security

2026-06-05 18:34:01 +02:00
parent ee293d7daf
commit 45675192a5
134 changed files with 4128 additions and 446 deletions
--- a/e2e/helpers/auth-api.ts
+++ b/e2e/helpers/auth-api.ts
@@ -0,0 +1,75 @@
+import { type APIRequestContext, type Page } from '@playwright/test';
+
+export const AUTH_TOKENS_STORAGE_KEY = 'metoyou.authTokens';
+
+export interface AuthSession {
+  id: string;
+  username: string;
+  displayName: string;
+  token: string;
+  expiresAt: number;
+}
+
+export function authHeaders(token: string): Record<string, string> {
+  return {
+    Authorization: `Bearer ${token}`,
+    'Content-Type': 'application/json'
+  };
+}
+
+export async function registerTestUser(
+  request: APIRequestContext,
+  baseUrl: string,
+  username: string,
+  password: string,
+  displayName?: string
+): Promise<AuthSession> {
+  const response = await request.post(`${baseUrl}/api/users/register`, {
+    data: {
+      username,
+      password,
+      displayName: displayName ?? username
+    }
+  });
+
+  if (!response.ok()) {
+    throw new Error(`Failed to register test user ${username}: ${response.status()} ${await response.text()}`);
+  }
+
+  return await response.json() as AuthSession;
+}
+
+export async function loginTestUser(
+  request: APIRequestContext,
+  baseUrl: string,
+  username: string,
+  password: string
+): Promise<AuthSession> {
+  const response = await request.post(`${baseUrl}/api/users/login`, {
+    data: { username, password }
+  });
+
+  if (!response.ok()) {
+    throw new Error(`Failed to login test user ${username}: ${response.status()} ${await response.text()}`);
+  }
+
+  return await response.json() as AuthSession;
+}
+
+export async function readAuthTokenFromPage(page: Page, serverUrl: string): Promise<string | null> {
+  return await page.evaluate(({ storageKey, url }) => {
+    try {
+      const store = JSON.parse(localStorage.getItem(storageKey) || '{}') as Record<string, { token: string; expiresAt: number }>;
+      const normalizedUrl = url.trim().replace(/\/+$/, '');
+      const entry = store[normalizedUrl];
+
+      if (!entry || entry.expiresAt <= Date.now()) {
+        return null;
+      }
+
+      return entry.token;
+    } catch {
+      return null;
+    }
+  }, { storageKey: AUTH_TOKENS_STORAGE_KEY, url: serverUrl });
+}
--- a/e2e/helpers/start-test-server.js
+++ b/e2e/helpers/start-test-server.js
@@ -7,16 +7,19 @@
 *
 * Cleanup: the temp directory is removed when the process exits.
 */
-const { mkdtempSync, writeFileSync, mkdirSync, rmSync } = require('fs');
+const { existsSync, mkdtempSync, writeFileSync, mkdirSync, rmSync } = require('fs');
 const { join } = require('path');
 const { tmpdir } = require('os');
 const { spawn } = require('child_process');

 const TEST_PORT = process.env.TEST_SERVER_PORT || '3099';
 const SERVER_DIR = join(__dirname, '..', '..', 'server');
-const SERVER_ENTRY = join(SERVER_DIR, 'src', 'index.ts');
+const SERVER_DIST_ENTRY = join(SERVER_DIR, 'dist', 'index.js');
+const SERVER_SRC_ENTRY = join(SERVER_DIR, 'src', 'index.ts');
 const SERVER_TSCONFIG = join(SERVER_DIR, 'tsconfig.json');
 const TS_NODE_BIN = join(SERVER_DIR, 'node_modules', 'ts-node', 'dist', 'bin.js');
+const SERVER_ENTRY = existsSync(SERVER_DIST_ENTRY) ? SERVER_DIST_ENTRY : SERVER_SRC_ENTRY;
+const USE_COMPILED_SERVER = SERVER_ENTRY === SERVER_DIST_ENTRY;

 // ── Create isolated temp data directory ──────────────────────────────
 const tmpDir = mkdtempSync(join(tmpdir(), 'metoyou-e2e-'));
@@ -45,7 +48,7 @@ console.log(`[E2E Server] Starting on port ${TEST_PORT}...`);
 // and node_modules are found from the real server/ directory.
 const child = spawn(
  process.execPath,
-  [TS_NODE_BIN, '--project', SERVER_TSCONFIG, SERVER_ENTRY],
+  USE_COMPILED_SERVER ? [SERVER_ENTRY] : [TS_NODE_BIN, '--project', SERVER_TSCONFIG, SERVER_ENTRY],
  {
    cwd: tmpDir,
    env: {