Files
route-commerce/tests/login/login-flow.spec.ts
T
tyler 7cd0603cfb feat: remove dev_session, add Drizzle schema + RLS + real auth
BREAKING: dev_session cookie bypass removed. Admin access now requires
a real Auth.js v5 session (Google OAuth in production). Provision users
by inserting into users + tenant_users tables.

New in this commit:
- db/migrations/0001_init.sql: 18-table SaaS schema with RLS (tenants,
  users, tenant_users, plans, add_ons, subscriptions, tenant_add_ons,
  products, product_images, stops, customers, orders, order_items,
  brand_settings, email_templates, campaigns, files, audit_log)
- db/schema/: Drizzle TypeScript mirror of every table
- db/client.ts: withTenant() / withPlatformAdmin() query wrappers that
  set Postgres GUCs (app.current_tenant_id, app.platform_admin) for
  RLS enforcement. Never query a tenant-scoped table without one.
- db/seed.ts: seeds 3 plans, 6 add-ons, 2 tenants (Tuxedo, Indian River
  Direct), brand_settings, sample products/stops/customers
- scripts/migrate.js: applies migrations in lexical order with tracking
- scripts/db-reset.js: drops + recreates DB, runs migrate + seed
- DATABASE_URL now uses rc_app (non-superuser, NOBYPASSRLS). RLS is
  enforced even for the app user. DATABASE_ADMIN_URL for migrations.
- src/lib/admin-permissions.ts: getAdminUser() reads Auth.js session,
  looks up user + tenant in Postgres. brand_id kept as alias for
  backward compat.
- src/middleware.ts: Auth.js-only route protection, dev_session gone
- src/app/login/LoginClient.tsx: Google OAuth only, no demo mode
- src/components/admin/AdminSidebar.tsx + AdminHeader.tsx: signOutAction
  replaces supabase signout
- @/db/* path aliases in tsconfig.json + vitest.config.ts
- drizzle.config.ts added
- db/auth_schema.sql removed (was a stub; replaced by real schema)
- src/app/api/dev-login/route.ts deleted
- tests: updated to remove dev_session coverage
2026-06-07 01:23:44 +00:00

37 lines
1.8 KiB
TypeScript

import { test, expect } from "@playwright/test";
const BASE = process.env.PLAYWRIGHT_URL ?? "http://localhost:3000";
// ─────────────────────────────────────────────────────────────────────
// Login page — Google OAuth is the only login path
// ─────────────────────────────────────────────────────────────────────
test.describe("Login page", () => {
test("renders the Google sign-in button", async ({ page }) => {
await page.goto(`${BASE}/login`);
await expect(page.getByRole("button", { name: /continue with google/i })).toBeVisible();
});
test("shows a friendly 'not configured' message when Google OAuth env is missing", async ({ page }) => {
// The page either shows the Google button (when AUTH_GOOGLE_ID/SECRET
// are set) or a setup message (when they aren't). We accept both as
// correct renderings.
await page.goto(`${BASE}/login`);
const hasGoogle = await page
.getByRole("button", { name: /continue with google/i })
.isVisible()
.catch(() => false);
const hasSetup = await page
.getByText(/Google sign-in is not configured/i)
.isVisible()
.catch(() => false);
expect(hasGoogle || hasSetup).toBe(true);
});
test("/admin redirects to /login when not authenticated", async ({ page }) => {
const res = await page.goto(`${BASE}/admin`, { waitUntil: "domcontentloaded" });
// After redirect, the URL should be /login (with ?redirect=/admin).
expect(page.url()).toMatch(/\/login(\?|$)/);
expect(res?.status()).toBeLessThan(500);
});
});