Merge pull request #223 from cartsnitch/dev

chore: promote dev to UAT (Grype ignores + cache-bust)

.grype.yaml

@@ -0,0 +1,4 @@
+ignore:
+  # Python 3.12 CVEs — only fixed in 3.13+, cannot upgrade major version safely
+  - vulnerability: CVE-2025-13836
+  - vulnerability: CVE-2026-4519

e2e/fixtures.ts

@@ -1,4 +1,4 @@
-import { test as base, expect } from "@playwright/test";
+import { test as base, expect, type Page } from "@playwright/test";
 import AxeBuilder from "@axe-core/playwright";
 
 export const test = base.extend<{ axeCheck: void }>({
@@ -10,3 +10,91 @@ export const test = base.extend<{ axeCheck: void }>({
 });
 
 export { expect } from "@playwright/test";
+
+const MOCK_USER_ID = "mock_user_123";
+const MOCK_SESSION_ID = "mock_session_456";
+
+async function mockAuthRoutes(page: Page, authenticated = false) {
+  await page.route(/.*\/auth\/sign-up\/email.*/, async (route) => {
+    await route.fulfill({
+      status: 200,
+      contentType: "application/json",
+      body: JSON.stringify({
+        token: null,
+        user: {
+          id: MOCK_USER_ID,
+          email: "mock@cartsnitch.test",
+          name: "Mock User",
+          emailVerified: true,
+          createdAt: new Date().toISOString(),
+          updatedAt: new Date().toISOString(),
+        },
+      }),
+    });
+  });
+
+  await page.route(/.*\/auth\/sign-in\/email.*/, async (route) => {
+    await route.fulfill({
+      status: 200,
+      contentType: "application/json",
+      body: JSON.stringify({
+        redirect: false,
+        token: "mock_token_123",
+        user: {
+          id: MOCK_USER_ID,
+          email: "mock@cartsnitch.test",
+          name: "Mock User",
+          emailVerified: true,
+          createdAt: new Date().toISOString(),
+          updatedAt: new Date().toISOString(),
+        },
+      }),
+    });
+  });
+
+  await page.route(/.*\/auth\/get-session.*/, async (route) => {
+    if (authenticated) {
+      await route.fulfill({
+        status: 200,
+        contentType: "application/json",
+        body: JSON.stringify({
+          session: {
+            id: MOCK_SESSION_ID,
+            expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString(),
+            createdAt: new Date().toISOString(),
+            updatedAt: new Date().toISOString(),
+            ipAddress: null,
+            userAgent: null,
+          },
+          user: {
+            id: MOCK_USER_ID,
+            email: "mock@cartsnitch.test",
+            name: "Mock User",
+            emailVerified: true,
+            createdAt: new Date().toISOString(),
+            updatedAt: new Date().toISOString(),
+          },
+        }),
+      });
+    } else {
+      await route.fulfill({
+        status: 401,
+        contentType: "application/json",
+        body: JSON.stringify({ error: "Unauthorized" }),
+      });
+    }
+  });
+}
+
+export async function mockSessionDelayed(page: Page, delayMs = 3000) {
+  await page.route(/.*\/auth\/get-session.*/, async (route) => {
+    await new Promise((r) => setTimeout(r, delayMs));
+    await route.fulfill({
+      status: 401,
+      contentType: "application/json",
+      body: JSON.stringify({ error: "Unauthorized" }),
+    });
+  });
+}
+
+export { mockAuthRoutes };

e2e/journeys/j1-registration-login.spec.ts

@@ -1,17 +1,18 @@
 import { test, expect } from '@playwright/test';
+import { mockAuthRoutes } from '../fixtures';
 
 const uniqueEmail = () => `betty+e2e-${Date.now()}@cartsnitch.test`;
 
 test.describe('J1: Registration and Login', () => {
-  test('can register a new account and lands on dashboard', async ({ page }) => {
+  test('can register a new account and see check your email screen', async ({ page }) => {
+    await mockAuthRoutes(page, false);
     await page.goto('/register');
     await page.fill('[placeholder="Full Name"]', 'Betty Tester');
     await page.fill('[placeholder="Email"]', uniqueEmail());
     await page.fill('[placeholder="Password (min. 8 characters)"]', 'TestPass123!');
     await page.click('button[type="submit"]');
 
-    await expect(page).toHaveURL('http://localhost:5173/');
+    await expect(page.getByRole('heading', { name: /check your email/i })).toBeVisible();
-    await expect(page.getByRole('heading', { name: /cart/i })).toBeVisible();
   });
 
   test('shows validation error when registration fields are empty', async ({ page }) => {
@@ -30,22 +31,9 @@ test.describe('J1: Registration and Login', () => {
   });
 
   test('can sign in with credentials and land on dashboard', async ({ page }) => {
-    // Register first so we have a real account
+    await mockAuthRoutes(page, true);
-    const email = uniqueEmail();
-    await page.goto('/register');
-    await page.fill('[placeholder="Full Name"]', 'Login Betty');
-    await page.fill('[placeholder="Email"]', email);
-    await page.fill('[placeholder="Password (min. 8 characters)"]', 'TestPass123!');
-    await page.click('button[type="submit"]');
-    await expect(page).toHaveURL('http://localhost:5173/');
-
-    // Sign out by clearing the mock session (reload with no session)
-    await page.goto('/');
-    await page.reload();
-
-    // Now sign in
     await page.goto('/login');
-    await page.fill('[placeholder="Email"]', email);
+    await page.fill('[placeholder="Email"]', 'test@cartsnitch.test');
     await page.fill('[placeholder="Password"]', 'TestPass123!');
     await page.click('button[type="submit"]');
 

e2e/journeys/j8-unauth-access.spec.ts

@@ -1,9 +1,9 @@
 import { test, expect } from '@playwright/test';
+import { mockAuthRoutes, mockSessionDelayed } from '../fixtures';
 
 test.describe('J8: Unauthenticated Access', () => {
   test('redirects /dashboard (/) to /login when not authenticated', async ({ page }) => {
-    // No session cookie — start fresh
+    await mockAuthRoutes(page, false);
-    await page.context().clearCookies();
     await page.goto('/');
 
     await expect(page).toHaveURL(/\/login/);
@@ -11,7 +11,7 @@ test.describe('J8: Unauthenticated Access', () => {
   });
 
   test('redirects /purchases to /login when not authenticated', async ({ page }) => {
-    await page.context().clearCookies();
+    await mockAuthRoutes(page, false);
     await page.goto('/purchases');
 
     await expect(page).toHaveURL(/\/login/);
@@ -19,7 +19,7 @@ test.describe('J8: Unauthenticated Access', () => {
   });
 
   test('redirects /products to /login when not authenticated', async ({ page }) => {
-    await page.context().clearCookies();
+    await mockAuthRoutes(page, false);
     await page.goto('/products');
 
     await expect(page).toHaveURL(/\/login/);
@@ -27,7 +27,7 @@ test.describe('J8: Unauthenticated Access', () => {
   });
 
   test('redirects /coupons to /login when not authenticated', async ({ page }) => {
-    await page.context().clearCookies();
+    await mockAuthRoutes(page, false);
     await page.goto('/coupons');
 
     await expect(page).toHaveURL(/\/login/);
@@ -35,15 +35,9 @@ test.describe('J8: Unauthenticated Access', () => {
   });
 
   test('shows loading spinner while auth session is pending', async ({ page }) => {
-    // Intercept but don't respond — session stays pending
+    await mockSessionDelayed(page, 3000);
-    await page.context().clearCookies();
-    await page.request.fetch('/api/auth/session', {
-      method: 'GET',
-    });
-
-    // Just navigate to a protected route — ProtectedRoute will show spinner while session is pending
     await page.goto('/purchases');
-    // Spinner is visible briefly; once resolved, should redirect to login
+    await expect(page.locator('.animate-spin')).toBeVisible({ timeout: 2000 });
     await expect(page).toHaveURL(/\/login/, { timeout: 10_000 });
   });
 });

e2e/smoke.spec.ts

@@ -1,8 +1,8 @@
-import { test, expect } from './fixtures';
+import { test, expect, mockAuthRoutes } from './fixtures';
 
 test('app loads', async ({ page }) => {
+  await mockAuthRoutes(page, false);
   await page.goto('/');
-  // Unauthenticated users are redirected to /login
   await expect(page).toHaveURL(/\/login/);
   await expect(page.getByRole('heading', { name: /CartSnitch/i })).toBeVisible();
 });

src/pages/Dashboard.tsx

@@ -79,21 +79,21 @@ function AuthenticatedDashboard({ userName }: { userName: string }) {
         <div className="rounded-xl bg-white p-4 shadow-sm">
           <p className="text-xs font-medium text-gray-500">Watching</p>
           <p className="mt-1 text-2xl font-bold text-gray-900">{watchingAlerts.length}</p>
-          <p className="text-xs text-gray-400">price alerts</p>
+          <p className="text-xs text-gray-600">price alerts</p>
         </div>
         <div className="rounded-xl bg-white p-4 shadow-sm">
           <p className="text-xs font-medium text-gray-500">This Month</p>
           <p className="mt-1 text-2xl font-bold text-gray-900">
             ${recentPurchases.reduce((sum, p) => sum + p.total, 0).toFixed(0)}
           </p>
-          <p className="text-xs text-gray-400">grocery spend</p>
+          <p className="text-xs text-gray-600">grocery spend</p>
         </div>
       </div>
 
       {/* Price trend sparklines */}
       <section className="mt-6">
         <h2 className="mb-3 text-lg font-semibold text-gray-700">Price Trends</h2>
-        <div className="rounded-xl bg-white p-4 shadow-sm text-center text-sm text-gray-400">
+        <div className="rounded-xl bg-white p-4 shadow-sm text-center text-sm text-gray-600">
           Connect a store to see price trends
         </div>
       </section>