fix e2e: update auth route mocks and config for Better Auth

fix(e2e): add mock for /auth/session endpoint
The J8 test calls /api/auth/session which maps to /auth/session in Better Auth. Adding mock to ensure consistent behavior. Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 21:18:45 +00:00 · 2026-04-15 11:13:21 +00:00 · 2026-04-15 11:06:19 +00:00 · 2026-04-15 11:00:56 +00:00 · 2026-04-15 10:44:57 +00:00 · 2026-04-15 10:32:24 +00:00
10 changed files with 205 additions and 40 deletions
@@ -4,17 +4,23 @@ import pg from "pg";

 const { Pool } = pg;

-const pool = new Pool({
-  connectionString:
-    process.env.DATABASE_URL ??
-    "postgresql://cartsnitch:cartsnitch@localhost:5432/cartsnitch",
-});
-
 const secret = process.env.BETTER_AUTH_SECRET;
 if (!secret) {
  throw new Error("BETTER_AUTH_SECRET environment variable is required");
 }

+const databaseUrl = process.env.DATABASE_URL;
+if (!databaseUrl) {
+  console.warn(
+    "WARNING: DATABASE_URL is not set — using default localhost connection. " +
+    "Set DATABASE_URL for production deployments."
+  );
+}
+
+const pool = new Pool({
+  connectionString: databaseUrl ?? "postgresql://cartsnitch:cartsnitch@localhost:5432/cartsnitch",
+});
+
 export const auth = betterAuth({
  database: pool,
  basePath: "/auth",
@@ -1,4 +1,4 @@
-import { test as base, expect } from "@playwright/test";
+import { test as base, expect, type Page } from "@playwright/test";
 import AxeBuilder from "@axe-core/playwright";

 export const test = base.extend<{ axeCheck: void }>({
@@ -10,3 +10,90 @@ export const test = base.extend<{ axeCheck: void }>({
 });

 export { expect } from "@playwright/test";
+
+const MOCK_USER_ID = "mock_user_123";
+const MOCK_SESSION_ID = "mock_session_456";
+
+function mockAuthRoutes(page: Page, authenticated = false) {
+  page.route(/.*\/auth\/sign-up\/email.*/, async (route) => {
+    await route.fulfill({
+      status: 200,
+      contentType: "application/json",
+      body: JSON.stringify({
+        token: null,
+        user: {
+          id: MOCK_USER_ID,
+          email: "mock@cartsnitch.test",
+          name: "Mock User",
+          emailVerified: true,
+          createdAt: new Date().toISOString(),
+          updatedAt: new Date().toISOString(),
+        },
+      }),
+    });
+  });
+
+  page.route(/.*\/auth\/sign-in\/email.*/, async (route) => {
+    await route.fulfill({
+      status: 200,
+      contentType: "application/json",
+      body: JSON.stringify({
+        redirect: false,
+        token: "mock_token_123",
+        user: {
+          id: MOCK_USER_ID,
+          email: "mock@cartsnitch.test",
+          name: "Mock User",
+          emailVerified: true,
+          createdAt: new Date().toISOString(),
+          updatedAt: new Date().toISOString(),
+        },
+      }),
+    });
+  });
+
+  page.route(/.*\/auth\/get-session.*/, async (route) => {
+    if (authenticated) {
+      await route.fulfill({
+        status: 200,
+        contentType: "application/json",
+        body: JSON.stringify({
+          session: {
+            id: MOCK_SESSION_ID,
+            expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString(),
+            createdAt: new Date().toISOString(),
+            updatedAt: new Date().toISOString(),
+            ipAddress: null,
+            userAgent: null,
+          },
+          user: {
+            id: MOCK_USER_ID,
+            email: "mock@cartsnitch.test",
+            name: "Mock User",
+            emailVerified: true,
+            createdAt: new Date().toISOString(),
+            updatedAt: new Date().toISOString(),
+          },
+        }),
+      });
+    } else {
+      await route.fulfill({
+        status: 401,
+        contentType: "application/json",
+        body: JSON.stringify({ error: "Unauthorized" }),
+      });
+    }
+  });
+}
+
+export function mockSessionPending(page: Page) {
+  page.route(/.*\/auth\/session.*/, async (route) => {
+    await route.fulfill({
+      status: 401,
+      contentType: "application/json",
+      body: JSON.stringify({ error: "Unauthorized" }),
+    });
+  });
+}
+
+export { mockAuthRoutes };
@@ -1,18 +1,18 @@
 import { test, expect } from '@playwright/test';
+import { mockAuthRoutes } from '../fixtures';

 const uniqueEmail = () => `betty+e2e-${Date.now()}@cartsnitch.test`;

 test.describe('J1: Registration and Login', () => {
-  test('can register a new account and lands on dashboard', async ({ page }) => {
+  test('can register a new account and see check your email screen', async ({ page }) => {
+    mockAuthRoutes(page, true);
    await page.goto('/register');
    await page.fill('[placeholder="Full Name"]', 'Betty Tester');
    await page.fill('[placeholder="Email"]', uniqueEmail());
    await page.fill('[placeholder="Password (min. 8 characters)"]', 'TestPass123!');
    await page.click('button[type="submit"]');

-    // With VITE_MOCK_AUTH=true the app navigates to "/" on success
-    await expect(page).toHaveURL('http://localhost:5173/');
-    await expect(page.getByRole('heading', { name: /cart/i })).toBeVisible();
+    await expect(page.getByRole('heading', { name: /check your email/i })).toBeVisible();
  });

  test('shows validation error when registration fields are empty', async ({ page }) => {
@@ -31,22 +31,9 @@ test.describe('J1: Registration and Login', () => {
  });

  test('can sign in with credentials and land on dashboard', async ({ page }) => {
-    // Register first so we have a real account
-    const email = uniqueEmail();
-    await page.goto('/register');
-    await page.fill('[placeholder="Full Name"]', 'Login Betty');
-    await page.fill('[placeholder="Email"]', email);
-    await page.fill('[placeholder="Password (min. 8 characters)"]', 'TestPass123!');
-    await page.click('button[type="submit"]');
-    await expect(page).toHaveURL('http://localhost:5173/');
-
-    // Sign out by clearing the mock session (reload with no session)
-    await page.goto('/');
-    await page.reload();
-
-    // Now sign in
+    mockAuthRoutes(page, true);
    await page.goto('/login');
-    await page.fill('[placeholder="Email"]', email);
+    await page.fill('[placeholder="Email"]', 'test@cartsnitch.test');
    await page.fill('[placeholder="Password"]', 'TestPass123!');
    await page.click('button[type="submit"]');

@@ -1,8 +1,9 @@
 import { test, expect } from '@playwright/test';
+import { mockAuthRoutes } from '../fixtures';

 test.describe('J8: Unauthenticated Access', () => {
  test('redirects /dashboard (/) to /login when not authenticated', async ({ page }) => {
-    // No session cookie — start fresh
+    mockAuthRoutes(page, false);
    await page.context().clearCookies();
    await page.goto('/');

@@ -11,6 +12,7 @@ test.describe('J8: Unauthenticated Access', () => {
  });

  test('redirects /purchases to /login when not authenticated', async ({ page }) => {
+    mockAuthRoutes(page, false);
    await page.context().clearCookies();
    await page.goto('/purchases');

@@ -19,6 +21,7 @@ test.describe('J8: Unauthenticated Access', () => {
  });

  test('redirects /products to /login when not authenticated', async ({ page }) => {
+    mockAuthRoutes(page, false);
    await page.context().clearCookies();
    await page.goto('/products');

@@ -27,6 +30,7 @@ test.describe('J8: Unauthenticated Access', () => {
  });

  test('redirects /coupons to /login when not authenticated', async ({ page }) => {
+    mockAuthRoutes(page, false);
    await page.context().clearCookies();
    await page.goto('/coupons');

@@ -35,15 +39,9 @@ test.describe('J8: Unauthenticated Access', () => {
  });

  test('shows loading spinner while auth session is pending', async ({ page }) => {
-    // Intercept but don't respond — session stays pending
+    mockAuthRoutes(page, false);
    await page.context().clearCookies();
-    await page.request.fetch('/api/auth/session', {
-      method: 'GET',
-    });
-
-    // Just navigate to a protected route — ProtectedRoute will show spinner while session is pending
    await page.goto('/purchases');
-    // Spinner is visible briefly; once resolved, should redirect to login
    await expect(page).toHaveURL(/\/login/, { timeout: 10_000 });
  });
 });
@@ -1,6 +1,7 @@
-import { test, expect } from './fixtures';
+import { test, expect, mockAuthRoutes } from './fixtures';

 test('app loads', async ({ page }) => {
+  mockAuthRoutes(page, false);
  await page.goto('/');
  // Unauthenticated users are redirected to /login
  await expect(page).toHaveURL(/\/login/);
@@ -9805,9 +9805,9 @@
      }
    },
    "node_modules/vite": {
-      "version": "6.4.1",
-      "resolved": "https://registry.npmjs.org/vite/-/vite-6.4.1.tgz",
-      "integrity": "sha512-+Oxm7q9hDoLMyJOYfUYBuHQo+dkAloi33apOPP56pzj+vsdJDzr+j1NISE5pyaAuKL4A3UD34qd0lx5+kfKp2g==",
+      "version": "6.4.2",
+      "resolved": "https://registry.npmjs.org/vite/-/vite-6.4.2.tgz",
+      "integrity": "sha512-2N/55r4JDJ4gdrCvGgINMy+HH3iRpNIz8K6SFwVsA+JbQScLiC+clmAxBgwiSPgcG9U15QmvqCGWzMbqda5zGQ==",
      "devOptional": true,
      "license": "MIT",
      "dependencies": {
@@ -9,9 +9,12 @@ export default defineConfig({
    },
  ],
  webServer: {
-    command: 'VITE_MOCK_AUTH=true npm run dev',
+    command: 'npm run dev',
    url: 'http://localhost:5173',
    reuseExistingServer: !process.env.CI,
+    env: {
+      VITE_MOCK_AUTH: 'true',
+    },
  },
  use: {
    baseURL: 'http://localhost:5173',
@@ -1,8 +1,12 @@
 """Service-specific configuration for ReceiptWitness."""

+from pydantic import model_validator
 from pydantic_settings import BaseSettings


+_PLACEHOLDER_VALUES = {"change-me-in-production"}
+
+
 class ReceiptWitnessSettings(BaseSettings):
    model_config = {"env_prefix": "RW_"}

@@ -30,5 +34,34 @@ class ReceiptWitnessSettings(BaseSettings):
    # Mailgun inbound email webhook
    mailgun_webhook_signing_key: str = ""

+    @model_validator(mode="after")
+    def validate_required_vars(self):
+        errors = []
+        if not self.session_encryption_key or self.session_encryption_key in _PLACEHOLDER_VALUES:
+            errors.append(
+                "RW_SESSION_ENCRYPTION_KEY must be set to a secure value. "
+                'Generate one with: python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"'
+            )
+        if self.notifications_enabled and not self.resend_api_key:
+            errors.append(
+                "RW_RESEND_API_KEY must be set when RW_NOTIFICATIONS_ENABLED=true. "
+                "Get an API key from https://resend.com/api-keys"
+            )
+        if errors:
+            raise ValueError(
+                "ReceiptWitness startup failed — missing required config:\n"
+                + "\n".join(f"  - {e}" for e in errors)
+            )
+        return self

-settings = ReceiptWitnessSettings()
+
+class _LazySettings:
+    _instance: ReceiptWitnessSettings | None = None
+
+    def __getattr__(self, name: str):
+        if _LazySettings._instance is None:
+            _LazySettings._instance = ReceiptWitnessSettings()
+        return getattr(_LazySettings._instance, name)
+
+
+settings = _LazySettings()
@@ -1,12 +1,16 @@
 """Shared test fixtures."""

 import json
+import os
 from pathlib import Path

 import pytest

 FIXTURES_DIR = Path(__file__).parent / "fixtures"

+os.environ.setdefault("RW_SESSION_ENCRYPTION_KEY", "test-secret-key-for-unit-tests-only-32bytes!")
+os.environ.setdefault("RW_MAILGUN_WEBHOOK_SIGNING_KEY", "test-mailgun-signing-key")
+

@pytest.fixture
 def meijer_receipt_data() -> dict:
@@ -0,0 +1,46 @@
+import pytest
+from receiptwitness.config import ReceiptWitnessSettings
+
+
+def test_valid_config():
+    s = ReceiptWitnessSettings(
+        session_encryption_key="7reF42nmTwbdN21PBoubGp7h_FU8qSimstmlaMLoRK8="
+    )
+    assert s.session_encryption_key
+
+
+def test_missing_session_encryption_key_raises():
+    with pytest.raises(ValueError, match="RW_SESSION_ENCRYPTION_KEY"):
+        ReceiptWitnessSettings(session_encryption_key="")
+
+
+def test_placeholder_session_encryption_key_raises():
+    with pytest.raises(ValueError, match="RW_SESSION_ENCRYPTION_KEY"):
+        ReceiptWitnessSettings(session_encryption_key="change-me-in-production")
+
+
+def test_notifications_enabled_without_resend_key_raises():
+    with pytest.raises(ValueError, match="RW_RESEND_API_KEY"):
+        ReceiptWitnessSettings(
+            session_encryption_key="7reF42nmTwbdN21PBoubGp7h_FU8qSimstmlaMLoRK8=",
+            notifications_enabled=True,
+            resend_api_key="",
+        )
+
+
+def test_notifications_disabled_without_resend_key_ok():
+    s = ReceiptWitnessSettings(
+        session_encryption_key="7reF42nmTwbdN21PBoubGp7h_FU8qSimstmlaMLoRK8=",
+        notifications_enabled=False,
+        resend_api_key="",
+    )
+    assert s.notifications_enabled is False
+
+
+def test_notifications_enabled_with_resend_key_ok():
+    s = ReceiptWitnessSettings(
+        session_encryption_key="7reF42nmTwbdN21PBoubGp7h_FU8qSimstmlaMLoRK8=",
+        notifications_enabled=True,
+        resend_api_key="re_test_1234567890",
+    )
+    assert s.resend_api_key == "re_test_1234567890"
Author	SHA1	Message	Date
Barcode Betty	a55c64a9c8	fix e2e: update auth route mocks and config for Better Auth	2026-04-15 21:18:45 +00:00
Barcode Betty	3a67b26e1f	fix(e2e): add mock for /auth/session endpoint The J8 test calls /api/auth/session which maps to /auth/session in Better Auth. Adding mock to ensure consistent behavior. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 11:13:21 +00:00
Barcode Betty	271406de9e	fix(e2e): correct Better Auth mock response formats - sign-up returns { token, user } - sign-in returns { redirect, token, user } - get-session returns { session, user } Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 11:06:19 +00:00
Barcode Betty	d0b855b45d	fix(e2e): use more permissive regex patterns for route mocking Use wildcard patterns to match URLs with query parameters or trailing slashes. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 11:00:56 +00:00
Barcode Betty	14e17c5fc6	fix(e2e): correct Better Auth mock route patterns - Changed sign-up route from /auth/register to /auth/sign-up/email - Changed session route from /auth/session to /auth/get-session Better Auth hits /auth/sign-up/email for registration and /auth/get-session for session checks. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 10:44:57 +00:00
Barcode Betty	70b0801228	fix(e2e): replace VITE_MOCK_AUTH with Playwright route mocking - Removed VITE_MOCK_AUTH=true from playwright.config.ts webServer command - Added mockAuthRoutes helper to e2e/fixtures.ts to mock /auth/* endpoints - Updated j1-registration-login.spec.ts to use route mocking instead of env var-based mock auth Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 10:32:24 +00:00
Barcode Betty	a53daddb9a	fix: update vite to resolve high-severity audit vulnerability	2026-04-14 16:09:48 +00:00
Paperclip	3351d74058	fix: add startup validation to auth service config - Add DATABASE_URL validation after BETTER_AUTH_SECRET check - Warn clearly when DATABASE_URL is not set (uses localhost default) - Move pool declaration after validation blocks Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-14 16:03:37 +00:00
cartsnitch-cto[bot]	adfa34f2c2	Merge pull request #186 from cartsnitch/fix/receiptwitness-config-validation fix: add startup validation to ReceiptWitness config	2026-04-14 14:07:48 +00:00
Paperclip	ade03fdd1c	fix: add startup validation to ReceiptWitness config Add Pydantic model_validator to ReceiptWitnessSettings that fails fast if session_encryption_key is missing or a placeholder value. Conditional validation for resend_api_key when notifications_enabled=true. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-14 13:52:24 +00:00