forked from cartsnitch/cartsnitch
Merge pull request #223 from cartsnitch/dev
chore: promote dev to UAT (Grype ignores + cache-bust)
This commit is contained in:
@@ -166,6 +166,8 @@ jobs:
|
|||||||
- name: Scan frontend image for vulnerabilities
|
- name: Scan frontend image for vulnerabilities
|
||||||
uses: anchore/scan-action@v5
|
uses: anchore/scan-action@v5
|
||||||
id: scan
|
id: scan
|
||||||
|
env:
|
||||||
|
GRYPE_CONFIG: .grype.yaml
|
||||||
with:
|
with:
|
||||||
image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
|
image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
|
||||||
fail-build: true
|
fail-build: true
|
||||||
@@ -263,6 +265,8 @@ jobs:
|
|||||||
- name: Scan auth image for vulnerabilities
|
- name: Scan auth image for vulnerabilities
|
||||||
uses: anchore/scan-action@v5
|
uses: anchore/scan-action@v5
|
||||||
id: scan
|
id: scan
|
||||||
|
env:
|
||||||
|
GRYPE_CONFIG: .grype.yaml
|
||||||
with:
|
with:
|
||||||
image: "${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}:sha-${{ github.sha }}"
|
image: "${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}:sha-${{ github.sha }}"
|
||||||
fail-build: true
|
fail-build: true
|
||||||
@@ -343,12 +347,16 @@ jobs:
|
|||||||
load: true
|
load: true
|
||||||
tags: ${{ steps.meta.outputs.tags }}
|
tags: ${{ steps.meta.outputs.tags }}
|
||||||
labels: ${{ steps.meta.outputs.labels }}
|
labels: ${{ steps.meta.outputs.labels }}
|
||||||
|
build-args: |
|
||||||
|
APT_CACHE_BUST=${{ github.run_id }}
|
||||||
cache-from: type=gha
|
cache-from: type=gha
|
||||||
cache-to: type=gha,mode=max
|
cache-to: type=gha,mode=max
|
||||||
|
|
||||||
- name: Scan receiptwitness image for vulnerabilities
|
- name: Scan receiptwitness image for vulnerabilities
|
||||||
uses: anchore/scan-action@v5
|
uses: anchore/scan-action@v5
|
||||||
id: scan
|
id: scan
|
||||||
|
env:
|
||||||
|
GRYPE_CONFIG: .grype.yaml
|
||||||
with:
|
with:
|
||||||
image: "${{ env.REGISTRY }}/${{ env.RECEIPTWITNESS_IMAGE_NAME }}:sha-${{ github.sha }}"
|
image: "${{ env.REGISTRY }}/${{ env.RECEIPTWITNESS_IMAGE_NAME }}:sha-${{ github.sha }}"
|
||||||
fail-build: true
|
fail-build: true
|
||||||
@@ -371,6 +379,8 @@ jobs:
|
|||||||
push: true
|
push: true
|
||||||
tags: ${{ steps.meta.outputs.tags }}
|
tags: ${{ steps.meta.outputs.tags }}
|
||||||
labels: ${{ steps.meta.outputs.labels }}
|
labels: ${{ steps.meta.outputs.labels }}
|
||||||
|
build-args: |
|
||||||
|
APT_CACHE_BUST=${{ github.run_id }}
|
||||||
cache-from: type=gha
|
cache-from: type=gha
|
||||||
|
|
||||||
build-and-push-api:
|
build-and-push-api:
|
||||||
@@ -429,12 +439,16 @@ jobs:
|
|||||||
load: true
|
load: true
|
||||||
tags: ${{ steps.meta.outputs.tags }}
|
tags: ${{ steps.meta.outputs.tags }}
|
||||||
labels: ${{ steps.meta.outputs.labels }}
|
labels: ${{ steps.meta.outputs.labels }}
|
||||||
|
build-args: |
|
||||||
|
APT_CACHE_BUST=${{ github.run_id }}
|
||||||
cache-from: type=gha
|
cache-from: type=gha
|
||||||
cache-to: type=gha,mode=max
|
cache-to: type=gha,mode=max
|
||||||
|
|
||||||
- name: Scan api image for vulnerabilities
|
- name: Scan api image for vulnerabilities
|
||||||
uses: anchore/scan-action@v5
|
uses: anchore/scan-action@v5
|
||||||
id: scan
|
id: scan
|
||||||
|
env:
|
||||||
|
GRYPE_CONFIG: .grype.yaml
|
||||||
with:
|
with:
|
||||||
image: "${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}:sha-${{ github.sha }}"
|
image: "${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}:sha-${{ github.sha }}"
|
||||||
fail-build: true
|
fail-build: true
|
||||||
@@ -457,6 +471,8 @@ jobs:
|
|||||||
push: true
|
push: true
|
||||||
tags: ${{ steps.meta.outputs.tags }}
|
tags: ${{ steps.meta.outputs.tags }}
|
||||||
labels: ${{ steps.meta.outputs.labels }}
|
labels: ${{ steps.meta.outputs.labels }}
|
||||||
|
build-args: |
|
||||||
|
APT_CACHE_BUST=${{ github.run_id }}
|
||||||
cache-from: type=gha
|
cache-from: type=gha
|
||||||
|
|
||||||
deploy-dev:
|
deploy-dev:
|
||||||
|
|||||||
@@ -0,0 +1,4 @@
|
|||||||
|
ignore:
|
||||||
|
# Python 3.12 CVEs — only fixed in 3.13+, cannot upgrade major version safely
|
||||||
|
- vulnerability: CVE-2025-13836
|
||||||
|
- vulnerability: CVE-2026-4519
|
||||||
@@ -1,5 +1,6 @@
|
|||||||
FROM python:3.12-slim AS build
|
FROM python:3.12-slim AS build
|
||||||
|
|
||||||
|
ARG APT_CACHE_BUST=0
|
||||||
RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
|
RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
|
||||||
libpq-dev \
|
libpq-dev \
|
||||||
build-essential \
|
build-essential \
|
||||||
@@ -12,6 +13,7 @@ RUN pip install --no-cache-dir --prefix=/install .
|
|||||||
|
|
||||||
FROM python:3.12-slim AS prod
|
FROM python:3.12-slim AS prod
|
||||||
|
|
||||||
|
ARG APT_CACHE_BUST=0
|
||||||
RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends libpq5 && rm -rf /var/lib/apt/lists/*
|
RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends libpq5 && rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
|
|||||||
+89
-1
@@ -1,4 +1,4 @@
|
|||||||
import { test as base, expect } from "@playwright/test";
|
import { test as base, expect, type Page } from "@playwright/test";
|
||||||
import AxeBuilder from "@axe-core/playwright";
|
import AxeBuilder from "@axe-core/playwright";
|
||||||
|
|
||||||
export const test = base.extend<{ axeCheck: void }>({
|
export const test = base.extend<{ axeCheck: void }>({
|
||||||
@@ -10,3 +10,91 @@ export const test = base.extend<{ axeCheck: void }>({
|
|||||||
});
|
});
|
||||||
|
|
||||||
export { expect } from "@playwright/test";
|
export { expect } from "@playwright/test";
|
||||||
|
|
||||||
|
const MOCK_USER_ID = "mock_user_123";
|
||||||
|
const MOCK_SESSION_ID = "mock_session_456";
|
||||||
|
|
||||||
|
async function mockAuthRoutes(page: Page, authenticated = false) {
|
||||||
|
await page.route(/.*\/auth\/sign-up\/email.*/, async (route) => {
|
||||||
|
await route.fulfill({
|
||||||
|
status: 200,
|
||||||
|
contentType: "application/json",
|
||||||
|
body: JSON.stringify({
|
||||||
|
token: null,
|
||||||
|
user: {
|
||||||
|
id: MOCK_USER_ID,
|
||||||
|
email: "mock@cartsnitch.test",
|
||||||
|
name: "Mock User",
|
||||||
|
emailVerified: true,
|
||||||
|
createdAt: new Date().toISOString(),
|
||||||
|
updatedAt: new Date().toISOString(),
|
||||||
|
},
|
||||||
|
}),
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
await page.route(/.*\/auth\/sign-in\/email.*/, async (route) => {
|
||||||
|
await route.fulfill({
|
||||||
|
status: 200,
|
||||||
|
contentType: "application/json",
|
||||||
|
body: JSON.stringify({
|
||||||
|
redirect: false,
|
||||||
|
token: "mock_token_123",
|
||||||
|
user: {
|
||||||
|
id: MOCK_USER_ID,
|
||||||
|
email: "mock@cartsnitch.test",
|
||||||
|
name: "Mock User",
|
||||||
|
emailVerified: true,
|
||||||
|
createdAt: new Date().toISOString(),
|
||||||
|
updatedAt: new Date().toISOString(),
|
||||||
|
},
|
||||||
|
}),
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
await page.route(/.*\/auth\/get-session.*/, async (route) => {
|
||||||
|
if (authenticated) {
|
||||||
|
await route.fulfill({
|
||||||
|
status: 200,
|
||||||
|
contentType: "application/json",
|
||||||
|
body: JSON.stringify({
|
||||||
|
session: {
|
||||||
|
id: MOCK_SESSION_ID,
|
||||||
|
expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString(),
|
||||||
|
createdAt: new Date().toISOString(),
|
||||||
|
updatedAt: new Date().toISOString(),
|
||||||
|
ipAddress: null,
|
||||||
|
userAgent: null,
|
||||||
|
},
|
||||||
|
user: {
|
||||||
|
id: MOCK_USER_ID,
|
||||||
|
email: "mock@cartsnitch.test",
|
||||||
|
name: "Mock User",
|
||||||
|
emailVerified: true,
|
||||||
|
createdAt: new Date().toISOString(),
|
||||||
|
updatedAt: new Date().toISOString(),
|
||||||
|
},
|
||||||
|
}),
|
||||||
|
});
|
||||||
|
} else {
|
||||||
|
await route.fulfill({
|
||||||
|
status: 401,
|
||||||
|
contentType: "application/json",
|
||||||
|
body: JSON.stringify({ error: "Unauthorized" }),
|
||||||
|
});
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
export async function mockSessionDelayed(page: Page, delayMs = 3000) {
|
||||||
|
await page.route(/.*\/auth\/get-session.*/, async (route) => {
|
||||||
|
await new Promise((r) => setTimeout(r, delayMs));
|
||||||
|
await route.fulfill({
|
||||||
|
status: 401,
|
||||||
|
contentType: "application/json",
|
||||||
|
body: JSON.stringify({ error: "Unauthorized" }),
|
||||||
|
});
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
export { mockAuthRoutes };
|
||||||
|
|||||||
@@ -1,17 +1,18 @@
|
|||||||
import { test, expect } from '@playwright/test';
|
import { test, expect } from '@playwright/test';
|
||||||
|
import { mockAuthRoutes } from '../fixtures';
|
||||||
|
|
||||||
const uniqueEmail = () => `betty+e2e-${Date.now()}@cartsnitch.test`;
|
const uniqueEmail = () => `betty+e2e-${Date.now()}@cartsnitch.test`;
|
||||||
|
|
||||||
test.describe('J1: Registration and Login', () => {
|
test.describe('J1: Registration and Login', () => {
|
||||||
test('can register a new account and lands on dashboard', async ({ page }) => {
|
test('can register a new account and see check your email screen', async ({ page }) => {
|
||||||
|
await mockAuthRoutes(page, false);
|
||||||
await page.goto('/register');
|
await page.goto('/register');
|
||||||
await page.fill('[placeholder="Full Name"]', 'Betty Tester');
|
await page.fill('[placeholder="Full Name"]', 'Betty Tester');
|
||||||
await page.fill('[placeholder="Email"]', uniqueEmail());
|
await page.fill('[placeholder="Email"]', uniqueEmail());
|
||||||
await page.fill('[placeholder="Password (min. 8 characters)"]', 'TestPass123!');
|
await page.fill('[placeholder="Password (min. 8 characters)"]', 'TestPass123!');
|
||||||
await page.click('button[type="submit"]');
|
await page.click('button[type="submit"]');
|
||||||
|
|
||||||
await expect(page).toHaveURL('http://localhost:5173/');
|
await expect(page.getByRole('heading', { name: /check your email/i })).toBeVisible();
|
||||||
await expect(page.getByRole('heading', { name: /cart/i })).toBeVisible();
|
|
||||||
});
|
});
|
||||||
|
|
||||||
test('shows validation error when registration fields are empty', async ({ page }) => {
|
test('shows validation error when registration fields are empty', async ({ page }) => {
|
||||||
@@ -30,22 +31,9 @@ test.describe('J1: Registration and Login', () => {
|
|||||||
});
|
});
|
||||||
|
|
||||||
test('can sign in with credentials and land on dashboard', async ({ page }) => {
|
test('can sign in with credentials and land on dashboard', async ({ page }) => {
|
||||||
// Register first so we have a real account
|
await mockAuthRoutes(page, true);
|
||||||
const email = uniqueEmail();
|
|
||||||
await page.goto('/register');
|
|
||||||
await page.fill('[placeholder="Full Name"]', 'Login Betty');
|
|
||||||
await page.fill('[placeholder="Email"]', email);
|
|
||||||
await page.fill('[placeholder="Password (min. 8 characters)"]', 'TestPass123!');
|
|
||||||
await page.click('button[type="submit"]');
|
|
||||||
await expect(page).toHaveURL('http://localhost:5173/');
|
|
||||||
|
|
||||||
// Sign out by clearing the mock session (reload with no session)
|
|
||||||
await page.goto('/');
|
|
||||||
await page.reload();
|
|
||||||
|
|
||||||
// Now sign in
|
|
||||||
await page.goto('/login');
|
await page.goto('/login');
|
||||||
await page.fill('[placeholder="Email"]', email);
|
await page.fill('[placeholder="Email"]', 'test@cartsnitch.test');
|
||||||
await page.fill('[placeholder="Password"]', 'TestPass123!');
|
await page.fill('[placeholder="Password"]', 'TestPass123!');
|
||||||
await page.click('button[type="submit"]');
|
await page.click('button[type="submit"]');
|
||||||
|
|
||||||
|
|||||||
@@ -1,9 +1,9 @@
|
|||||||
import { test, expect } from '@playwright/test';
|
import { test, expect } from '@playwright/test';
|
||||||
|
import { mockAuthRoutes, mockSessionDelayed } from '../fixtures';
|
||||||
|
|
||||||
test.describe('J8: Unauthenticated Access', () => {
|
test.describe('J8: Unauthenticated Access', () => {
|
||||||
test('redirects /dashboard (/) to /login when not authenticated', async ({ page }) => {
|
test('redirects /dashboard (/) to /login when not authenticated', async ({ page }) => {
|
||||||
// No session cookie — start fresh
|
await mockAuthRoutes(page, false);
|
||||||
await page.context().clearCookies();
|
|
||||||
await page.goto('/');
|
await page.goto('/');
|
||||||
|
|
||||||
await expect(page).toHaveURL(/\/login/);
|
await expect(page).toHaveURL(/\/login/);
|
||||||
@@ -11,7 +11,7 @@ test.describe('J8: Unauthenticated Access', () => {
|
|||||||
});
|
});
|
||||||
|
|
||||||
test('redirects /purchases to /login when not authenticated', async ({ page }) => {
|
test('redirects /purchases to /login when not authenticated', async ({ page }) => {
|
||||||
await page.context().clearCookies();
|
await mockAuthRoutes(page, false);
|
||||||
await page.goto('/purchases');
|
await page.goto('/purchases');
|
||||||
|
|
||||||
await expect(page).toHaveURL(/\/login/);
|
await expect(page).toHaveURL(/\/login/);
|
||||||
@@ -19,7 +19,7 @@ test.describe('J8: Unauthenticated Access', () => {
|
|||||||
});
|
});
|
||||||
|
|
||||||
test('redirects /products to /login when not authenticated', async ({ page }) => {
|
test('redirects /products to /login when not authenticated', async ({ page }) => {
|
||||||
await page.context().clearCookies();
|
await mockAuthRoutes(page, false);
|
||||||
await page.goto('/products');
|
await page.goto('/products');
|
||||||
|
|
||||||
await expect(page).toHaveURL(/\/login/);
|
await expect(page).toHaveURL(/\/login/);
|
||||||
@@ -27,7 +27,7 @@ test.describe('J8: Unauthenticated Access', () => {
|
|||||||
});
|
});
|
||||||
|
|
||||||
test('redirects /coupons to /login when not authenticated', async ({ page }) => {
|
test('redirects /coupons to /login when not authenticated', async ({ page }) => {
|
||||||
await page.context().clearCookies();
|
await mockAuthRoutes(page, false);
|
||||||
await page.goto('/coupons');
|
await page.goto('/coupons');
|
||||||
|
|
||||||
await expect(page).toHaveURL(/\/login/);
|
await expect(page).toHaveURL(/\/login/);
|
||||||
@@ -35,15 +35,9 @@ test.describe('J8: Unauthenticated Access', () => {
|
|||||||
});
|
});
|
||||||
|
|
||||||
test('shows loading spinner while auth session is pending', async ({ page }) => {
|
test('shows loading spinner while auth session is pending', async ({ page }) => {
|
||||||
// Intercept but don't respond — session stays pending
|
await mockSessionDelayed(page, 3000);
|
||||||
await page.context().clearCookies();
|
|
||||||
await page.request.fetch('/api/auth/session', {
|
|
||||||
method: 'GET',
|
|
||||||
});
|
|
||||||
|
|
||||||
// Just navigate to a protected route — ProtectedRoute will show spinner while session is pending
|
|
||||||
await page.goto('/purchases');
|
await page.goto('/purchases');
|
||||||
// Spinner is visible briefly; once resolved, should redirect to login
|
await expect(page.locator('.animate-spin')).toBeVisible({ timeout: 2000 });
|
||||||
await expect(page).toHaveURL(/\/login/, { timeout: 10_000 });
|
await expect(page).toHaveURL(/\/login/, { timeout: 10_000 });
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|||||||
+2
-2
@@ -1,8 +1,8 @@
|
|||||||
import { test, expect } from './fixtures';
|
import { test, expect, mockAuthRoutes } from './fixtures';
|
||||||
|
|
||||||
test('app loads', async ({ page }) => {
|
test('app loads', async ({ page }) => {
|
||||||
|
await mockAuthRoutes(page, false);
|
||||||
await page.goto('/');
|
await page.goto('/');
|
||||||
// Unauthenticated users are redirected to /login
|
|
||||||
await expect(page).toHaveURL(/\/login/);
|
await expect(page).toHaveURL(/\/login/);
|
||||||
await expect(page.getByRole('heading', { name: /CartSnitch/i })).toBeVisible();
|
await expect(page.getByRole('heading', { name: /CartSnitch/i })).toBeVisible();
|
||||||
});
|
});
|
||||||
|
|||||||
@@ -5,6 +5,7 @@ WORKDIR /app
|
|||||||
|
|
||||||
# build-essential and libpq-dev are needed to compile any C-extension wheels
|
# build-essential and libpq-dev are needed to compile any C-extension wheels
|
||||||
# (e.g. psycopg2 fallback). No git needed — common/ is copied from the repo root.
|
# (e.g. psycopg2 fallback). No git needed — common/ is copied from the repo root.
|
||||||
|
ARG APT_CACHE_BUST=0
|
||||||
RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
|
RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
|
||||||
libpq-dev \
|
libpq-dev \
|
||||||
build-essential \
|
build-essential \
|
||||||
@@ -25,6 +26,7 @@ FROM python:3.12-slim AS prod
|
|||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
|
|
||||||
# Install Playwright system dependencies for Chromium
|
# Install Playwright system dependencies for Chromium
|
||||||
|
ARG APT_CACHE_BUST=0
|
||||||
RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
|
RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
|
||||||
libnss3 \
|
libnss3 \
|
||||||
libatk1.0-0 \
|
libatk1.0-0 \
|
||||||
|
|||||||
@@ -79,21 +79,21 @@ function AuthenticatedDashboard({ userName }: { userName: string }) {
|
|||||||
<div className="rounded-xl bg-white p-4 shadow-sm">
|
<div className="rounded-xl bg-white p-4 shadow-sm">
|
||||||
<p className="text-xs font-medium text-gray-500">Watching</p>
|
<p className="text-xs font-medium text-gray-500">Watching</p>
|
||||||
<p className="mt-1 text-2xl font-bold text-gray-900">{watchingAlerts.length}</p>
|
<p className="mt-1 text-2xl font-bold text-gray-900">{watchingAlerts.length}</p>
|
||||||
<p className="text-xs text-gray-400">price alerts</p>
|
<p className="text-xs text-gray-600">price alerts</p>
|
||||||
</div>
|
</div>
|
||||||
<div className="rounded-xl bg-white p-4 shadow-sm">
|
<div className="rounded-xl bg-white p-4 shadow-sm">
|
||||||
<p className="text-xs font-medium text-gray-500">This Month</p>
|
<p className="text-xs font-medium text-gray-500">This Month</p>
|
||||||
<p className="mt-1 text-2xl font-bold text-gray-900">
|
<p className="mt-1 text-2xl font-bold text-gray-900">
|
||||||
${recentPurchases.reduce((sum, p) => sum + p.total, 0).toFixed(0)}
|
${recentPurchases.reduce((sum, p) => sum + p.total, 0).toFixed(0)}
|
||||||
</p>
|
</p>
|
||||||
<p className="text-xs text-gray-400">grocery spend</p>
|
<p className="text-xs text-gray-600">grocery spend</p>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
{/* Price trend sparklines */}
|
{/* Price trend sparklines */}
|
||||||
<section className="mt-6">
|
<section className="mt-6">
|
||||||
<h2 className="mb-3 text-lg font-semibold text-gray-700">Price Trends</h2>
|
<h2 className="mb-3 text-lg font-semibold text-gray-700">Price Trends</h2>
|
||||||
<div className="rounded-xl bg-white p-4 shadow-sm text-center text-sm text-gray-400">
|
<div className="rounded-xl bg-white p-4 shadow-sm text-center text-sm text-gray-600">
|
||||||
Connect a store to see price trends
|
Connect a store to see price trends
|
||||||
</div>
|
</div>
|
||||||
</section>
|
</section>
|
||||||
|
|||||||
Reference in New Issue
Block a user