* fix: remove VITE_MOCK_AUTH bypass from production code
Removed all VITE_MOCK_AUTH environment variable checks from production source:
- Login.tsx: removed mock auth catch block fallback
- Register.tsx: removed mock auth catch block fallback; now shows 'Account created! Please sign in.' on success
- ProtectedRoute.tsx: simplified to only use Better-Auth session
- playwright.config.ts: removed VITE_MOCK_AUTH=true from webServer command
- e2e/journeys/j1-registration-login.spec.ts: updated tests to match new registration flow (email verification required)
Auth is now exclusively handled via Better-Auth. No silent bypass paths remain.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: remove VITE_MOCK_AUTH bypass and resolve merge conflicts
- Resolve merge conflict markers in j1-registration-login.spec.ts
- Add trailing newline to ProtectedRoute.tsx
- Remove VITE_MOCK_AUTH fallback in Login.tsx catch block
- Update Register.tsx to show 'Account created! Please sign in.' message
- Remove unused useAuthStore import from Login.tsx
- Remove unused registrationComplete state from Register.tsx
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(deps): bump postcss to address moderate XSS vulnerability
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: use mockAuthRoutes in e2e tests to work around CI auth infrastructure limitation
Note: This is a pragmatic choice to get CI green. The source code changes
(removing VITE_MOCK_AUTH bypass) are preserved. The e2e tests use mocks
because the CI dev server doesn't have proper Better Auth infrastructure
(database, RESEND_API_KEY, etc.) configured.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
---------
Co-authored-by: Paperclip <noreply@paperclip.ing>
Co-authored-by: Chris Farhood <chris@farhood.org>
- Override brace-expansion to >=1.1.13 to resolve GHSA-f886-m6hf-6m8v
- Override lodash to >=4.17.24 to resolve GHSA-r5fr-rjxr-66jc and GHSA-f23m-r3pf-42rh
- Override minimatch to ^10.2.4 to maintain compatibility with brace-expansion@5.x
Co-authored-by: Paperclip <noreply@paperclip.ing>
Co-authored-by: CartSnitch Engineer Bot <cartnoreply@cartsnitch.com>
feat(e2e): add J1 and J8 journey tests
- J1: Registration and Login — register flow, validation errors,
sign-in with existing account, nav between pages
- J8: Unauthenticated Access — /, /purchases, /products, /coupons
all redirect to /login when no session
- Enable VITE_MOCK_AUTH in playwright webServer so registration
tests work without a live Better-Auth instance
- Add playwright to devDependencies to ensure CI has the package
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Resolves GHSA-3v7f-55p6-f55p (picomatch ReDoS) and
GHSA-c2c7-rcm5-vvqj (picomatch method injection) flagged by the new
npm audit CI job. Also bump @vitejs/plugin-react to 4.7.0.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
package.json references packages (better-auth@1.5.6, etc.) not present
in the lock file, causing npm ci to fail on CI. Regenerate the lock file
so CI can install dependencies correctly.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Install Mock Service Worker (MSW) and configure it for vitest.
Write one integration test for usePurchases hook using MSW.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The feat/playwright-setup branch added @playwright/test to package.json
but the lockfile was not regenerated, causing npm ci to fail.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
cartsnitch-engineer[bot]
Stockboy Steve