From 00c270b0d453f09505428e8f0f66ef9f667c1c2f Mon Sep 17 00:00:00 2001
From: Hugh Hackman <hugh@privilegedescalation.com>
Date: Sat, 21 Mar 2026 20:55:44 +0000
Subject: [PATCH] fix: use token auth in E2E workflow, handle direct /token
 redirect
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The E2E Headlamp instance is deployed without OIDC configuration, so
Headlamp redirects / → /token directly instead of / → /login. The
authenticateWithToken function was hardcoded to expect /login first,
causing a 60s timeout on every run.

- e2e.yaml: remove unused Setup Helm step (deploy script uses kubectl)
- e2e.yaml: remove AUTHENTIK_USERNAME/PASSWORD (no OIDC in E2E instance)
- auth.setup.ts: waitForURL accepts both /login and /token; only clicks
  "use a token" if landed on /login (OIDC-configured Headlamp)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/e2e.yaml |  5 -----
 e2e/auth.setup.ts          | 13 ++++++++-----
 2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index aa50bfa..a28cb07 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -32,9 +32,6 @@ jobs:
       - name: Setup kubectl
         uses: azure/setup-kubectl@v4
 
-      - name: Setup Helm
-        uses: azure/setup-helm@v4
-
       - name: Install dependencies
         run: npm ci
 
@@ -61,8 +58,6 @@ jobs:
         env:
           HEADLAMP_URL: ${{ env.HEADLAMP_URL }}
           HEADLAMP_TOKEN: ${{ env.HEADLAMP_TOKEN }}
-          AUTHENTIK_USERNAME: ${{ secrets.AUTHENTIK_USERNAME }}
-          AUTHENTIK_PASSWORD: ${{ secrets.AUTHENTIK_PASSWORD }}
 
       - name: Teardown E2E instance
         if: always()
diff --git a/e2e/auth.setup.ts b/e2e/auth.setup.ts
index 817f003..2bc6d1d 100644
--- a/e2e/auth.setup.ts
+++ b/e2e/auth.setup.ts
@@ -39,13 +39,16 @@ async function authenticateWithOIDC(page: Page, username: string, password: stri
 }
 
 async function authenticateWithToken(page: Page, token: string): Promise<void> {
-  // Navigate to login — Headlamp redirects / to /c/main/login
   await page.goto('/');
-  await page.waitForURL('**/login');
+  // Headlamp goes to /token directly when no OIDC is configured,
+  // or through /login when OIDC is configured
+  await page.waitForURL(/\/(login|token)$/);
 
-  // Click the token auth option
-  await page.getByRole('button', { name: /use a token/i }).click();
-  await page.waitForURL('**/token');
+  if (page.url().includes('/login')) {
+    // OIDC login page — click "use a token" to reach token auth
+    await page.getByRole('button', { name: /use a token/i }).click();
+    await page.waitForURL('**/token');
+  }
 
   // Fill the "ID token" field and submit
   await page.getByRole('textbox', { name: /id token/i }).fill(token);