till/managarten
1
0
Fork 0
mirror of https://github.com/Memo-2023/mana-monorepo.git synced 2026-05-14 19:01:08 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

test(integration): end-to-end auth flow test with Mailpit + CI gating

Browse source 
Adds a 13-step integration test that exercises register → email
verification → login → JWT validation → /me/data → encryption-vault
init/key → logout against a real stack of postgres + redis + mailpit +
mana-auth + mana-notify in docker compose.

Verified locally that this catches every regression we hit on
2026-04-08 in well under a second:

  - missing nanoid dependency → register endpoint 500
  - missing MANA_AUTH_KEK env passthrough → mana-auth never starts
  - missing encryption-vault SQL migrations → vault endpoints 500
  - wrong cookie name in /api/v1/auth/login → no accessToken in response
  - mana-notify SMTP misconfigured → mailpit poll times out

Files:

- docker-compose.test.yml — minimal isolated stack on alt ports
  (postgres 5443, redis 6390, mailpit 1026/8026, mana-auth 3091,
  mana-notify 3092). Runs alongside the dev stack without collision.
  Postgres healthcheck runs a real query rather than just pg_isready
  to avoid the race where pg_isready reports healthy while the docker
  init scripts are still running on a unix socket.

- tests/integration/auth-flow.test.ts — bun test that drives the full
  flow via fetch + mailpit's REST API. Cleans up its test user from
  postgres in afterAll. Self-contained, no extra deps.

- tests/integration/README.md — what's covered, why it exists, how
  to run locally + extend.

- scripts/run-integration-tests.sh — orchestrator. Brings up the
  stack, pushes the @mana/auth Drizzle schema, applies the
  encryption-vault SQL migrations (002, 003), restarts mana-auth so
  it sees the fresh tables, runs the test, tears down on exit.
  KEEP_STACK=1 to leave it up for manual mailpit inspection.

- docker-compose.dev.yml — also adds Mailpit as a regular dev service
  (ports 1025/8025) so local development can have a working email
  capture without spinning up the test stack.

- .github/workflows/ci.yml — new auth-integration job that runs on
  every PR. Calls run-integration-tests.sh; on failure dumps
  mana-auth + mana-notify logs and the mailpit message queue. Marked
  as a required check via the existing PR validation pipeline.

Reproduced 3 clean runs and 1 negative-control run (removed nanoid
from package.json → mana-auth container exits → script aborts with
non-zero) before committing. Full happy path runs in ~22s on a warm
Docker cache.
This commit is contained in:
Till JS 2026-04-08 17:14:02 +02:00
parent 3b41b39a32
commit 5af4ddab3c
7 changed files with 612 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

50
tests/integration/README.md Normal file
View file

@ -0,0 +1,50 @@
# Integration tests
End-to-end tests that exercise real services against real Postgres + Redis + a fake SMTP server (Mailpit), via `docker-compose.test.yml`.
## What's covered
| File | Flow under test |
|------|----------|
| `auth-flow.test.ts` | register → email verification (via Mailpit) → login → JWT validation → `/me/data` → encryption vault init/key → logout |
## Running locally
```bash
./scripts/run-integration-tests.sh
```
That script:
1. Brings up `docker-compose.test.yml` (postgres, redis, mailpit, mana-auth, mana-notify) on isolated ports (`5443`, `6390`, `8026`, `3091`, `3092`)
2. Waits for everything to be healthy
3. Pushes the `@mana/auth` Drizzle schema into the test database
4. Applies the encryption-vault SQL migrations (`002_encryption_vaults.sql`, `003_recovery_wrap.sql`)
5. Runs `bun test auth-flow.test.ts` from this directory
6. Tears the stack down on exit (success or failure)
The whole thing runs in well under a minute on a warm Docker cache.
## Mailpit web UI
While the stack is up you can also browse incoming mail manually at <http://127.0.0.1:8026>.
## Why this exists
Bugs caught by this test the first time it ran:
- `services/mana-auth` imported `nanoid` but didn't declare it in its `package.json``Cannot find package 'nanoid'` at startup, register endpoint 500'd. Local `pnpm install` resolved it transitively via `postcss → nanoid@3.3.11`, an isolated container build couldn't.
- `MANA_AUTH_KEK` was never passed through to the mana-auth container in `docker-compose.macmini.yml`, so the prod service hard-failed at startup with `MANA_AUTH_KEK env var is required in production`.
- The encryption-vault SQL migrations (`002`, `003`) had never been applied to prod Postgres, so any vault endpoint 500'd with `relation "auth.encryption_vaults" does not exist`.
- `/api/v1/auth/login` minted a JWT by reconstructing the session cookie under the wrong name (`mana.session_token` instead of `__Secure-mana.session_token`), so the JWT-mint silently fell through and clients got `accessToken: undefined`.
- mana-notify SMTP credentials were misconfigured against Stalwart, so no verification email actually went out — the failure was buried in mana-notify worker logs and the auth flow appeared to "work" only because the user could be flipped to verified by other means.
Each of those would have been a single red `bun test` run instead of a multi-hour debugging session.
## Adding more flows
Drop another `<name>.test.ts` next to `auth-flow.test.ts` and update `package.json` to include it. Use the same helpers (`postJson`, `waitForMail`, `pgExec`) — they're free to copy.
## CI
The same script runs in `.github/workflows/ci.yml` as a required PR check. Don't bypass it.

237
tests/integration/auth-flow.test.ts Normal file
View file

@ -0,0 +1,237 @@
/**
* End-to-end auth flow integration test.
*
* Spins up nothing on its own assumes the docker-compose.test.yml stack
* is already running. Run via `./scripts/run-integration-tests.sh` which
* brings up the stack, applies the encryption-vault SQL migrations, runs
* this test, then tears the stack down.
*
* What this test covers, in order:
*
* 1. POST /api/v1/auth/register user created
* 2. mana-auth mana-notify mailpit email arrives
* 3. Extract verify URL from email body
* 4. GET <verify URL> email_verified
* 5. POST /api/v1/auth/login JWT minted
* 6. POST /api/v1/auth/validate(JWT) claims valid
* 7. GET /api/v1/me/data user summary
* 8. POST /api/v1/me/encryption-vault/init master key
* 9. GET /api/v1/me/encryption-vault/key unwrap roundtrip
* 10. POST /api/v1/auth/logout success
* 11. (cleanup) DELETE the test user from postgres
*
* Every regression we hit on 2026-04-08 would have been caught here:
* - missing nanoid dep step 1 500
* - missing MANA_AUTH_KEK mana-auth never starts
* - missing encryption_vaults table step 8 500
* - wrong cookie name in /login step 5 no accessToken
* - mana-notify SMTP auth fails step 2 mailpit times out
*/
import { test, expect, beforeAll, afterAll } from 'bun:test';
const AUTH_URL = process.env.AUTH_URL ?? 'http://localhost:3091';
const MAILPIT_URL = process.env.MAILPIT_URL ?? 'http://localhost:8026';
// Postgres connection (for the cleanup step). Reads the env that
// run-integration-tests.sh sets, falls back to the test stack defaults.
const PG_DSN =
process.env.TEST_DATABASE_URL ?? 'postgresql://mana:testpassword@localhost:5443/mana_platform';
// Generated per test run so reruns don't collide.
const TEST_EMAIL = `auth-flow-${Date.now()}@manatest.local`;
const TEST_PASSWORD = 'TestPassword123!';
const TEST_NAME = 'Auth Flow';
let createdUserId: string | null = null;
// ─── Tiny helpers ────────────────────────────────────────────────────
async function postJson<T = unknown>(path: string, body: unknown, headers?: HeadersInit) {
const res = await fetch(`${AUTH_URL}${path}`, {
method: 'POST',
headers: { 'Content-Type': 'application/json', ...headers },
body: JSON.stringify(body),
});
const json = (await res.json().catch(() => ({}))) as T;
return { status: res.status, json };
}
async function getJson<T = unknown>(url: string, headers?: HeadersInit) {
const res = await fetch(url, { headers });
const json = (await res.json().catch(() => ({}))) as T;
return { status: res.status, json };
}
async function waitForMail(to: string, timeoutMs = 15000): Promise<{ html: string; text: string }> {
const deadline = Date.now() + timeoutMs;
while (Date.now() < deadline) {
const list = await fetch(
`${MAILPIT_URL}/api/v1/search?query=${encodeURIComponent(`to:${to}`)}`
);
if (list.ok) {
const data = (await list.json()) as { messages?: Array<{ ID: string }> };
if (data.messages && data.messages.length > 0) {
const id = data.messages[0].ID;
const full = await fetch(`${MAILPIT_URL}/api/v1/message/${id}`);
if (full.ok) {
const msg = (await full.json()) as { HTML?: string; Text?: string };
return { html: msg.HTML ?? '', text: msg.Text ?? '' };
}
}
}
await new Promise((r) => setTimeout(r, 250));
}
throw new Error(`No email to ${to} arrived within ${timeoutMs}ms`);
}
function extractVerifyUrl(html: string): string {
// Better Auth's verify URL is /api/auth/verify-email?token=...&callbackURL=...
// We allow either http://mana-auth:3001 or http://localhost:3091 since the
// test runs against the host but mana-auth's BASE_URL might be either.
const match = html.match(/https?:\/\/[^\s"'<>]+\/api\/auth\/verify-email\?[^\s"'<>]+/);
if (!match) throw new Error(`No verify URL found in email body: ${html.slice(0, 200)}`);
return match[0];
}
async function pgExec(sql: string): Promise<string> {
// Shell out to docker exec rather than pulling in a postgres client lib —
// the test container is the only place this runs and it has docker.
const proc = Bun.spawn(
[
'docker',
'exec',
'mana-test-postgres',
'psql',
'-U',
'mana',
'-d',
'mana_platform',
'-t',
'-A',
'-c',
sql,
],
{ stdout: 'pipe', stderr: 'pipe' }
);
const out = await new Response(proc.stdout).text();
const err = await new Response(proc.stderr).text();
const code = await proc.exited;
if (code !== 0) throw new Error(`psql failed (${code}): ${err}`);
return out.trim();
}
// ─── Cleanup at the end so failed runs don't leak ────────────────────
afterAll(async () => {
if (!createdUserId) return;
try {
await pgExec(
`DELETE FROM auth.encryption_vault_audit WHERE user_id = '${createdUserId}';
DELETE FROM auth.encryption_vaults WHERE user_id = '${createdUserId}';
DELETE FROM auth.users WHERE id = '${createdUserId}';`
);
} catch (err) {
console.warn('cleanup failed:', err);
}
});
// ─── The test ────────────────────────────────────────────────────────
test('full register → verify → login → vault → logout flow', async () => {
// 1. Register
const reg = await postJson<{ user?: { id: string } }>('/api/v1/auth/register', {
email: TEST_EMAIL,
password: TEST_PASSWORD,
name: TEST_NAME,
});
expect(reg.status).toBe(200);
expect(reg.json.user?.id).toBeTruthy();
createdUserId = reg.json.user!.id;
// 2. Wait for the verification email to land in mailpit
const mail = await waitForMail(TEST_EMAIL);
expect(mail.html.length).toBeGreaterThan(0);
// 3. Extract the verify URL
const verifyUrl = extractVerifyUrl(mail.html);
// 4. Hit the verify URL. Better Auth issues a 302 redirect on success.
// Use manual redirect handling so we can assert the redirect itself.
//
// Sometimes Better Auth's verify URL points at the internal docker
// hostname `http://mana-auth:3001/...`. Rewrite that to the host-bound
// port so we can actually reach it from outside the docker network.
const reachableVerifyUrl = verifyUrl.replace('http://mana-auth:3001', AUTH_URL);
const verifyRes = await fetch(reachableVerifyUrl, { redirect: 'manual' });
expect([200, 302, 303]).toContain(verifyRes.status);
// Belt-and-suspenders: confirm the DB row actually flipped.
const verified = await pgExec(
`SELECT email_verified FROM auth.users WHERE id = '${createdUserId}';`
);
expect(verified).toBe('t');
// 5. Login. Expect accessToken (the JWT) and refreshToken (the session token).
const login = await postJson<{
user?: { id: string };
accessToken?: string;
refreshToken?: string;
}>('/api/v1/auth/login', {
email: TEST_EMAIL,
password: TEST_PASSWORD,
});
expect(login.status).toBe(200);
expect(login.json.user?.id).toBe(createdUserId);
expect(login.json.accessToken).toBeTruthy();
expect(login.json.accessToken!.split('.').length).toBe(3); // JWT has 3 segments
expect(login.json.refreshToken).toBeTruthy();
const jwt = login.json.accessToken!;
// 6. Validate the JWT against the same service that minted it
const validate = await postJson<{ valid: boolean; payload?: { sub: string; email: string } }>(
'/api/v1/auth/validate',
{ token: jwt }
);
expect(validate.status).toBe(200);
expect(validate.json.valid).toBe(true);
expect(validate.json.payload?.sub).toBe(createdUserId);
expect(validate.json.payload?.email).toBe(TEST_EMAIL);
// 7. /me/data round-trip — exercises JWT auth middleware end-to-end
const me = await getJson<{ user?: { id: string; email: string } }>(`${AUTH_URL}/api/v1/me/data`, {
Authorization: `Bearer ${jwt}`,
});
expect(me.status).toBe(200);
expect(me.json.user?.id).toBe(createdUserId);
// 8. Encryption vault init — exercises nanoid + MANA_AUTH_KEK + the
// auth.encryption_vaults / auth.encryption_vault_audit tables
const vaultInit = await postJson<{ masterKey?: string; kekId?: string; formatVersion?: number }>(
'/api/v1/me/encryption-vault/init',
{},
{ Authorization: `Bearer ${jwt}` }
);
expect(vaultInit.status).toBe(200);
expect(vaultInit.json.masterKey).toBeTruthy();
expect(vaultInit.json.formatVersion).toBe(1);
expect(vaultInit.json.kekId).toBeTruthy();
const mintedKey = vaultInit.json.masterKey!;
// 9. Vault key retrieval — should return the same master key
const vaultKey = await getJson<{ masterKey?: string }>(
`${AUTH_URL}/api/v1/me/encryption-vault/key`,
{ Authorization: `Bearer ${jwt}` }
);
expect(vaultKey.status).toBe(200);
expect(vaultKey.json.masterKey).toBe(mintedKey);
// 10. Logout
const logout = await postJson<{ success?: boolean }>(
'/api/v1/auth/logout',
{},
{ Authorization: `Bearer ${jwt}` }
);
expect(logout.status).toBe(200);
expect(logout.json.success).toBe(true);
});

9
tests/integration/package.json Normal file
View file

@ -0,0 +1,9 @@
{
"name": "@mana/integration-tests",
"version": "0.0.0",
"private": true,
"type": "module",
"scripts": {
"test": "bun test auth-flow.test.ts"
}
}