feat: add Playwright e2e test for OAuth magic link flow

mroderick · mroderick · commit 215a38db9f4d · 2026-06-21T23:32:48.000+02:00
Add a headless browser test that exercises the full OAuth 2.1 flow:
  unauthenticated authorize -&gt; login -&gt; magic link -&gt; verify -&gt; authorize -&gt; code

- Capture magic links in dev via devMagicLinks store when SENDGRID_API_KEY
  is not set
- Expose /api/test/magic-links GET/DELETE endpoints for tests to read/clear
  captured links (dev-only, not available in production)
- Use APIRequestContext for magic link verification so cookies are handled
  automatically across requests
- Add e2e job to CI that runs after unit tests, using chromium-headless-shell
  for a smaller Playwright download
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,7 +1,10 @@
 name: ci
 
 on:
+  push:
+    branches: [main]
   pull_request:
+    branches: [main]
 
 env:
   HUSKY: 0
@@ -15,28 +18,31 @@ jobs:
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
-          fetch-depth: 0
           persist-credentials: false
+          fetch-depth: 0
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version-file: ".nvmrc"
-
-      - name: Install commitlint
-        run: npm install -D @commitlint/cli @commitlint/config-conventional
-      - name: Print versions
-        run: |
-          git --version
-          node --version
-          npm --version
-          npx commitlint --version
-
-      - name: Validate current commit (last commit) with commitlint
+      - run: npm ci
+      - run: npx commitlint --from ${{ github.event.pull_request.base.sha }} --to ${{ github.event.pull_request.head.sha }} --verbose
+        if: github.event_name == 'pull_request'
+      - run: npx commitlint --from ${{ github.event.before }} --to ${{ github.event.after }} --verbose
         if: github.event_name == 'push'
-        run: npx commitlint --last --verbose
 
-      - name: Validate PR commits with commitlint
-        if: github.event_name == 'pull_request'
-        run: npx commitlint --from ${{ github.event.pull_request.base.sha }} --to ${{ github.event.pull_request.head.sha }} --verbose
+  smoke:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version-file: ".nvmrc"
+      - run: npm ci
+      - run: |
+          npm run prettier:check
+          npm run lint
+          npm run fallow
 
   check-workflows:
     permissions:
@@ -53,39 +59,51 @@ jobs:
       - uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
 
   shellcheck:
-    needs:
-      - commitlint
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
-      - name: Run shellcheck
-        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
-        with:
-          severity: warning
+      - run: shellcheck scripts/*.sh
 
-  smoke:
-    needs:
-      - commitlint
+  test:
     runs-on: ubuntu-latest
+
+    services:
+      postgres:
+        image: postgres:16
+        env:
+          POSTGRES_USER: authuser
+          POSTGRES_PASSWORD: authpass
+          POSTGRES_DB: authdb
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+          - 5432:5432
+
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
-          fetch-depth: 0
           persist-credentials: false
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version-file: ".nvmrc"
       - run: npm ci
-      - run: |
-          npm run prettier:check
-          npm run lint
-          npm run fallow
+      - run: npm run db:generate
+      - run: npm run db:migrate
+      - run: npm test
 
-  test:
+    env:
+      DATABASE_URL: postgres://authuser:authpass@localhost:5432/authdb
+      GITHUB_CLIENT_ID: dummy-id-for-testing
+      GITHUB_CLIENT_SECRET: dummy-secret-for-testing
+
+  e2e:
     needs:
-      - commitlint
+      - test
     runs-on: ubuntu-latest
 
     services:
@@ -111,9 +129,18 @@ jobs:
         with:
           node-version-file: ".nvmrc"
       - run: npm ci
+      - run: npx playwright install chromium-headless-shell
       - run: npm run db:generate
       - run: npm run db:migrate
-      - run: npm test -- --disable-coverage
+      - run: node scripts/migrate.js
+      - run: |
+          node src/index.js > server.log 2>&1 &
+          for i in {1..30}; do
+            curl -sf 'http://127.0.0.1:3001/health?type=startup' && break
+            sleep 1
+          done
+          cat server.log
+          npx playwright test
 
     env:
       DATABASE_URL: postgres://authuser:authpass@localhost:5432/authdb
diff --git a/.gitignore b/.gitignore
@@ -34,6 +34,7 @@ lerna-debug.log*
 # test coverage and tap
 coverage/
 .tap/
+test-results/
 
 # worktrees
 .worktrees/
diff --git a/e2e/oauth-flow.spec.js b/e2e/oauth-flow.spec.js
@@ -0,0 +1,68 @@
+import { test, expect } from "@playwright/test";
+import { AUTH_DEFAULT_PORT, PLANNER_DEFAULT_PORT } from "../src/config.js";
+
+const authBase = `http://localhost:${AUTH_DEFAULT_PORT}`;
+
+test("OAuth 2.1 magic link flow", async ({ page, request }) => {
+  const email = `e2e-${Date.now()}@example.com`;
+
+  // Clear any stale magic links
+  await request.delete(`${authBase}/api/test/magic-links`);
+
+  // Start OAuth flow: unauthenticated user hits authorize endpoint with PKCE
+  const codeChallenge = "MJk6-W6P2z_PgOvWcEvbyqeIyc-GthZov8-QX37r0Vo";
+  const authorizeParams = new URLSearchParams({
+    client_id: "planner",
+    redirect_uri: `http://localhost:${PLANNER_DEFAULT_PORT}/auth/codebar/callback`,
+    response_type: "code",
+    state: "e2e-state-123",
+    scope: "openid profile",
+    code_challenge: codeChallenge,
+    code_challenge_method: "S256",
+  });
+  await page.goto(
+    `${authBase}/api/auth/oauth2/authorize?${authorizeParams.toString()}`,
+  );
+
+  // OAuth provider redirects unauthenticated users to the login page
+  await expect(page).toHaveURL(/\/login/);
+
+  // Click through to the magic link form
+  await page.getByRole("button", { name: /Send Magic Link/i }).click();
+  await expect(page).toHaveURL(/\/login\/magic-link/);
+
+  // Submit email
+  await page.fill('input[name="email"]', email);
+  await page.click('button[type="submit"]');
+
+  // Success page is shown
+  await expect(page).toHaveURL(/\/login\/magic-link\?success=/);
+  await expect(page.locator("body")).toContainText("Magic link sent");
+
+  // Fetch the magic link from the auth dev endpoint
+  const linksRes = await request.get(`${authBase}/api/test/magic-links`);
+  const links = await linksRes.json();
+  const link = links.find((l) => l.email === email);
+  expect(link).toBeDefined();
+  expect(link.url).toMatch(/magic-link\/verify/);
+
+  // Call the magic link verify endpoint via API to establish a session.
+  // APIRequestContext automatically stores and sends cookies across requests.
+  const verifyRes = await request.get(link.url, { maxRedirects: 0 });
+  expect(verifyRes.status()).toBe(302);
+  const verifyLocation = verifyRes.headers()["location"];
+  expect(verifyLocation).toContain("/api/auth/oauth2/authorize");
+
+  // Call the authorize endpoint with the session cookie (don't follow redirects)
+  const authRes = await request.get(
+    `${authBase}/api/auth/oauth2/authorize?${authorizeParams.toString()}`,
+    { maxRedirects: 0 },
+  );
+
+  // Should get a 302 redirect to the planner callback with the code
+  expect(authRes.status()).toBe(302);
+  const location = authRes.headers()["location"];
+  expect(location).toBeTruthy();
+  expect(location).toContain("code=");
+  expect(location).toContain("state=e2e-state-123");
+});
diff --git a/package.json b/package.json
@@ -20,7 +20,8 @@
     "test:pg:start": "scripts/container.sh start",
     "test:pg:stop": "scripts/container.sh stop",
     "test:pg:status": "scripts/container.sh status",
-    "test:coverage": "tap --coverage-report=html"
+    "test:coverage": "tap --coverage-report=html",
+    "e2e": "playwright test"
   },
   "dependencies": {
     "@better-auth/oauth-provider": "^1.6.20",
@@ -42,6 +43,7 @@
     "@commitlint/cli": "^21.0.2",
     "@commitlint/config-conventional": "^21.0.2",
     "@eslint/js": "^10.0.1",
+    "@playwright/test": "^1.61.0",
     "eslint": "^10.4.1",
     "fallow": "^2.92.1",
     "globals": "^17.6.0",
diff --git a/playwright.config.js b/playwright.config.js
@@ -0,0 +1,17 @@
+import { defineConfig, devices } from "@playwright/test";
+
+export default defineConfig({
+  testDir: "./e2e",
+  fullyParallel: false,
+  workers: 1,
+  use: {
+    baseURL: "http://127.0.0.1:3001",
+    trace: "on-first-retry",
+  },
+  projects: [
+    {
+      name: "chromium",
+      use: { ...devices["Desktop Chrome"], headless: true },
+    },
+  ],
+});
diff --git a/src/app/app.js b/src/app/app.js
@@ -3,6 +3,7 @@ import { pinoLogger } from "hono-pino";
 import { serveStatic } from "@hono/node-server/serve-static";
 
 import { db } from "../auth.js";
+import { devMagicLinks } from "../dev/magic-links.js";
 import authHandler from "./routes/auth.js";
 import healthHandler from "./routes/health.js";
 import homeHandler from "./routes/home.js";
@@ -106,6 +107,15 @@ export function createApp(auth, injectedDb) {
 
   app.route("/demo", demoHandler);
 
+  // Dev-only endpoint for Playwright tests to retrieve captured magic links
+  if (process.env.NODE_ENV !== "production") {
+    app.get("/api/test/magic-links", (c) => c.json(devMagicLinks));
+    app.delete("/api/test/magic-links", (c) => {
+      devMagicLinks.length = 0;
+      return c.json({ cleared: true });
+    });
+  }
+
   // serve assets, etc.
   app.use("/static/*", serveStatic({ root: "./" }));
 
diff --git a/src/auth.js b/src/auth.js
@@ -3,6 +3,7 @@ import { betterAuth } from "better-auth";
 import { admin, magicLink, jwt } from "better-auth/plugins";
 import { oauthProvider } from "@better-auth/oauth-provider";
 import appConfig from "./config.js";
+import { devMagicLinks } from "./dev/magic-links.js";
 
 // PostgreSQL connection pool for CI/production and local dev
 // SSL only for non-local connections (Heroku requires it; local/CI does not)
@@ -69,6 +70,11 @@ export const auth = betterAuth({
 
         if (!apiKey) {
           console.log(`Magic Link for ${email}: ${url}`);
+          devMagicLinks.push({
+            email,
+            url,
+            createdAt: new Date().toISOString(),
+          });
           return;
         }
 
