fix(e2e): comment out Turnstile keys in .env.local (PP-uc8 redesign)#1283
timothyfroehlich wants to merge 4 commits into main from
playwright.config.ts webServer.env only forwarded PORT and MOCK_BLOB_STORAGE to the dev server it spawns. The dev server therefore inherited whatever Turnstile keys .env.local had, which made the login form's enforceCaptcha check (`hasTurnstile && NODE_ENV !== "test"`) evaluate true and required agents to manually clear the env vars before running E2E.

Now passing empty NEXT_PUBLIC_TURNSTILE_SITE_KEY and TURNSTILE_SECRET_KEY through webServer.env activates the existing graceful-bypass logic:

- Client: TurnstileWidget returns null when site key is empty, so the form doesn't enforce a token.
- Server: verifyTurnstileToken returns true in non-prod when the secret key is missing, so submission succeeds.

No new logic — only plumbing the existing bypass through to the spawned dev server. Production unaffected (real keys still apply outside Playwright).

Refs PP-2on (epic).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
This PR attempts to disable Turnstile for the dev server that Playwright uses during E2E runs, so local test runs are not blocked by real CAPTCHA keys in .env.local.
Changes:
- Adds empty `NEXT_PUBLIC_TURNSTILE_SITE_KEY` and `TURNSTILE_SECRET_KEY` values to `playwright.config.ts` `webServer.env`.
- Documents that these empty values are intended to trigger the app's existing Turnstile bypass behavior in test/dev contexts.
| NEXT_PUBLIC_TURNSTILE_SITE_KEY: "", | ||
| TURNSTILE_SECRET_KEY: "", |
| // trip the existing graceful-bypass logic in src/lib/security/turnstile.ts | ||
| // (server) and src/components/security/TurnstileWidget.tsx (client) so | ||
| // tests do not need to manually clear these env vars. | ||
| NEXT_PUBLIC_TURNSTILE_SITE_KEY: "", | ||
| TURNSTILE_SECRET_KEY: "", |
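Review bot: The empty NEXT_PUBLIC_TURNSTILE_SITE_KEY and TURNSTILE_SECRET_KEY entries only disable the CAPTCHA if the spawned server keeps these empty values rather than picking the keys up again from another source, and the comment above them ("tests do not need to manually clear these env vars") takes that for granted. Suggest either stating in the comment why the empty values win, or adding a test that asserts both variables are empty inside the server process, so a silent change in precedence shows up as a failing check instead of a CAPTCHA-blocked E2E run.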
….env.local (PP-uc8)

- Add dev:e2e script that sources .env.local then re-exports empty NEXT_PUBLIC_TURNSTILE_SITE_KEY and TURNSTILE_SECRET_KEY, so real keys from .env.local cannot clobber the bypass (Copilot #1 on playwright.config.ts:122)
- Change playwright.config.ts webServer.command from dev to dev:e2e
- Remove now-redundant Turnstile vars from webServer.env (the script handles it)
- Update PR description with reuseExistingServer caveat for local dev workflows (Copilot #2 on playwright.config.ts:122)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Re: Copilot's two unresolved threads on
The previous approach added a dev:e2e npm script that overrode .env.local after sourcing it. This solved E2E but left local dev with the wrong default — the Turnstile widget rendered on every form (with a Cloudflare round-trip) for no real value.

New approach: scripts/worktree_setup.py writes the Turnstile keys commented-out by default, so .env.local has them visible as opt-in documentation but inactive. The application code already handles unset/empty correctly:

- TurnstileWidget renders nothing if siteKey is falsy
- verifyTurnstileToken returns true (skip) in non-prod if secretKey is falsy

To test CAPTCHA UI locally:

    chmod 644 .env.local
    # uncomment the two TURNSTILE_* lines
    chmod 444 .env.local

The TURNSTILE_TEST_SECRET carveout in turnstile.ts is preserved — it now protects the explicit opt-in path (developer uncomments keys to debug CAPTCHA in headless mode where the widget JS may not complete).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary

The original PR's `dev:e2e` script approach was solving the right problem (Turnstile bypass for E2E) in the wrong place. It added a separate npm script that overrode `.env.local` vars after sourcing, which worked for Playwright's webServer but left local dev with the wrong default — the Turnstile widget still rendered when using `next dev` directly, Storybook, or any other tool.

New approach: `scripts/worktree_setup.py` now writes the Turnstile keys commented-out in `.env.local`. They're visible as opt-in documentation but inactive by default.

How it works

The application already handles unset keys gracefully:

- `TurnstileWidget` renders nothing if `siteKey` is falsy
- `verifyTurnstileToken` returns `true` (skip) in non-prod if `secretKey` is falsy

So absent keys = bypass, uniformly across all dev tools (next dev, Playwright webServer, Storybook, etc.). No special scripts needed.

To test CAPTCHA UI locally (opt-in)

    chmod 644 .env.local
    # uncomment the two TURNSTILE_* lines
    chmod 444 .env.local

The `TURNSTILE_TEST_SECRET` carveout in `turnstile.ts` is preserved — it now protects the explicit opt-in path (developer uncomments the keys to test CAPTCHA in headless mode where the widget JS may not complete).

E2E benefits

- `playwright.config.ts` uses plain `pnpm run dev` (reverted from `dev:e2e`)
- `dev:e2e` script removed entirely

Changes

- `scripts/worktree_setup.py`: Turnstile lines written commented-out with opt-in docs
- `scripts/tests/test_worktree_setup.py`: New test asserting keys appear as `# KEY=value`
- `playwright.config.ts`: webServer command reverted to `pnpm run dev`
- `package.json`: `dev:e2e` script removed
- `.env.local` files updated (Turnstile lines commented out, chmod 444 restored)
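A pre-E2E check for the state this description relies on, classifying each Turnstile key in an env file as absent, commented, empty or active. This is an added example, not code from the PR or the project: the function names, the parsing rules and the sample file contents are assumptions constructed for illustration.

```python
import re

TURNSTILE_KEYS = ("NEXT_PUBLIC_TURNSTILE_SITE_KEY", "TURNSTILE_SECRET_KEY")

# Optional leading "#", optional "export", then KEY=value.
_LINE = re.compile(
    r"^\s*(?P<hash>#)?\s*(?:export\s+)?(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=(?P<val>.*)$"
)
# Conservative ordering: the "most enabled" state seen for a key is reported.
_RANK = {"absent": 0, "commented": 1, "empty": 2, "active": 3}

# Constructed sample of the layout described above (values are placeholders).
SAMPLE = """\
PORT=3000
# Turnstile (opt-in): uncomment both lines to test the CAPTCHA UI
# NEXT_PUBLIC_TURNSTILE_SITE_KEY=constructed-site-key
# TURNSTILE_SECRET_KEY=constructed-secret
"""


def _strip_value(raw):
    """Trim whitespace, a bare inline comment, and one pair of matching quotes."""
    val = raw.strip()
    if val.startswith("#"):  # "KEY= # note" carries no value
        return ""
    if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
        val = val[1:-1]
    return val


def key_states(env_text, keys=TURNSTILE_KEYS):
    """Return {key: state} with state in absent / commented / empty / active."""
    states = {k: "absent" for k in keys}
    for line in env_text.splitlines():
        m = _LINE.match(line)
        if not m or m.group("key") not in states:
            continue
        if m.group("hash"):
            state = "commented"
        else:
            state = "active" if _strip_value(m.group("val")) else "empty"
        if _RANK[state] > _RANK[states[m.group("key")]]:
            states[m.group("key")] = state
    return states


def captcha_inactive(env_text):
    """True when no Turnstile key has a live, non-empty assignment."""
    return all(s != "active" for s in key_states(env_text).values())
```

Running `captcha_inactive` on the contents of `.env.local` before starting the test server turns an accidentally uncommented key into an immediate failure rather than a login form that waits on a token.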