Add integration + Playwright smoke suite for post-deploy QA validation

Existing coverage was one integration test and zero e2e tests. Adds the thin,
high-value integration/e2e layer unit tests can't reach (real Postgres wire
contract, real browser flows) and wires it as a post-deploy smoke gate.

- Seed a deterministic dev/QA admin user and fixed Development env key so
  HTTP-only tests can authenticate without per-run registration.
- Expand the API integration suite: disabled-flag, unauthorized access,
  environment-document bootstrap, identity-override precedence, and auth
  login scenarios, reusing the existing black-box HTTP+Npgsql harness.
- Add a Playwright suite for the admin SPA: login, nav, project/environment
  context selection, and feature create/toggle, against the real API.
- Bind QA Postgres to 127.0.0.1 for direct seeding, add smoke-qa.sh and an
  ensure_node() bootstrap (the qa runner has no Node today), and wire a new
  smoke-qa CI job after deploy-qa.
This commit is contained in:
2026-07-04 17:28:13 -07:00
parent 1b2ce263e5
commit 8fc0ebb724
28 changed files with 1164 additions and 6 deletions

View File

@@ -0,0 +1,55 @@
using MicCheck.Api.Tests.Integration.Common;
using Microsoft.AspNetCore.Identity;
namespace MicCheck.Api.Tests.Integration.Auth;
/// <summary>
/// A stand-in for the real API's <c>User</c> type: <see cref="PasswordHasher{TUser}"/> only uses
/// it as a type parameter (it doesn't inspect the instance), so any reference type works. Keeps
/// this project a true black box with no <c>ProjectReference</c> to the API.
/// </summary>
public class HashedUser;
public sealed record AuthSeed(int OrganizationId, int UserId, string Email, string Password)
{
public static async Task<AuthSeed> InsertAsync(TestDatabase db, string testRunTag, string password)
{
var rawUnique = $"{testRunTag}-{Guid.NewGuid():N}";
var unique = rawUnique[..Math.Min(rawUnique.Length, 40)];
var email = $"{unique}@integration.test";
var now = DateTimeOffset.UtcNow;
var passwordHash = new PasswordHasher<HashedUser>().HashPassword(new HashedUser(), password);
var organizationId = await db.ExecuteScalarAsync<int>(
"INSERT INTO \"Organizations\" (\"Name\", \"CreatedAt\") VALUES (@name, @createdAt) RETURNING \"Id\"",
("name", $"org_{unique}"),
("createdAt", now));
var userId = await db.ExecuteScalarAsync<int>(
"""
INSERT INTO "Users" ("Email", "PasswordHash", "FirstName", "LastName", "IsActive", "IsTwoFactorEnabled", "CreatedAt")
VALUES (@email, @passwordHash, 'Integration', 'Test', true, false, @createdAt)
RETURNING "Id"
""",
("email", email),
("passwordHash", passwordHash),
("createdAt", now));
await db.ExecuteAsync(
"""
INSERT INTO "OrganizationUsers" ("OrganizationId", "UserId", "Role", "IsPrimary")
VALUES (@orgId, @userId, 1, true)
""",
("orgId", organizationId),
("userId", userId));
return new AuthSeed(organizationId, userId, email, password);
}
public async Task CleanupAsync(TestDatabase db)
{
await db.ExecuteAsync("DELETE FROM \"Users\" WHERE \"Id\" = @userId", ("userId", UserId));
await db.ExecuteAsync("DELETE FROM \"Organizations\" WHERE \"Id\" = @orgId", ("orgId", OrganizationId));
}
}

View File

@@ -0,0 +1,95 @@
using System.Text.Json;
using MicCheck.Api.Tests.Integration.Common;
using NUnit.Framework;
namespace MicCheck.Api.Tests.Integration.Auth;
[TestFixture]
public class AuthTests
{
private const string Password = "Integration!Test123";
private IntegrationTestSettings settings = null!;
private TestDatabase db = null!;
private FlagApiHttpClient client = null!;
private AuthSeed? seed;
[OneTimeSetUp]
public void OneTimeSetUp()
{
settings = IntegrationTestSettings.Load();
db = new TestDatabase(settings.DbConnectionString);
client = new FlagApiHttpClient(settings);
}
[OneTimeTearDown]
public void OneTimeTearDown() => client.Dispose();
[SetUp]
public async Task SetUp()
=> seed = await AuthSeed.InsertAsync(db, testRunTag: "Auth", password: Password);
[TearDown]
public async Task TearDown()
{
if (seed is not null)
{
await seed.CleanupAsync(db);
seed = null;
}
}
[Test]
public async Task WhenValidCredentialsAreSubmitted_ThenLoginReturnsAnAccessToken()
{
var current = seed!;
using var response = await client.SendAsync(
httpFile: "Auth.http",
requestName: "Login",
variables: new Dictionary<string, string>
{
["baseUrl"] = settings.BaseUrl,
["email"] = current.Email,
["password"] = current.Password
});
var body = await response.Content.ReadAsStringAsync();
Assert.That(
response.IsSuccessStatusCode,
Is.True,
$"POST /api/v1/auth/login returned {(int)response.StatusCode} {response.ReasonPhrase} for a valid seeded user. Body: {body}");
var login = JsonSerializer.Deserialize<LoginResponseDto>(body, JsonOptions)
?? throw new InvalidOperationException("Response body was not the expected login shape.");
Assert.That(login.AccessToken, Is.Not.Null.And.Not.Empty);
Assert.That(login.RefreshToken, Is.Not.Null.And.Not.Empty);
}
[Test]
public async Task WhenAnIncorrectPasswordIsSubmitted_ThenLoginIsUnauthorized()
{
var current = seed!;
using var response = await client.SendAsync(
httpFile: "Auth.http",
requestName: "Login",
variables: new Dictionary<string, string>
{
["baseUrl"] = settings.BaseUrl,
["email"] = current.Email,
["password"] = "definitely-the-wrong-password"
});
Assert.That(
(int)response.StatusCode,
Is.EqualTo(401),
$"Expected 401 for an incorrect password, got {(int)response.StatusCode} {response.ReasonPhrase}.");
}
private static readonly JsonSerializerOptions JsonOptions = new(JsonSerializerDefaults.Web);
private sealed record LoginResponseDto(string AccessToken, string RefreshToken, DateTime ExpiresAt);
}