test: add comprehensive test suite (Go unit/integration, Vitest, Playwright E2E)

- Add JWT middleware unit tests (8 tests covering all auth edge cases)
- Add WebSocket hub tests (5 tests for client lifecycle and broadcast)
- Add full HTTP integration tests (12 tests through real Chi router with DB)
- Add frontend component tests for login, issues, and issue detail pages
- Add auth context unit tests (9 tests for login/logout/name resolution)
- Add Playwright E2E tests for auth, issues, comments, and navigation
- Configure Vitest with jsdom, React plugin, and path aliases

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

server/internal/middleware/auth_test.go

@@ -0,0 +1,185 @@
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+func generateToken(claims jwt.MapClaims, secret []byte) string {
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	s, _ := token.SignedString(secret)
+	return s
+}
+
+func validClaims() jwt.MapClaims {
+	return jwt.MapClaims{
+		"sub":   "test-user-id",
+		"email": "test@multica.ai",
+		"exp":   time.Now().Add(time.Hour).Unix(),
+	}
+}
+
+func TestAuth_MissingHeader(t *testing.T) {
+	handler := Auth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Fatal("next handler should not be called")
+	}))
+
+	req := httptest.NewRequest("GET", "/api/me", nil)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusUnauthorized {
+		t.Fatalf("expected 401, got %d", w.Code)
+	}
+	if body := w.Body.String(); body != `{"error":"missing authorization header"}`+"\n" {
+		t.Fatalf("unexpected body: %s", body)
+	}
+}
+
+func TestAuth_NoBearerPrefix(t *testing.T) {
+	handler := Auth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Fatal("next handler should not be called")
+	}))
+
+	req := httptest.NewRequest("GET", "/api/me", nil)
+	req.Header.Set("Authorization", "Token some-token")
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusUnauthorized {
+		t.Fatalf("expected 401, got %d", w.Code)
+	}
+	if body := w.Body.String(); body != `{"error":"invalid authorization format"}`+"\n" {
+		t.Fatalf("unexpected body: %s", body)
+	}
+}
+
+func TestAuth_InvalidToken(t *testing.T) {
+	handler := Auth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Fatal("next handler should not be called")
+	}))
+
+	req := httptest.NewRequest("GET", "/api/me", nil)
+	req.Header.Set("Authorization", "Bearer not-a-valid-jwt")
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusUnauthorized {
+		t.Fatalf("expected 401, got %d", w.Code)
+	}
+}
+
+func TestAuth_ExpiredToken(t *testing.T) {
+	handler := Auth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Fatal("next handler should not be called")
+	}))
+
+	claims := validClaims()
+	claims["exp"] = time.Now().Add(-time.Hour).Unix()
+	token := generateToken(claims, jwtSecret)
+
+	req := httptest.NewRequest("GET", "/api/me", nil)
+	req.Header.Set("Authorization", "Bearer "+token)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusUnauthorized {
+		t.Fatalf("expected 401, got %d", w.Code)
+	}
+}
+
+func TestAuth_WrongSecret(t *testing.T) {
+	handler := Auth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Fatal("next handler should not be called")
+	}))
+
+	token := generateToken(validClaims(), []byte("wrong-secret"))
+
+	req := httptest.NewRequest("GET", "/api/me", nil)
+	req.Header.Set("Authorization", "Bearer "+token)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusUnauthorized {
+		t.Fatalf("expected 401, got %d", w.Code)
+	}
+}
+
+func TestAuth_WrongSigningMethod(t *testing.T) {
+	handler := Auth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Fatal("next handler should not be called")
+	}))
+
+	// Use "none" signing method
+	token := jwt.NewWithClaims(jwt.SigningMethodNone, validClaims())
+	s, _ := token.SignedString(jwt.UnsafeAllowNoneSignatureType)
+
+	req := httptest.NewRequest("GET", "/api/me", nil)
+	req.Header.Set("Authorization", "Bearer "+s)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusUnauthorized {
+		t.Fatalf("expected 401, got %d", w.Code)
+	}
+}
+
+func TestAuth_ValidToken(t *testing.T) {
+	var gotUserID, gotEmail string
+	handler := Auth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		gotUserID = r.Header.Get("X-User-ID")
+		gotEmail = r.Header.Get("X-User-Email")
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	token := generateToken(validClaims(), jwtSecret)
+
+	req := httptest.NewRequest("GET", "/api/me", nil)
+	req.Header.Set("Authorization", "Bearer "+token)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d", w.Code)
+	}
+	if gotUserID != "test-user-id" {
+		t.Fatalf("expected X-User-ID 'test-user-id', got '%s'", gotUserID)
+	}
+	if gotEmail != "test@multica.ai" {
+		t.Fatalf("expected X-User-Email 'test@multica.ai', got '%s'", gotEmail)
+	}
+}
+
+func TestAuth_MissingClaims(t *testing.T) {
+	var gotUserID, gotEmail string
+	handler := Auth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		gotUserID = r.Header.Get("X-User-ID")
+		gotEmail = r.Header.Get("X-User-Email")
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	// Token with no sub or email claims, only exp
+	claims := jwt.MapClaims{
+		"exp": time.Now().Add(time.Hour).Unix(),
+	}
+	token := generateToken(claims, jwtSecret)
+
+	req := httptest.NewRequest("GET", "/api/me", nil)
+	req.Header.Set("Authorization", "Bearer "+token)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d", w.Code)
+	}
+	if gotUserID != "" {
+		t.Fatalf("expected empty X-User-ID, got '%s'", gotUserID)
+	}
+	if gotEmail != "" {
+		t.Fatalf("expected empty X-User-Email, got '%s'", gotEmail)
+	}
+}