marketing-shibata50/multica
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
multica/e2e/fixtures.ts
LinYushen 5c9c2f69fd
feat(auth): email verification login and personal access tokens 
* feat(auth): add email verification login flow with 401 auto-redirect

Replace the old OAuth-based login with email verification codes:
- Backend: send-code / verify-code endpoints, verification_codes table (migration 009), rate limiting, Resend email service
- Frontend: two-step login UI (email → 6-digit OTP), auth store with sendCode/verifyCode
- SDK: ApiClient gains onUnauthorized callback; 401 responses auto-clear token and redirect to /login
- Fix login button staying disabled due to global isLoading state

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(auth): add brute-force protection, redirect loop guard, and expired code cleanup

- VerifyCode: increment attempts on wrong code, reject after 5 failed tries (migration 010)
- onUnauthorized: skip redirect if already on /login to prevent infinite loops
- SendCode: best-effort cleanup of expired verification codes older than 1 hour

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat(auth): add master verification code for non-production environments

Allow code "888888" to bypass email verification in non-production
environments to simplify development and testing workflows.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat(auth): add personal access tokens for CLI and API authentication

Add full-stack PAT support: users create tokens in Settings, CLI authenticates
via `multica auth login`. Server stores SHA-256 hashes only. Auth middleware
extended to accept both JWTs and PATs (distinguished by `mul_` prefix).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 14:32:30 +08:00

150 lines
4.4 KiB
TypeScript
Raw Blame History

/**
* TestApiClient — lightweight API helper for E2E test data setup/teardown.
*
* Uses raw fetch (no dependency on @multica/sdk build) so E2E tests
* have zero build-time coupling to monorepo packages.
*/
import pg from "pg";
const API_BASE = process.env.NEXT_PUBLIC_API_URL ?? `http://localhost:${process.env.PORT ?? "8080"}`;
const DATABASE_URL = process.env.DATABASE_URL ?? "postgres://multica:multica@localhost:5432/multica?sslmode=disable";
interface TestWorkspace {
id: string;
name: string;
slug: string;
}
export class TestApiClient {
private token: string | null = null;
private workspaceId: string | null = null;
private createdIssueIds: string[] = [];
async login(email: string, name: string) {
// Step 1: Send verification code
const sendRes = await fetch(`${API_BASE}/auth/send-code`, {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ email }),
});
if (!sendRes.ok) {
// Rate limited — code already sent recently, read it from DB
if (sendRes.status !== 429) {
throw new Error(`send-code failed: ${sendRes.status}`);
}
}
// Step 2: Read code from database
const client = new pg.Client(DATABASE_URL);
await client.connect();
try {
const result = await client.query(
"SELECT code FROM verification_code WHERE email = $1 AND used = FALSE AND expires_at > now() ORDER BY created_at DESC LIMIT 1",
[email]
);
if (result.rows.length === 0) {
throw new Error(`No verification code found for ${email}`);
}
const code = result.rows[0].code;
// Step 3: Verify code to get JWT
const verifyRes = await fetch(`${API_BASE}/auth/verify-code`, {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ email, code }),
});
const data = await verifyRes.json();
this.token = data.token;
// Update user name if needed
if (name && data.user?.name !== name) {
await this.authedFetch("/api/me", {
method: "PATCH",
body: JSON.stringify({ name }),
});
}
return data;
} finally {
await client.end();
}
}
async getWorkspaces(): Promise<TestWorkspace[]> {
const res = await this.authedFetch("/api/workspaces");
return res.json();
}
setWorkspaceId(id: string) {
this.workspaceId = id;
}
async ensureWorkspace(name = "E2E Workspace", slug = "e2e-workspace") {
const workspaces = await this.getWorkspaces();
const workspace = workspaces.find((item) => item.slug === slug) ?? workspaces[0];
if (workspace) {
this.workspaceId = workspace.id;
return workspace;
}
const res = await this.authedFetch("/api/workspaces", {
method: "POST",
body: JSON.stringify({ name, slug }),
});
if (res.ok) {
const created = (await res.json()) as TestWorkspace;
this.workspaceId = created.id;
return created;
}
const refreshed = await this.getWorkspaces();
const created = refreshed.find((item) => item.slug === slug) ?? refreshed[0];
if (created) {
this.workspaceId = created.id;
return created;
}
throw new Error(`Failed to ensure workspace ${slug}: ${res.status} ${res.statusText}`);
}
async createIssue(title: string, opts?: Record<string, unknown>) {
const res = await this.authedFetch("/api/issues", {
method: "POST",
body: JSON.stringify({ title, ...opts }),
});
const issue = await res.json();
this.createdIssueIds.push(issue.id);
return issue;
}
async deleteIssue(id: string) {
await this.authedFetch(`/api/issues/${id}`, { method: "DELETE" });
}
/** Clean up all issues created during this test. */
async cleanup() {
for (const id of this.createdIssueIds) {
try {
await this.deleteIssue(id);
} catch {
/* ignore — may already be deleted */
}
}
this.createdIssueIds = [];
}
getToken() {
return this.token;
}
private async authedFetch(path: string, init?: RequestInit) {
const headers: Record<string, string> = {
"Content-Type": "application/json",
...((init?.headers as Record<string, string>) ?? {}),
};
if (this.token) headers["Authorization"] = `Bearer ${this.token}`;
if (this.workspaceId) headers["X-Workspace-ID"] = this.workspaceId;
return fetch(`${API_BASE}${path}`, { ...init, headers });
}
}
Reference in a new issue View git blame Copy permalink