Authenticated E2E via env-gated preview test-login (no prod skeleton key) #355

Description

@mcull

Goal: let CI / an agent test session-gated flows (autocomplete, join, borrow requests, admin) end-to-end, without a production backdoor.

Explicitly NOT a prod skeleton key. A standing master credential that logs in as anyone is a backdoor — one leak = full account takeover, and it muddies the audit trail. Test the same build in a non-prod env instead.

Approach

  • Test preview deploys backed by the staging DB (depends on Set up a real staging/dev db instance #251 / P0-6), not the live prod deployment — real user data stays untouched.
  • Add a test-only login path that physically cannot exist in prod:
    • Option A (lightest): a signed-JWT helper. The app uses JWT sessions (NEXTAUTH_SECRET), so a helper can forge a valid session cookie for a seeded test user — headless, no UI (works for curl + Playwright storageState).
    • Option B: a NextAuth test credentials provider that mints a session for an allowlisted test user given a secret; Playwright logs in once and reuses the cookie.

Guardrails (non-negotiable)

  • Hard kill switch: if (process.env.VERCEL_ENV === 'production') → 404.
  • Requires E2E_LOGIN_SECRET, set only on Preview, never Production.
  • Only logs in allowlisted test users, never arbitrary emails.
  • Seed those test users in staging only.

Payoff: full authenticated E2E coverage on preview (extends the existing e2e.yml Playwright setup), and lets the agent verify authed changes directly instead of relying on manual checks.

Depends on: #251 (staging DB). Sequence right after it.
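
An added example, not code from the issue or the project: one way the guardrails listed above could gate a test-login handler before any session is minted (Option A or B). The function name, the allowlisted emails, the request shape, and every status code other than the production 404 are assumptions.

```javascript
const { createHash, timingSafeEqual } = require('node:crypto');

// Hypothetical allowlist of test users seeded in staging (constructed values).
const TEST_USERS = new Set(['e2e-member@example.test', 'e2e-admin@example.test']);

// Hash both sides so timingSafeEqual always receives equal-length buffers
// and the comparison does not return early at the first differing byte.
function secretsMatch(supplied, expected) {
  const a = createHash('sha256').update(supplied).digest();
  const b = createHash('sha256').update(expected).digest();
  return timingSafeEqual(a, b);
}

// env is passed in (normally process.env) so the gate can be unit-tested.
// Returns the HTTP status and, on success, the user to mint a session for.
function authorizeTestLogin(env, body) {
  // Guardrail: hard kill switch, evaluated before anything else.
  if (env.VERCEL_ENV === 'production') return { status: 404 };

  // Guardrail: the route does not exist unless E2E_LOGIN_SECRET is configured,
  // so a deployment that never received the secret fails closed.
  if (!env.E2E_LOGIN_SECRET) return { status: 404 };

  if (typeof body?.secret !== 'string' ||
      !secretsMatch(body.secret, env.E2E_LOGIN_SECRET)) {
    return { status: 401 };
  }

  // Guardrail: allowlisted test users only, never an arbitrary email.
  const email = typeof body.email === 'string' ? body.email.trim().toLowerCase() : '';
  if (!TEST_USERS.has(email)) return { status: 403 };

  return { status: 200, email };
}
```

The checks run in order of blast radius: environment first, then configuration, then the caller's secret, then the target account, so a correct secret never helps on Production and never selects a real user.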

Labels: P2 (Normal priority), infra (Infrastructure / operations), ws:infra (Infrastructure, security, deploy, observability)