
test: add comprehensive Playwright E2E test suite#3

Merged
aberoham merged 2 commits into
masterfrom
test/e2e-playwright
Apr 5, 2026

Conversation

@aberoham

@aberoham aberoham commented Apr 5, 2026

Collaborator

Summary

120 end-to-end tests covering the full NicTool web client using Playwright:

  • Authentication — login, logout, session persistence, invalid credentials
  • CRUD — groups, zones, records (A, AAAA, CNAME, MX, TXT, NS, SRV, CAA, SPF, LOC, SSHFP, NAPTR, DNAME, PTR), users, nameservers
  • Delegation — zone/record delegation with write/no-write permission variants
  • Navigation — frameset, nav tree, section links
  • Permissions — per-feature deny checks (zone/record/group/user CRUD), self_write
  • Search/Sort/Pagination — zone search, record type filtering, sorting, paging
  • Move operations — zones, users, nameservers between groups
  • Log views — group, zone, record audit logs
  • Security — CSRF enforcement, XSS protection, CSP compliance, cookie flags, security headers
  • Delete UI — trash icon links with CSRF token validation

Note: This PR is based on security/hardening since the security tests validate CSRF, XSS, and header behavior introduced there.

Running the tests

cd client/t/e2e
npm install
npx playwright install
NICTOOL_URL=http://localhost:8080 npx playwright test

Test plan

  • All 120 tests pass against Docker Compose environment

🤖 Generated with Claude Code

aberoham and others added 2 commits April 5, 2026 15:18
Add comprehensive security hardening to the NicTool web client:

- CSRF protection: token-based validation on all state-changing
  operations (forms, delete links) with cookie + hidden field
  double-submit pattern
- XSS output escaping: wrap all user-supplied values rendered in HTML
  with html_escape(), add js_escape() for JavaScript string contexts
- Security headers: CSP, X-Frame-Options, X-Content-Type-Options,
  X-XSS-Protection, Referrer-Policy on all responses
- Cookie hardening: HttpOnly, Secure, SameSite=Strict on session cookie
- Add $res declaration to test files for strict mode compatibility

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add 120 end-to-end tests covering the full NicTool web client:

- Authentication (login, logout, session persistence)
- CRUD operations (groups, zones, records, users, nameservers)
- Delegation (zone/record delegation with permission variants)
- Navigation (frameset, nav tree, section links)
- Permissions (per-feature deny checks, self_write)
- Search, sort, and pagination
- Move operations (zones, users, nameservers between groups)
- Log views (group, zone, record logs)
- Security (CSRF enforcement, XSS protection, CSP compliance,
  cookie flags, security headers)
- Delete UI (trash icon links with CSRF tokens)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
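The security checks named in the PR summary and in the hardening commit message (required response headers, session cookie flags, CSRF double-submit token comparison), as an added example in plain JavaScript that is not part of this PR or the NicTool test suite: these are the audit functions a Playwright spec would call on a captured response. The header values and the cookie name `sid` in the samples are assumptions; only the header names and flag names come from the PR.

```javascript
// Header names the hardening commit adds to every response (matched
// case-insensitively) and the flags the session cookie must carry.
const REQUIRED_HEADERS = ['content-security-policy', 'x-frame-options',
  'x-content-type-options', 'x-xss-protection', 'referrer-policy'];
const REQUIRED_COOKIE_FLAGS = ['httponly', 'secure', 'samesite=strict'];
// Parse a raw Set-Cookie header into { name, flags }, where flags is a
// lower-cased Set of attribute tokens ("httponly", "samesite=strict", ...).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  return { name: pair.split('=')[0], flags: new Set(attrs.map((a) => a.toLowerCase())) };
}

// Audit one response: `headers` is a plain object in any case, `setCookies`
// an array of raw Set-Cookie strings. Returns findings; [] means it passes.
function auditResponse({ headers = {}, setCookies = [] }, sessionCookieName) {
  const findings = [];
  const present = new Set(Object.keys(headers).map((k) => k.toLowerCase()));
  for (const h of REQUIRED_HEADERS) {
    if (!present.has(h)) findings.push(`missing header: ${h}`);
  }
  const session = setCookies.map(parseSetCookie)
    .find((c) => c.name === sessionCookieName);
  for (const f of session ? REQUIRED_COOKIE_FLAGS : []) {
    if (!session.flags.has(f)) findings.push(`session cookie lacks ${f}`);
  }
  return findings;
}

// Double-submit check: the hidden-field token must equal the CSRF cookie token.
// Constant-time compare; a missing token or length mismatch is a rejection.
function csrfTokensMatch(cookieToken, formToken) {
  if (typeof cookieToken !== 'string' || typeof formToken !== 'string' ||
      cookieToken.length !== formToken.length) return false;
  let diff = 0;
  for (let i = 0; i < cookieToken.length; i++) {
    diff |= cookieToken.charCodeAt(i) ^ formToken.charCodeAt(i);
  }
  return diff === 0;
}

// Constructed samples, not captured from NicTool: header values and the cookie name "sid" are assumed.
const HARDENED = {
  headers: { 'Content-Security-Policy': "default-src 'self'",
    'X-Frame-Options': 'SAMEORIGIN', 'X-Content-Type-Options': 'nosniff',
    'X-XSS-Protection': '1; mode=block', 'Referrer-Policy': 'same-origin' },
  setCookies: ['sid=abc123; Path=/; HttpOnly; Secure; SameSite=Strict'],
};
const WEAK = { headers: { 'X-Frame-Options': 'SAMEORIGIN' },
  setCookies: ['sid=abc123; Path=/; SameSite=Lax'] };
```

`auditResponse(WEAK, 'sid')` reports four missing headers and three missing cookie flags, while the hardened sample yields no findings.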
Base automatically changed from security/hardening to master April 5, 2026 19:42
@aberoham aberoham merged commit 87e95e7 into master Apr 5, 2026
1 check passed
@aberoham aberoham deleted the test/e2e-playwright branch April 6, 2026 06:21